Financial Privacy, Security & Open Banking
Overview
Recent efforts by the Consumer Financial Protection Bureau (CFPB) and other regulators have raised the profile of the collection, use and sharing of consumer financial data, which has in turn put a spotlight on financial privacy and data use practices.
Through progressive rulemakings and guidance by the CFPB, the FTC and other regulators, financial institutions (like banks and credit unions) and other financial services providers (fintechs, credit marketplaces, data brokers, financial management apps, and more) are becoming increasingly subject to a rapidly evolving legal landscape governing consumer financial data.
DWT's Financial Privacy, Security and Open Banking team is a cross-practice, multi-disciplinary group of attorneys with expertise in banking and payments, fintech, privacy and data security, and technology transactions. Our team helps financial services clients manage all aspects of collecting, using and sharing consumer financial data – from complying with law to negotiating data sharing agreements, as well as enforcement counseling and defense.
Our Capabilities
Privacy
Open Banking
The CFPB's proposed "open banking" rules introduced new disclosure, technical and other standards and requirements intended to help consumers, and their authorized service providers (including data aggregators), more efficiently access their financial data from their credit card and depository banks. Although the CFPB finalized part of the rulemaking, regarding certification requirements for standard-setting bodies, the remainder of the proposed rulemaking left unanswered a number of legal and operational questions, including how participants should reconcile the open banking rules with existing legal and operational requirements under the Fair Credit Reporting Act (FCRA), GLBA and state privacy rules, data security regulations, business continuity considerations, and others (as further discussed in our First Impressions on CFPB's Proposed Open Banking Rule article).
Since the days of screen scraping, we have assisted clients on a variety of open banking matters, including:
- Advising data providers (banks) and data recipients on regulatory obligations in providing or gaining access to financial data via 1033-compliant interfaces, including assisting these data providers and data recipients in assessing their existing data sharing agreements for compliance with the CFPB's proposed "open banking" rules.
- Negotiating data sharing agreements between financial institutions and data aggregators/authorized third parties.
- Counseling open banking participants on how open banking implicates their status under adjacent laws, such as the FCRA (e.g., as consumer reporting agencies or furnishers), GLBA and state privacy laws.
- Advising banks, in their role as data providers, on the applicability of third-party risk management requirements under federal banking third-party risk management guidance and ongoing safety and soundness requirements.
- Assisting authorized third parties with consumer authorization, re-authorization, retention and other open banking obligations.
Credit Reporting
The CFPB has stepped up its scrutiny of companies' credit reporting practices, with particular focus on "furnisher" obligations under the FCRA to accurately report information and to investigate and correct errors. This has led to a number of CFPB guidance and enforcement actions.
Efforts are underway to delve further into the credit reporting practices of users of consumer reports, as evidenced by the CFPB's recent proposal to ban medical bills from credit reports and potentially more FCRA rulemakings addressing data brokers, FCRA permissible purpose, CRA data security and consumer disputes.
We assist clients on FCRA compliance, transactional and enforcement/litigation matters, including counseling clients on identity verification, fraud detection and similar "non-FCRA" services.
Data Security
Financial institutions and other companies are increasingly finding themselves subject to a slew of data security obligations, from data breach and security laws to technical, sector-specific requirements. We help clients gain a comprehensive and holistic understanding of how these obligations apply to them, including information security and data breach response, incident and breach readiness, security program development, security compliance, and transaction counseling.