On November 14 the Consumer Financial Protection Bureau (CFPB) announced an inquiry into the challenges consumers face in accessing, using and securely sharing their financial records. This came on the heels of CFPB director Richard Cordray telling a Money 20/20 audience in October that the agency believes consumers should be able to access their financial data and give permission for third-party companies to access it as well. The bureau was acting in the wake of high-profile cases where banks — including Wells Fargo, JPMorgan Chase and Bank of America — cut off access to third-party sites and apps like Mint.
The CFPB may soon cease to exist, or at the very least see dramatic changes to its rulemaking and enforcement power, and there is certainly not the political will in the US to enact regulations like the EU's Payment Services Directive (PSD2), which will compel financial institutions to provide account information to third parties via application programming interfaces (APIs). Granted, the US market is voluntarily moving in a similar direction as banks like Wells Fargo and JPMorgan Chase share customer data with data aggregators like Intuit via API. But moving in this direction at a bank's discretion rather than a regulator's carries risk for consumers. Aggregators argue that these arrangements allow banks to safeguard sensitive information — for example, annual percentage rates for financial products — that could be used to lure their customers away if visible. If Cordray's October remarks signaled a power shift to the aggregators, the election just as quickly reminded stakeholders that traditional FIs hold the upper hand and will open up access at whatever speed they choose.
A host of banks and credit unions, industry and consumer groups, aggregators and fintechs that leverage aggregated data responded to the CFPB’s request for information regarding consumer access to financial records. Given that there were 70 comments and you're pressed for time, we waded through everything to identify three key themes.
Theme One: Does Dodd-Frank Mandate Access To Third Parties?
In its RFI, CFPB asked, “Are ‘industry standard’ practices that provide consumers with data access comparable to that envisioned by section 1033 of the Dodd-Frank Act likely to be broadly adopted by consumer financial account providers, permissioned parties and account aggregators in the absence of regulatory action?”
The Consumer Financial Data Rights (CFDR) group — bringing together firms such as Affirm, Betterment, Digit, Envestnet Yodlee, Kabbage and Personal Capital — has argued that section 1033 “codified the consumers’ right to access their personal financial data through technology-powered third party platforms.” However, financial institutions and associations representing them strongly objected to the notion that section 1033 of Dodd-Frank mandates access to third parties.
“Financial institutions are required by the Gramm-Leach-Bliley Act to safeguard non-public personal financial information and only disclose information to third parties in specific circumstances as outlined in Regulation P. Further, the Dodd-Frank Act does not mandate account access to third parties. Requiring financial institutions to allow a third-party to access a consumer’s account online goes beyond the current requirements, conflicts with the Gramm-Leach-Bliley Act, and introduces substantial consumer data security risks.” — Christopher Wilder, Vice President, Operations, Alaska USA Federal Credit Union
“We do not interpret section 1033 to require a financial institution to provide a third-party with direct access to a consumer’s account—regardless of whether the consumer has authorized the third-party to do so.” — Brad Douglas, President/CEO, Heartland Credit Union Association (representing 2.3 million credit union members)
“The entire text of Section 1033 concerns consumer access, in no place is there any language which indicates that Congress intended the Bureau to ensure permissioned third parties can access customer account data. Consumers of course must be free to use their own account data as they see fit. Consumers can download their data and upload it if they so wish. However, the CFPB simply does not have authority to require community banks to open their systems to third parties, and other entities which may have not implemented appropriate security processes or procedures.” — Independent Community Bankers of America
Theme Two: Financial Institutions Profit Off Of Complexity And Sub-Optimal Decisions, Third Parties Using Aggregated Data Offer Transparency
Are financial institutions afraid of a world where consumers can easily identify that they're eligible for lower interest rate products than they're currently receiving? Would this turn banking into an industry dominated by the same race-to-the-bottom mentality that is pressuring retail margins? Some commenters have argued that financial institutions benefit from a lack of visibility around the best options available to consumers. Granting third parties access to your data allows them to identify the best products for you and reduces the poor decision-making — using an 18.24% APR card when you're eligible for a 9.74% one — that can be so lucrative for the institution.
“The sellers of financial products have an incentive to withhold from providers their customers’ financial information because they make money when complexity causes customers to make sub-optimal decisions. I have spoken with several provider firms and, without exception, each company has said that their biggest challenges are that financial firms will not provide consumer-permissioned data nor will they provide information on the price and terms of their products. In other words, they prefer an inefficient market.” — Kathleen C. Engel, Research Professor of Law, Suffolk University
“Confusing interest rates, underwriting standards and credit limits can make it difficult for consumers to understand financial product offers and to know how offers they see compare to those received by other people with similar credit profiles. Because many consumers give us permission to access their financial data, we can better track the market rate for various loan products. We can inform consumers whether their offer is market, above market, or below market, and whether there are different credit products that are a better fit for their financial profile. This transparency and ease of comparison in turn can spur more innovation and competition in the market of consumer financial products.” — Credit Karma, Inc.
Theme Three: Data Aggregators Are Financial Institutions Subject to Gramm-Leach-Bliley (GLBA)/Reduce The “Disparity In Data Security Expectations And Practices Between Banks And Data Aggregators”
The American Bankers Association has recommended that the CFPB ensure that consumer data be subject to the protections provided by Gramm-Leach-Bliley “regardless of whether it is held by a bank or third party.” While requesting that CFPB clarify that data aggregators are “financial institutions” subject to the requirements of GLBA, ABA also asks that the bureau:
- Take steps to ensure data aggregators are subject to the same standards as depository institutions for safeguarding financial data and notifying customers about security breaches.
- Clarify that data aggregators are “service providers” under the Electronic Funds Transfer Act (EFTA) and are liable for unauthorized electronic fund transfers that exceed the consumer’s liability under EFTA.
Capital One and the Clearing House, a banking association that advocates on public policy on behalf of the largest U.S. commercial banks, emphasized that data aggregators have been deemed "financial institutions" by the FTC and are subject to Gramm-Leach-Bliley. The Clearing House argues that subjecting aggregators to increased regulatory requirements around data security would make banks more willing to engage with them.
“The FTC determined that data aggregators qualify as ‘financial institutions’ under the GLBA (Gramm-Leach-Bliley). In the preamble to the FTC's regulation implementing privacy provisions of the GLBA, the FTC explained that the broad language used to describe ‘data processing’ in section 225.28 ‘brings into the definition of financial institution an Internet company that compiles, or aggregates, an individual's online accounts (such as credit cards, mortgages, and loans) at that company's web site as a service to the individual, who may then access all of its account information through that Internet site.’ The FTC's regulation implementing the GLBA has been incorporated in Regulation P, issued by the CFPB post-Dodd-Frank. The CFPB has stated that it generally will follow the guidance issued by other agencies whose regulations CFPB has restated. Thus, given their fundamental data processing activities, data aggregators fall within the expansive definition of financial institution in the GLBA.” — Capital One Financial Corporation
“The FTC should use its existing statutory authority to implement enhanced substantive regulatory requirements applicable to data aggregators, including express requirements addressing: (i) technical controls of identified risks; (ii) involvement from boards of directors and senior business management; (iii) employee background checks for employees with responsibilities for or access to customer information; (iv) oversight of service providers’ data security practices; (v) a risk management framework and layered security to prevent unauthorized activity through strong authentication; and (vi) an incident response program. These actions by the Bureau and FTC would help reduce the disparity in data security expectations and practices between banks and data aggregators, which would greatly facilitate bank confidence in data aggregator supervision and oversight, would lessen required bank due diligence and monitoring, and would, as a result, enhance bank willingness to engage bilaterally with the market.” — The Clearing House
To be clear, many aggregators that touch bank data have insisted they are already governed by GLBA. “Ecosystem participants – both traditional institutions and newer digital players – should abide by this framework, including provisions that limit the use of permissioned data to the scope of the consumer’s consent,” writes Plaid. Customer agreements compel other aggregators to comply with provisions of Gramm-Leach-Bliley.