From Banking and Finance Law Daily, October 18, 2017

CFPB releases financial data sharing principles

By Andrew A. Turner, J.D.

The Consumer Financial Protection Bureau has outlined principles for protecting consumers when they authorize third-party companies to access their financial data to provide financial products and services. The non-binding Consumer Protection Principles relate to data access, data scope and usability, control of the data and informed consent, payment authorizations, data security, transparency on data access rights, data accuracy, accountability for access and use, and disputes and resolutions for unauthorized access.

The principles reiterate the importance of protecting consumers to all stakeholders that provide, use, or aggregate consumer-authorized financial data, the CFPB said. With many companies, including "fintech" firms, banks, and other financial institutions, obtaining authorization from consumers to access their account data, the CFPB recognizes both the benefits and challenges involved. Products and services that may be provided include fraud screening and identity verification, personal financial management, and bill payment.

Consumer-authorized access to consumer financial account data in electronic form may promote innovation as companies aggregate and use records to offer new products and services. However, expanded access to consumer financial records raises concerns involving data security, privacy, and unauthorized access.

Subject categories. The principles are intended to help safeguard consumer interests as the consumer-authorized aggregation services market develops. The principles state:

  • Consumers are able, upon request, to obtain information about their ownership or use of a financial product or service from their product or service provider. Financial account agreements and terms support safe, consumer-authorized access, promote consumer interests, and do not seek to deter consumers from accessing or granting access to their account information.
  • Third parties with authorized access only access the data necessary to provide the products or services selected by the consumer and only maintain such data as long as necessary.
  • Consumers are not coerced into granting third-party access. Consumers understand data sharing revocation terms and can readily and simply revoke authorizations to access, use, or store data.
  • Product or service providers that access information and initiate payments obtain separate and distinct consumer authorizations for these separate activities.
  • All parties that access, store, transmit, or dispose of data use strong protections and effective processes to mitigate the risks of, detect, promptly respond to, and resolve and remedy data breaches, transmission errors, unauthorized access, and fraud, and transmit data only to third parties that also have such protections and processes.
  • Consumers are informed of, or can readily ascertain, which third parties that they have authorized are accessing or using information regarding the consumers’ accounts or other consumer use of financial services.
  • Consumers have reasonable means to dispute and resolve data inaccuracies, regardless of how or where inaccuracies arise.
  • Consumers have reasonable and practical means to dispute and resolve instances of unauthorized access and data sharing, unauthorized payments, and failures to comply with other obligations, including the terms of consumer authorizations.
  • Commercial participants are accountable for the risks, harms, and costs they introduce to consumers.

Stakeholder insights. The CFPB has also provided a summary of feedback that it received in response to a November 2016 Request for Information to inquire into issues regarding the aggregation services market.

Some stakeholders asked the CFPB to assume a substantive and formal role in moving the aggregation services market forward. Others asserted that market participants should be entrusted to develop solutions, such as data or security standards, that protect consumer interests with minimal Bureau involvement, if any at all. A third and final group of stakeholders stated that the CFPB should play some role in facilitating industry’s development of data sharing practices but should not initiate formal regulatory action, or at least not unless and until industry-developed mechanisms have had a chance to succeed.
