The data dilemma: regulating the lifeblood of fintech innovation
At the ABA Business Law Section's virtual spring meeting in April 2021, a panel of industry experts discussed data aggregation and the role of data aggregators in today's financial services market. The discussion focused on the CFPB's Advance Notice of Proposed Rulemaking (ANPR) on Section 1033 of the Dodd-Frank Act and consumer access to financial records, including the goals of consumer control and consent, privacy considerations, use cases for data exchange, consumer benefits, and coordination among regulators. The panel consisted of Thomas Devlin, Managing Counsel, Office of Regulations, CFPB; Meredith Fuchs, General Counsel, Plaid; Chris Hill, Assistant General Counsel, Finicity; Grace Powers, Assistant General Counsel, E-Commerce, Technology and Innovation, Wells Fargo; and Christina Tetreault, Manager, Financial Policy, Consumer Reports. Members of the ABA Business Law Section can view the On-Demand CLE Credit Program and register here for free.
Data aggregation has long played an important role in consumer financial services. Whether done internally or through third parties, the ability to consolidate financial information and services can benefit consumers. For example, a consumer can send money to a friend, pay utility bills, and book a vacation through a single financial institution's website. Financial service providers also benefit from data aggregation by gaining more contact points with their customers, streamlining account opening, and obtaining additional information for credit decisions. However, the risk of unauthorized access to non-public personal data grows as more information is consolidated in a single location and as more companies hold copies of it.
The emerging landscape
In 2001, the Office of the Comptroller of the Currency (OCC) published Bulletin 2001-12, which dealt with account aggregation services provided by banks. While recognizing the potential value of these services, the OCC warned banks about the risks of this emerging area, especially when third parties are involved. The ultimate aim of the guidance was to encourage banks to apply risk controls to aggregation activities. The OCC emphasized strict information security controls to protect against unauthorized access to consumer information, promoted robust authentication measures, and recommended thorough third-party due diligence to ensure the security of all information and compliance with all legal requirements. The guidance also highlighted the importance of disclosing, in customer agreements, the terms of the aggregation service and the extent of the bank's authority to use customer information.
Since the 2001-12 bulletin, data aggregation has increased dramatically. The parties involved are no longer just banks and their third-party providers. The lines between data owner, data aggregator, and data user have become blurred as both banks and non-bank providers have evolved. The sophistication of the parties and the way they collect information have also changed.
Nowadays, data aggregation is done mainly through APIs (Application Programming Interfaces) and screen scraping. An API is a defined interface through which one system exposes data or functions to another, so that data can flow between systems in a structured way. In general, the data user must adhere to a number of standards or terms of use in order to call a particular API. Screen scraping, the older method, is a program that signs in to a website on the consumer's behalf (typically using the consumer's own login credentials), reads the information displayed on the resulting pages, and copies it. Depending on the complexity of the program, it can copy all of the information from a site or target certain types of information. A screen scraper can then output the collected information in a variety of formats, including an electronic database or an API through which it is shared with other data users. In either case, the application or program runs in the background and does not necessarily affect the customer experience. The security difference matters: a scraper holds the consumer's actual credentials and therefore inherits every privilege the consumer has, whereas an API can grant a narrower, time-limited and revocable permission.
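The following toy model, added here as an illustration and not code from the page or from any bank or aggregator named on it, contrasts the two access paths above. A hypothetical `Bank` class offers both a password login (what a screen scraper drives) and a token-scoped data API; the scope names (`transactions:read`, `payments:write`), the account data and the `demo()` flow are all constructed. It shows what each path lets the aggregator see and do, and what happens when the consumer revokes an API token.

```python
"""Toy bank contrasting credential-based screen scraping with a scoped,
revocable API token.  Constructed for illustration only; not code from
any bank, aggregator or regulator mentioned in the article."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Token:
    user: str
    scopes: frozenset       # e.g. {"transactions:read"}
    account_ids: frozenset  # only the accounts the consumer chose to share
    expires_at: float
    revoked: bool = False


class Bank:
    """Password login (what a scraper drives) plus a token-scoped data API."""

    def __init__(self):
        self._creds = {}     # user -> (salt, sha256(salt + password))
        self._accounts = {}  # user -> {account_id: {"balance": cents, "txns": [...]}}
        self._tokens = {}    # token string -> Token

    def register(self, user, password, accounts):
        salt = secrets.token_bytes(16)
        self._creds[user] = (salt, hashlib.sha256(salt + password.encode()).digest())
        self._accounts[user] = accounts

    def _check_password(self, user, password):
        salt, digest = self._creds.get(user, (b"", b""))
        if not hmac.compare_digest(hashlib.sha256(salt + password.encode()).digest(), digest):
            raise PermissionError("bad credentials")

    # Screen-scraping path: the aggregator holds the customer's real password
    # and gets exactly what the customer would: every account, every action.
    def login(self, user, password):
        self._check_password(user, password)
        return dict(self._accounts[user])  # live references: full read/write

    # API path: the consumer mints a narrow, time-boxed, revocable token.
    def authorize(self, user, password, scopes, account_ids, ttl_seconds):
        self._check_password(user, password)
        unknown = set(account_ids) - set(self._accounts[user])
        if unknown:
            raise ValueError(f"not this user's accounts: {sorted(unknown)}")
        tok = secrets.token_urlsafe(32)
        self._tokens[tok] = Token(user, frozenset(scopes), frozenset(account_ids),
                                  time.time() + ttl_seconds)
        return tok

    def revoke(self, tok):
        self._tokens[tok].revoked = True  # password untouched; other tokens unaffected

    def _check_token(self, tok, scope, account_id):
        t = self._tokens.get(tok)
        if t is None or t.revoked or time.time() > t.expires_at:
            raise PermissionError("token invalid, revoked or expired")
        if scope not in t.scopes:
            raise PermissionError(f"token lacks scope {scope}")
        if account_id not in t.account_ids:
            raise PermissionError("account not shared with this token")
        return t.user

    def api_transactions(self, tok, account_id):
        user = self._check_token(tok, "transactions:read", account_id)
        return list(self._accounts[user][account_id]["txns"])

    def api_transfer(self, tok, account_id, cents):
        user = self._check_token(tok, "payments:write", account_id)
        self._accounts[user][account_id]["balance"] -= cents
        return "sent"


def demo():
    """Runs both paths against constructed sample data; returns what each could see and do."""
    bank = Bank()
    bank.register("alice", "correct horse", {
        "chk-1": {"balance": 250_00, "txns": ["-45.00 grocery", "+1200.00 payroll"]},
        "sav-9": {"balance": 10_000_00, "txns": ["+50.00 interest"]},
    })
    # Scraper: stores the password, sees both accounts, and can move money.
    scraped = bank.login("alice", "correct horse")
    scraped["sav-9"]["balance"] -= 1_00  # nothing in the login path stops this
    # API: alice shares chk-1 only, read-only, for one hour.
    tok = bank.authorize("alice", "correct horse", {"transactions:read"}, {"chk-1"}, 3600)
    denied = []
    for call in (lambda: bank.api_transactions(tok, "sav-9"),    # account not shared
                 lambda: bank.api_transfer(tok, "chk-1", 1_00)):  # no write scope
        try:
            call()
        except PermissionError as e:
            denied.append(str(e))
    txns = bank.api_transactions(tok, "chk-1")
    bank.revoke(tok)
    try:
        bank.api_transactions(tok, "chk-1")
        revoked_ok = False
    except PermissionError:
        revoked_ok = True
    return {"scraped_accounts": sorted(scraped), "api_txns": txns,
            "denied": denied, "revoked_ok": revoked_ok}


if __name__ == "__main__":
    print(demo())
```

The point of the model is the shape of the authorization, not the toy storage: on the scraping path the only thing standing between the aggregator and a funds transfer is the aggregator's own restraint, while on the API path the bank can enforce scope, account selection and expiry on every call, and the consumer can revoke the grant without changing a password that other services may also hold.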
In March 2020, in Bulletin 2020-10, the OCC reiterated its concerns about risk management in data aggregation. According to this guidance, data aggregators are "companies that access, aggregate, share, or store consumer financial account and transaction data that they collect through connections to financial services companies." The guidance indicated that while a bank does not need a direct relationship with a data aggregator in order to exchange consumer-authorized information, banks that interact with an aggregator should still have adequate controls. FAQ #4 stated that "[i]nformation security and the protection of sensitive customer data" remain an important consideration in managing the risk of these relationships, regardless of whether the bank has a direct relationship with a third-party data aggregator. Banks with direct relationships face higher risk management expectations: strong third-party risk management controls, including due diligence and ongoing monitoring, are critical to ensuring the security of customer information.
The role of the CFPB
The Consumer Financial Protection Bureau (CFPB) is also becoming more active in this area. While the OCC typically focuses on safety and soundness issues for banks, the CFPB has taken a more consumer-centric approach. In 2010, Congress passed the Dodd-Frank Act, including Section 1033, which gives consumers the right to access their financial information. Section 1033 generally requires financial service providers to make available to a consumer the information they hold about that consumer.
In 2017, the CFPB announced its Consumer Protection Principles for consumer-authorized financial data sharing and aggregation. In the Principles, the CFPB recognized the important role of non-bank providers in giving consumers access to financial management tools, account verification, fraud prevention, and other services. Because these providers often need access to non-public personal data in order to provide these services, the CFPB stressed the need to put consumers at the center when designing policies for information sharing and consent. Nine key principles were identified: access; data scope and usability; control and informed consent; authorizing payments; security; access transparency; accuracy; the ability to dispute and resolve unauthorized access; and efficient and effective accountability mechanisms.
In November 2020, the CFPB published an ANPR on Consumer Access to Financial Records to begin rulemaking under Section 1033. In the ANPR, the CFPB recognized the changing industry dynamics around data aggregation and requested feedback on issues such as the scope of consumer access and consumer control as well as data privacy and data security. In its discussion, the CFPB noted the rise of non-bank providers and how the increasing overlap between data owners, data aggregators, and data users complicates consumers' access to their own data. The CFPB also noted that these changes play an important role in the market for financial products and services, in the form of increased competition that leads to new and improved products, wider access, and lower costs for consumers.
The CFPB sought broad feedback in order to determine the best regulatory approach. Regarding the scope of data access, the CFPB asked which types of data holders should be covered, how sensitive non-public information should be treated, and whether other information should be excluded from access. With regard to consumer control and privacy, the CFPB sought information on both primary and secondary uses of data and on how to ensure that consumers better understand how their data is shared and used. With regard to data security, the CFPB sought input on existing laws and incentives for securing consumer data. Additional topics for input were the costs and benefits of consumer data access, competitive incentives, and data accuracy. The comment period for the Section 1033 ANPR closed on February 4, 2021, and a CFPB rule or other response to the ANPR comments has yet to be published.
Despite the many legitimate use cases and potential consumer benefits of data aggregators, a number of risks remain. Consumer protection advocates point to the consent and privacy implications, arguing that a consumer needs to understand how their data is used and shared. Given the evolving landscape of state data protection law and the absence of a federal data privacy and data security standard, how these issues will be addressed in the data aggregation space remains an open question. Ultimately, the CFPB's decision on how to implement Section 1033 will have a significant impact on this industry sector, and it remains to be seen how regulatory intervention will affect progress and innovation.
 12 USC § 5533.