CBA Comment Letter re Section 1033 ANPR

The Consumer Bankers Association (“CBA”) appreciates the opportunity to comment on the Consumer Financial Protection Bureau’s (“Bureau” or “CFPB”) Advanced Notice of Proposed Rulemaking (ANPR) concerning Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Section 1033”).

In 2017, the Bureau released “Consumer Protection Principles: Consumer-Authorized Financial Data Sharing and Aggregation” (“2017 Principles”), which expressed “the Bureau’s vision for . . . a robust, safe, and workable data aggregation market that gives consumers protection, usefulness, and value.” The 2017 Principles detailed nine topics related to consumer-authorized access: access; data scope and usability; control and informed consent; authorizing payments; security; access transparency; accuracy; ability to dispute and resolve unauthorized access; and efficient and effective accountability mechanism. Since the release of the 2017 principles, industry participants engaged in a cooperative spirit to work towards creating not only a workable data aggregation market but a well-functioning, secure, data access ecosystem. CBA encourages the Bureau to take a balanced, cautious approach regarding Section 1033.

Against this background, CBA encourages the Bureau to undertake a risk-based assessment of that ecosystem and leverage that in developing its approach regarding Section 1033. This would include identification of gaps between the current data access ecosystem and the nine elements reflected in the 2017 Principles that include, among other things, instances of unfettered, unauthorized, and unsupervised third-party access to sensitive financial data. Absent clear and consistently applied standards for obtaining express consumer consent to the access and use of financial data, any consent may not be truly informed if it lacks a reasonable level of clarity. This data leaves the safety of a regulated financial institution without any requirement imposed upon the third-party, or any other subsequent data user or data processor, to keep the consumer’s information safe from unauthorized access and use.

Banks have noted efforts to develop APIs limiting data access to that necessary to perform the expressly authorized aggregation services and to enter contracts with data aggregators obliging them to additional consumer protections, both with limited success. Financial institutions have virtually no leverage to require aggregators to agree to reasonable access and data security controls.  Screen scraping and aggregator storage of consumer passwords and pins are still highly prevalent, creating unnecessary and unacceptable data security risk. Data aggregator and other data user disclosures are sometimes confusing and buried in larger privacy policies, which consumers are not required to click through to establish an account with the third party. The downstream uses of the consumer data remain ambiguous to both banks and consumers.

In addition, the current data aggregator business model does not appear appropriate to access, store or to process consumer financial data. Unfettered access to consumer accounts (rather than limited access to account information) could subject consumers to significant losses in the event of a widespread breach into aggregator databases. In this scenario, it is unclear whether a consumer would bear those loses or whether the data aggregator would be held accountable.

Consumers deserve standardization in disclosures, consent, security and data usage requirements among aggregators and others to provide them with meaningful, informed consent. Financial institutions also need these standards to assess and to mitigate risks to the banks posed by data aggregator services.

With that being said, CBA recommends the Bureau analyze three critical areas to ensure consumers sensitive financial data is being used appropriately:

  • Regulate All Participants in the Data Access Ecosystem
  • Prioritize Consumer Control of their Data Security and Privacy
  • Provide Consistent and Standard Data Security and Data Minimization Throughout the Entire Ecosystem

Regulate All Participants in the Data Access Ecosystem

Compliance with rules and regulations established to protect consumers is critical to a well-functioning data access ecosystem.  The Bureau’s 2017 Principles also recognized the critical balance of giving consumers the ability to share their data, while ensuring it remains protected. When consumer sensitive financial data is accessible by third parties who do not protect the information or access effectively, consumer risks is dramatically escalated.  CBA urges the Bureau to propose a “Larger Participant Rule” to mandate supervision of segments of data users in the data access ecosystem – the data holder, data user, and the data aggregator.  For significant players outside of the definition of a “Larger Participant Rule,” CBA encourages the Bureau to exercise its authority pursuant to Section 1024(a)(1)(c) of the Dodd Frank Act to designate companies and to examine for compliance. Without federal oversight of all these participants, the consumer is at risk.

A regulatory framework can help the data access ecosystem more quickly innovate and collaborate. Access to consumers’ account data has the potential to enable many products and services which will help consumers better manage their finances, but a sound financial system must incorporate a fair, level-playing field amongst all participants and the security and use minimization of consumer financial data. By addressing both the opportunity and risk of consumer access to data, the Bureau can facilitate innovation consumers can trust. Consumers need security, transparency, and control to unlock the true potential of financial innovation.

To read full comment letter, click here.