Last week, with the issuance of an Advance Notice of Proposed Rulemaking (ANPR), the Consumer Financial Protection Bureau (CFPB) announced its intention to explore regulation of open banking. The Notice requests public input on a broad array of concerns with respect to the "data access ecosystem," including consumer privacy, security, and effective consumer control over access to data in light of the secondary commercialization of data by data aggregators.

At present, the only rules of the road applicable to open banking in the U.S. are a set of principles issued by the CFPB in 2017 that highlight consumer interest in control and security of their data but do not prescribe enforceable standards. Section 1033 of Dodd-Frank requires entities that provide consumer financial products to provide consumers with access to information about their products and services, including "information related to any transaction, or series of transactions, to the account including costs, charges, and usage data" subject to rules issued by the CFPB.

The ANPR consists of 46 different questions covering a wide range of topics but does not propose any regulations. It does, however, express repeated concern regarding the transparency and fairness of emerging market practices, which it claims "may not reflect the access rights described in Section 1033." While noting the many benefits of open banking in driving competition and innovation, the Notice mentions two key concerns raised in a February 2020 CFPB Symposium: the security practices of third parties authorized by consumers to access their data, and privacy risks inherent in current practices.

ANPR Follows Scrutiny Over Data Aggregator Privacy Practices

FinTech data aggregator Yodlee is facing a lawsuit alleging that the company violated a number of state and federal laws when it "surreptitiously" collected data from consumers who used third-party services that utilize Yodlee to connect to financial institutions' accounts and then sold that data for its own benefit—often to financial institutions. The suit also alleges that Yodlee failed to adequately secure data both in the acquisition process and when transmitting it to financial institution purchasers. The FTC has issued a Civil Investigative Demand to Yodlee related to its privacy practices as well, according to the 10-K filed in February 2020 by Yodlee's parent company, Envestnet.

Data aggregator Plaid is facing a similar slate of consumer lawsuits which were recently consolidated into a multidistrict litigation and was sued last week by TD Bank's parent company over Plaid's use of the TD Bank name and logo in its consumer authorization workflow. The lawsuit complained that Plaid violated TD Bank's intellectual property rights and gave consumers the misimpression that they were entering credentials into the bank's website when, in fact, they were providing them to Plaid.

Key Questions in ANPR

The ANPR does not mention these lawsuits directly but alludes to the issues raised in the complaints by asking a series of questions regarding secondary use of consumer data, including whether consumers understand the actual movement of their data, how disclosures could be improved, whether the CFPB should regulate secondary use by data aggregators, and the costs and benefits to consumers of regulation on this issue.

Other questions posed by the ANPR include:

  • What are the costs and benefits to consumers of allowing them to authorize third parties to access their data, and do those vary among different types of consumers and types of financial institutions?
  • Should the CFPB set standards associated with the mode of data access or format in which data is shared?
  • Who should have access to data, to what data, and on what frequency?
  • Should third-party access be limited to the minimum amount of consumer data necessary to achieve the authorized purpose, and how can such a principle be implemented?
  • Is "regulatory uncertainty" about other privacy laws impeding competition or innovation?
  • Do all parties in the data access ecosystem have adequate incentive to ensure that consumer data is secure?
  • To what extent is there a risk of harm due to inaccurate data being provided to consumers or other players in the ecosystem?

The ANPR is soon to be published in the Federal Register, and the CFPB will receive comments for a period of 90 days following the date of publication. The path to regulation—if the CFPB chooses to regulate—will likely take years, but the CFPB's interest, coupled with the recent lawsuits challenging data aggregator practices, highlights that the risks associated with disclosure of data through authorized third parties, or collection of data as an authorized third party, are already changing.

This article was originally featured as a privacy and security advisory on October 27, 2020. Our editors have chosen to feature this article here for its coinciding subject matter.