CFPB Issues Principles for Consumer Data Sharing and Aggregation
The CFPB recently announced the release of nine Consumer Protection Principles that address the authorized sharing of consumer financial data with third-party data aggregation services. The Principles are directed at companies that aggregate data from consumers’ various financial accounts to provide financial advice or financial management tools. The CFPB stated that the Principles are “intended to help foster the development of innovative financial products and services, increase competition in the financial markets, and empower consumers to take greater control of their financial lives.”
In November 2016, the CFPB published a Request for Information (RFI) that sought input on issues regarding the data aggregation services market. Based in part on stakeholder responses to this RFI, the CFPB has outlined nine Consumer Protection Principles, which generally address:
Access – consumers should be able to obtain information from their own product or service provider, and should also be able to authorize trusted third parties to obtain such information on their behalf.
Data Scope and Usability – authorized third parties should only access the data necessary to provide their product or service, and only maintain that data as long as necessary.
Control and Informed Consent – consumers should be fully informed as to the extent their data is accessed, stored, and used, and should be able to readily revoke such access if they desire.
Authorizing Payments – authorization of data access should be separate and distinct from authorization of payment for aggregation services.
Security – consumer data should be stored, used, and distributed by secure means that protect it and minimize the risk of security breaches.
Access Transparency – consumers should be informed of which third parties have access to their consumer data or accounts.
Accuracy – consumers should expect that their data be used in an accurate and up-to-date manner.
Dispute Resolution – consumers should have a reasonable means to dispute and resolve instances of unauthorized data sharing or unauthorized payments related to data aggregation services.
Efficient and Effective Accountability Mechanisms – commercial participants in data aggregation services should be accountable for the risks, harms, and costs they introduce to consumers, and their commercial interests should align with the protection of consumer data.
The CFPB’s press release states that the Principles are not a “statement of the Bureau’s future enforcement or supervisory priorities” and also are “not intended to alter, interpret or otherwise provide guidance on . . . existing statutes and regulations that apply in the [data aggregation market].” Nevertheless, the RFI, coupled with the release of the Principles, seems to indicate the CFPB will continue to maintain an interest in the consumer data aggregation industry.