We would like to ensure that you are still receiving content that you find useful – please confirm that you would like to continue to receive ILO newsletters.
08 December 2017
On October 18 2017 the Consumer Financial Protection Bureau (CFPB) released a set of consumer protection principles designed to protect consumer interests in the market for services built around consumer-approved use of financial information. The principles are targeted at so-called 'data aggregation' or 'screen scraping' services that collect customer information in order to provide financial planning or other services. Over the past few years, data aggregation services and banks have struggled to develop the right model for sharing customer account data. The principles issued by the CFPB seek to provide a potential data-sharing model for banks and data aggregation services while protecting consumer interests.
In recent years, financial technology (fintech) companies have developed products and services that make it easier for consumers to manage their own finances, including financial planning services, transaction verification tools, payment applications and fraud-screening. These products and services rely on consumer-authorised access to financial data about those consumers stored by other financial institutions. To collect this data, fintech firms have often resorted to screen scraping, in which the company uses the consumer's bank account login credentials to login on behalf of the consumer and download the available financial data. Screen scraping does not involve a formal data-sharing agreement with the bank, and it therefore raises significant concerns from all parties involved. Banks are often concerned about the effect of these services on their systems, the commercial value of their data and the security of the information, for which the bank could potentially be held responsible. Fintech companies worry that banks will block them from accessing the consumer data on which the viability of their business depends. These concerns have created obstacles to innovation by placing banks and fintech firms in an ill-defined adversarial position. Further, sharing login credentials with third parties raises significant issues of consumer privacy, choice and transparency.
The CFPB, which is the primary federal regulator of consumer financial products and services, has acknowledged that this type of consumer-authorised access and aggregation:
"holds the promise of improved and innovative consumer financial products and services, enhanced control for consumers over their financial lives, and increased competition in the provision of financial services to consumers."
Its new principles reflect its view of the positive potential for new data aggregation services while emphasising the need to develop a workable industry model that addresses consumer privacy, limits data security risks, promotes transparency and consumer choice and protects the accuracy of financial data.
In view of these issues, the CFPB developed the principles with guidelines for ensuring consumer protection in the aggregation services market. Before issuing the final principles, the CFPB solicited input from a variety of stakeholders, from individual consumers and account data holders to trade associations and aggregators. Although the CFPB's principles are not binding, they signal increased momentum for a workable model of data sharing between banks and fintech companies. They may also demonstrate the CFPB's expectations of market participants and its broader viewpoints about consumer privacy and consent. The nine principles cover the areas set out below:
Industry reactions to the principles has generally been positive, as banks and fintech companies continue to work out formal agreements to share data. Several data-sharing agreements between large banks and fintech companies have been publicly announced during the past year, prevising the potential for continuing innovation in the market for data aggregation services. Rather than using screen scraping, these agreements contemplate data sharing via application programming interface, which allows for direct and more secure delivery of data from the bank to the fintech firm. The CFPB principles provide useful guidance for the development of these agreements and greater certainty around potential regulator expectations with respect to consumer privacy.
Nevertheless, a theme of the principles is a broad entitlement of the consumer to benefit from services that rely on access to information, with a substantial burden imposed on companies to enable these services. In particular, the principles seem to imply a duty on the part of existing data holders to develop mechanisms to make the data available to consumers and third parties when the data holders may have no incentive to undertake the significant development and ongoing costs. This theme of imposing broad burdens on holders of consumer information to facilitate a third-party service could be troubling in the data aggregation area, as well as if applied more broadly. The principles also impose duties on the companies obtaining the data to use the information for the benefit of the consumers.
The CFPB's release of consumer protection principles combines the bureau's supervision of consumer financial products and services with an increasing focus on data security matters. In 2016 the CFPB brought its first data security enforcement action under the authority granted by the Dodd-Frank Wall Street Reform and Consumer Protection Act against online payments company Dwolla Inc, for deceptive representations with respect to its data security practices. The Dodd-Frank Act authorises the CFPB to take action against institutions engaged in unfair, deceptive or abusive acts or practices or that otherwise violate federal consumer financial laws. Under the terms of the CFPB order against Dwolla, the company was required to stop misrepresenting its data security practices, train employees properly and fix security flaws. In addition, Dwolla was required to pay a $100,000 civil money penalty.
As stated, the consumer protection principles issued by the CFPB with respect to the aggregation services market are not made under rulemaking authority and do not reflect the bureau's enforcement priorities. That said, industry stakeholders should consider the potential impact of the principles in connection with data aggregation services and financial services more broadly and within the context of the existing legal requirements. These requirements may include:
When reviewing and considering how to implement the CFPB's recently issued principles, companies should consult with legal counsel to ensure that they comply with all applicable legal requirements.
For further information on this topic please contact Colleen Theresa Brown, Edward R McNicholas, Alan Charles Raul or John K Van De Weert at Sidley Austin LLP by telephone (+1 202 736 8000) or email (firstname.lastname@example.org email@example.com, firstname.lastname@example.org or email@example.com). The Sidley Austin website can be accessed at www.sidley.com.
David E Teitelbaum, partner, assisted in the preparation of this update.
The materials contained on this website are for general information purposes only and are subject to the disclaimer.
ILO is a premium online legal update service for major companies and law firms worldwide. In-house corporate counsel and other users of legal services, as well as law firm partners, qualify for a free subscription.