Authorized access and use of consumer financial account data may enable the development of innovative and improved financial products and services, increase competition in financial markets, and empower consumers to take greater control of their financial lives. To accomplish these objectives, however, such access and use must be designed and implemented to serve and protect consumers.
The Bureau intends for these Consumer Protection Principles to help safeguard consumer interests as the consumer-authorized aggregation services market develops. The Principles are intended to be read together. They are not intended to alter, interpret, or otherwise provide guidance on (although they may accord with) existing statutes and regulations that apply in this market.
In the Dodd-Frank Act, Congress instructed the Bureau to implement and enforce consumer financial law for the purpose of ensuring that all consumers have access to markets for consumer financial products and services and that markets for consumer financial products and services are fair, transparent, and competitive.
Congress further instructed the Bureau to exercise its authorities so that markets for consumer financial products and services operate transparently and efficiently to facilitate access and innovation.
For some time, a range of companies—many of them “fintech” companies—have been accessing consumer account data with consumers’ authorization and providing services to consumers using data from the consumers’ various financial accounts. Such “data aggregation”-based services include the provision of financial advice or financial management tools, the verification of accounts and transactions, the facilitation of underwriting or fraud-screening, and a range of other functions. This type of consumer-authorized data access and aggregation holds the promise of improved and innovative consumer financial products and services, enhanced control for consumers over their financial lives, and increased competition in the provision of financial services to consumers.
There are many significant consumer protection challenges to be considered—particularly with respect to data privacy and security—as these technologies and practices continue to develop. In part through a November 2016 public Request for Information, the Bureau is aware that a range of industry stakeholders are working, through a variety of individual arrangements as well as broader industry initiatives, on agreements, systems, and standards for data access, aggregation, use, redistribution, and disposal. The Bureau believes that consumer interests must be the priority of all stakeholders as the aggregation services-related market develops.
A common understanding of consumer interests is essential so that effective consumer protections can be integrated consistently into this market. As a result, the Bureau today is releasing a set of Consumer Protection Principles intended to reiterate the importance of consumer interests to all stakeholders in the developing market for services based on the consumer-authorized use of financial data. The Principles express the Bureau’s vision for realizing a robust, safe, and workable data aggregation market that gives consumers protection, usefulness, and value.
The Bureau recognizes that many consumer protections apply to this market under existing statutes and regulations. These Principles are not intended to alter, interpret, or otherwise provide guidance on—although they may accord with—the scope of those existing protections.
Thus, the Principles do not themselves establish binding requirements or obligations relevant to the Bureau’s exercise of its rulemaking, supervisory, or enforcement authority. In addition, the Principles are not intended as a statement of the Bureau’s future enforcement or supervisory priorities.
The Bureau will continue to monitor closely developments in this market. The Bureau will also continue to assess how the Principles set forth below may best be realized in the design and delivery of consumer financial products and services. The Bureau stands ready to facilitate constructive efforts or to take other appropriate action to protect consumers.
Consumer Protection Principles
Consumer-Authorized Financial Data Sharing and Aggregation
Consumer-authorized access and use of consumer financial account data may enable the development of innovative and improved financial products and services, increase competition in financial markets, and empower consumers to take greater control of their financial lives. To accomplish these objectives, however, such access and use must be designed and implemented to serve and protect consumers. The Bureau intends for the following Consumer Protection Principles to help safeguard consumer interests as the consumer-authorized aggregation services market develops. The Principles are intended to be read together. They are not intended to alter, interpret, or otherwise provide guidance on—although they may accord with—existing statutes and regulations that apply in this market.
1) Access
Consumers are able, upon request, to obtain information about their ownership or use of a financial product or service from their product or service provider. Such information is made available in a timely manner. Consumers are generally able to authorize trusted third parties to obtain such information from account providers to use on behalf of consumers, for consumer benefit, and in a safe manner. Financial account agreements and terms support safe, consumer-authorized access, promote consumer interests, and do not seek to deter consumers from accessing or granting access to their account information. Access does not require consumers to share their account credentials with third parties.
2) Data Scope and Usability
Financial data subject to consumer and consumer-authorized access may include any transaction, series of transactions, or other aspect of consumer usage; the terms of any account, such as a fee schedule; realized consumer costs, such as fees or interest paid; and realized consumer benefits, such as interest earned or rewards. Information is made available in forms that are readily usable by consumers and consumer-authorized third parties. Third parties with authorized access only access the data necessary to provide the product(s) or service(s) selected by the consumer and only maintain such data as long as necessary.
3) Control and Informed Consent
Consumers can enhance their financial lives when they control information regarding their accounts or use of financial services. Authorized terms of access, storage, use, and disposal are fully and effectively disclosed to the consumer, understood by the consumer, not overly broad, and consistent with the consumer’s reasonable expectations in light of the product(s) or service(s) selected by the consumer. Terms of data access include access frequency, data scope, and retention period. Consumers are not coerced into granting third-party access. Consumers understand data sharing revocation terms and can readily and simply revoke authorizations to access, use, or store data. Revocations are implemented by providers in a timely and effective manner, and at the discretion of the consumer, provide for third parties to delete personally identifiable information.
4) Authorizing Payments
Authorized data access, in and of itself, is not payment authorization. Product or service providers that access information and initiate payments obtain separate and distinct consumer authorizations for these separate activities. Providers that access information and initiate payments may reasonably require consumers to supply both forms of authorization to obtain services.
5) Security
Consumer data are accessed, stored, used, and distributed securely. Consumer data are maintained in a manner and in formats that deter and protect against security breaches and prevent harm to consumers. Access credentials are similarly secured. All parties that access, store, transmit, or dispose of data use strong protections and effective processes to mitigate the risks of, detect, promptly respond to, and resolve and remedy data breaches, transmission errors, unauthorized access, and fraud, and transmit data only to third parties that also have such protections and processes. Security practices adapt effectively to new threats.
6) Access Transparency
Consumers are informed of, or can readily ascertain, which third parties that they have authorized are accessing or using information regarding the consumers’ accounts or other consumer use of financial services. The identity and security of each such party, the data they access, their use of such data, and the frequency at which they access the data is reasonably ascertainable to the consumer throughout the period that the data are accessed, used, or stored.
7) Accuracy
Consumers can expect the data they access or authorize others to access or use to be accurate and current. Consumers have reasonable means to dispute and resolve data inaccuracies, regardless of how or where inaccuracies arise.
8) Ability to Dispute and Resolve Unauthorized Access
Consumers have reasonable and practical means to dispute and resolve instances of unauthorized access and data sharing, unauthorized payments conducted in connection with or as a result of either authorized or unauthorized data sharing access, and failures to comply with other obligations, including the terms of consumer authorizations. Consumers are not required to identify the party or parties who gained or enabled unauthorized access to receive appropriate remediation. Parties responsible for unauthorized access are held accountable for the consequences of such access.
9) Efficient and Effective Accountability Mechanisms
The goals and incentives of parties that grant access to, access, use, store, redistribute, and dispose of consumer data align to enable safe consumer access and deter misuse. Commercial participants are accountable for the risks, harms, and costs they introduce to consumers. Commercial participants are likewise incentivized and empowered effectively to prevent, detect, and resolve unauthorized access and data sharing, unauthorized payments conducted in connection with or as a result of either authorized or unauthorized data sharing access, data inaccuracies, insecurity of data, and failures to comply with other obligations, including the terms of consumer authorizations.
Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act”) states that, subject to rules prescribed by the Bureau, a covered person shall make available to a consumer, upon request, information in the control or possession of the covered person concerning the consumer financial product or service that the consumer obtained from such covered person, including information relating to any transaction, series of transactions, or to the account, including costs, charges, and usage data. The meaning of this provision has been the subject of debate since Dodd-Frank was enacted.
Principles for All
Most of the Bureau’s prior statements on third-party access to consumer account information have focused on financial institutions that limit access. However, the guidance also provides a number of principles for providers of services.
• Under the Second Principle, the guidance says that third parties should only access the data necessary to provide the product(s) or service(s) selected by the consumer and only maintain such data as long as necessary.
• Under the Third Principle, the Bureau reminds third parties about the need to obtain clear and informed consent from consumers, to ensure that the authorization addresses a number of specific items (such as access frequency, data scope, and retention period), to limit the data the third parties access to the extent of the consent, and to provide meaningful consent revocation mechanisms.
• Under the Fifth Principle, providers have obligations to protect consumer data (including both account data obtained from financial institutions and the account access credentials) against security breaches.
Some of the principles also impose indirect obligations on providers, or at least imply that financial institutions have some authority to impose certain obligations or limitations.
• The Sixth Principle says that consumers should be able to ascertain which parties are accessing or using their financial data. Although this principle doesn’t identify which party (the financial institution or the provider) has the obligation to make this information readily ascertainable, it appears to suggest that the financial institution is required to provide the consumer with information about who is accessing the account. And this, in turn, might imply that a financial institution can impose some kind of requirements on third parties to identify themselves.
Observations and Potential Implications
Focused on “the importance of consumer interests to all stakeholders in the developing market for services based on the consumer-authorized use of financial data,” the Bureau’s guidance contains principles that are exactly that: principles, not hard-and-fast rules. To the Bureau’s credit, this guidance provides some insights into how the CFPB will analyse issues related to third-party account access. But as is highlighted below, there is still enormous room for disagreement about what actions the principles will require in any particular instance.
The CFPB’s principles related to consumer-authorized financial data sharing and aggregation signal uncertainty in the market and the continued potential for conflict between new and established financial services providers. In light of these principles (and assuming no dramatic shifts in the CFPB’s priorities), it is possible that the CFPB may seek to impose additional regulatory obligations on market participants through a rulemaking under Section 1033 or its larger-participant authority and/or further expand the scope of its enforcement authority. A rulemaking would signify an attempt to police the interaction between fintech firms and banks in regard to data sharing and information security, which would represent uncharted territory for the CFPB.
Will Third Parties Be Required To Provide The Financial Institution With Information That The Financial Institution Determines That It Needs In Order To Effectively Monitor For Suspicious Transactions?
Ans: Additionally, some of the CFPB’s principles may not align with guidance from other regulators and commonly accepted market practices and legal rights. For example, the CFPB’s principles state that consumers should not be required to share account credentials with third parties to facilitate information sharing, but the OCC expressly stated in its account aggregation guidance that banks may, and typically do, require customers to share account credentials.
Does A Servicer Receive A Safe Harbour Under The Bankruptcy Code By Sending Periodic Statements In Compliance With The Bureau’s Rules?
Ans: A servicer does not receive a safe harbour under the Bankruptcy Code by sending periodic statements to a borrower in bankruptcy in compliance with Regulation Z, s. 1026.41(e) and (f). The Bureau does not have authority to create safe harbours under the Bankruptcy Code.
What Are Marketing Services Agreements?
Ans: Marketing services agreements, or “MSAs,” are agreements that commonly involve an arrangement where one person (or entity) agrees to market or promote the services of another and receives compensation in return. MSAs may involve only settlement service providers or may also involve third parties who are not settlement service providers. For example, an MSA exists when a mortgage loan originator agrees to market or promote the services of a real estate agent in return for compensation.
What Are Some Examples Of MSAS Prohibited By RESPA Section 8?
Ans: As stated previously, an MSA can be lawful under RESPA if it is structured and implemented consistently as an agreement for the performance of actual marketing services and where the payments under the MSA are reasonably related to the value of the services performed. 12 USC s. 2607(c)(2); 12 CFR s. 1024.14(g)(1)(iv) and (g)(2).