The Consumer Financial Protection Bureau (CFPB or the “Bureau”) has recently expressed interest in how consumer financial information aggregators and financial services companies interact to share and protect financial data about consumers. Below we provide background on this growing industry, summarize the CFPB’s recent Request for Information (RFI) Regarding Consumer Access to Financial Records, and discuss how this could be a first step towards future regulation that would significantly affect how financial data is shared by financial institutions and handled by third-party aggregators.
The Evolution of Data Aggregators
For several years, various types of entities have aggregated information about consumer financial products and services to ease the burden on consumers of comparison shopping for credit cards, auto loans, mortgages and personal loans. These entities collect detailed information about consumers in various ways – typically by obtaining a consumer’s express permission to access his or her credit report, or by obtaining a consumer’s username and password to access the online banking portals of various financial institutions. With this access, the non-bank entity then retrieves and stores the consumer’s detailed personal financial data, makes it available to the consumer, and uses it to make targeted offers for financial products and services. Financial technology companies, in particular, have begun to use consumer financial records in other ways, for example, to alleviate pain points in personal financial management by providing automatic savings programs, budgeting tools, investment analysis, and online bill payments. On the back-end, they have created efficiencies for financial services providers by providing account verification, consumer information verification, fraud identification, ID theft protection, and underwriting and credit “decisioning” services. We refer to these entities collectively as “aggregators.”
Diverging Interests Between Banks, Aggregators, and Regulators
Last year, several large banks shut off aggregators’ access to consumer financial account information. The banks pointed to a series of concerns that they said were raised by the aggregators’ business models, ranging from internal data security and the enhanced complexities that could arise in the event an aggregator suffers a data breach, to operational limitations on the ability of bank servers to respond to an overwhelming number of aggregator data requests. The CFPB recently showed interest in consumer data sharing with aggregators as part of its “Project Catalyst Initiative,” publishing a report titled “Promoting consumer-friendly innovation: Innovation Insights” in October, which we discussed here. In that report, the CFPB stated that consumer-permissioned access to financial data forms the “basis for personal financial management tools and mechanisms [that can] reduce the time to verify consumers’” accounts and provide other consumer benefits. The report notes that the loss of access to consumer data by these third parties “could cripple or even entirely curtail the further development of such products and services.” CFPB Director Richard Cordray reiterated in a speech that the Bureau is “gravely concerned by reports that some financial institutions are looking for ways to limit, or even shut off, access to financial data rather than exploring ways to make sure that such access, once granted, is safe and secure.” The Bureau subsequently issued the RFI to better understand the consumer benefits and risks associated with market developments that rely on access to consumer financial account and account-related information. The RFI states that its objectives are to both: 1) help the industry develop best practices to deliver benefits to consumers and address potential consumer harms; and 2) evaluate whether any guidance or future rulemaking is needed.
Statutory Authority to Write Rules Affecting Consumer Access to Electronic Financial Information
The CFPB relies on two distinct provisions of the Consumer Financial Protection Act (“Act”) for potential regulations in this area. Section 1033 of the Act gives a consumer the right to request and receive electronic records related to a consumer financial product or service obtained from a financial institution, including transaction, cost, and usage information. This provision expressly grants the CFPB authority to write implementing rules. The CFPB’s authority over data security issues also is based on the prohibition of unfair, deceptive, or abusive acts or practices under Sections 1031 and 1036 of the Act. The RFI cites to the Bureau’s recent data-security case against Dwolla and the Federal Trade Commission’s (the “FTC”) past data security activities as relevant precedent to generally assert that “[a]n entity’s consumer data privacy or security practices can violate UDAAP standards.” While the CFPB has filed only one enforcement action involving data security claims, the FTC has used its unfairness authority (under Section 5 of the Federal Trade Commission Act) to regulate specific data security practices. The RFI’s reference to FTC precedent could indicate the CFPB’s willingness to rely on its UDAAP authority to regulate specific data security practices. If the CFPB were to go further and propose rules in this area, that regulatory initiative would be the first use of Section 1033 and the first use of Sections 1031 and 1036 with respect to information collection or data security practices.
Concerns & Challenges Expressed in the RFI
The CFPB expressed concern that some participants may restrict consumer-permissioned access in ways “that undermine consumer interests identified in Section 1033 [of the Act].” At the same time, the CFPB recognized that, despite the many consumer benefits of account data sharing that it seeks to foster, legitimate risks need to be addressed, including data security and privacy.
Data Gathering: Questions in the RFI
The RFI asks 20 questions on how aggregators operate, including current market practices and how those practices will likely change over time. Below, we classify and summarize the questions to which the CFPB is seeking responses.
- Product structures & use: How many consumers are using these services and what are their characteristics? How is financial and non-financial information used to assess eligibility for products? How are offers based on this data being made and by whom?
- Provision of Data: What incentives or disincentives exist for companies to provide consumer-permissioned data? Why might companies, consumers or aggregators not provide data, e.g. operational costs, risks, and actual or potential losses, and their specific causes?
- Data security: How long is data stored? What security and other risks are incurred by consumers? How are these risks communicated to consumers and mitigated by companies or aggregators?
- Consumer understanding: What consumer-facing disclosures are provided? Are consumers told what data are accessed, how often such data are accessed, how such information is used, whether access continues after a consumer stops using a given product, how sharing occurs and under what terms and conditions? Do consumers understand these practices and how does comprehension impact their willingness to consent?
- Consumer control: Can consumers control how aggregators use their data, and if so, how? May consumers ask for data about themselves to be deleted?
- Vendor management: Do financial institutions vet aggregators before granting access? If so, under what procedures?
- Adequacy of industry standards: Do industry standards currently comply with Section 1033? Are they actually adopted by the industry?
- Expected and desired change: How are the current market practices expected to change? How should those practices change?
The RFI demonstrates that aggregators are subject to basic principles of contract law but scarcely any clear regulatory obligations, and that individual transactional solutions might not be sufficient to uniformly promote consumer benefits and control identified risks. Regulatory bright lines might be helpful, but participants in the consumer data sharing ecosystem should consider how the scope of such regulation could clarify the rights and responsibilities of financial institutions, require financial institutions to allow greater access to financial data and bear increased data security risk, or limit technological innovation and thereby compromise solutions for consumers. Following are a series of additional concerns financial institutions should consider:
- With respect to data security, a supervised financial institution should consider the scope of its duty to monitor and protect customer information, and what responsibilities should be placed upon aggregators so that their mutual customers’ data is protected.
- With respect to the use of information gathered by third party aggregators, companies should consider whether the use of such data creates a perception that products recommended to a consumer by the aggregator have been selected based on the consumer’s individual circumstances. If a particular experience places a consumer in a position of “reasonable reliance” on an aggregator to “act in the interests of the consumer,” then – to follow the terms of Section 1031 of the Act – certain conduct by the aggregator, such as product recommendations that are not suitable for the consumer, might be considered “abusive.”
- The RFI assumes that Section 1033 grants a consumer’s agent unfettered access to the consumer’s financial records. But Section 1033 only grants “a consumer” the right to request records. Recent case law from the Ninth Circuit indicates that a third party’s access to another company’s computer systems without proper authorization may be prohibited by the Computer Fraud and Abuse Act (CFAA), which carries criminal penalties. In Facebook v. Vachani, a social media aggregator attempted to use Facebook’s systems at the request of Facebook users. Facebook attempted to block the aggregator from accessing its site through an IP block and a cease and desist letter, but the aggregator continued to access the Facebook database despite this explicit restriction on access, in violation of the CFAA. The court provided the following analogy involving a retail bank branch to demonstrate the difference between user and agent access under the CFAA:
- “Suppose that a person wants to borrow a friend’s jewelry that is held in a safe deposit box at a bank. The friend gives permission for the person to access the safe deposit box and lends him a key. Upon receiving the key, though, the person decides to visit the bank while carrying a shotgun. The bank ejects the person from its premises and bans his reentry. The gun-toting jewelry borrower could not then reenter the bank, claiming that access to the safe deposit box gave him authority to stride about the bank’s property while armed. In other words, to access the safe deposit box, the person needs permission both from his friend (who controls access to the safe) and from the bank (which controls access to its premises). Similarly, for [the aggregator] to continue its campaign using Facebook’s computers, it needed authorization both from individual Facebook users (who controlled their data and personal pages) and from Facebook (which stored this data on its physical servers). Permission from the users alone was not sufficient [under CFAA] to constitute authorization after Facebook issued the cease and desist letter.”
- Note that the defendants in this case have indicated their intent to file a petition for certiorari with the Supreme Court to appeal the case.
- As aggregator services become more complex and the attendant data security and other risks become correspondingly higher, financial institutions should consider whether enhanced contractual protections and more rigorous oversight of aggregators are necessary.