On October 18, 2017, the Consumer Financial Protection Bureau (CFPB) outlined nine non-binding Consumer Protection Principles (the Principles) for the access and sharing of consumer information between third-party companies. The Principles focus on the consumer experience, specifically consumers’ enhanced control over their financial lives.
The CFPB envisions a marketplace in which consumers are in the proverbial drivers’ seat with regard to the use of their financial data. To that end, the CFPB announced the Principles in an attempt “to reiterate the importance of consumer interests to all stakeholders in the developing market for services based on the consumer-authorized use of financial data.” The Principles provide general guidance for the following:
- Data Scope and Usability
- Control and Informed Consent
- Authorizing Payments
- Access Transparency
- Ability to Dispute and Resolve Unauthorized Access
- Efficient and Effective Accountability
Shifting the balance of power to consumers
Although each Principle sets forth a unique protection for consumers, when read as a whole, the Principles make it apparent that the CFPB seeks to shift the balance of power into consumers’ hands. For example, a boilerplate notice regarding data access and data sharing may no longer suffice in light of the Control and Informed Consent Principle. This Principle provides that “authorized terms of access, storage, use, and disposal are fully and effectively disclosed to the consumer, understood by the consumer, not overly broad, and consistent with the consumer’s reasonable expectations in light of the product(s) or service(s) selected by the consumer.”
As if to clarify any possible confusion, the CFPB specifies that consumers are not to be “coerced into granting third-party access.” Continuing on this theme of consumer control, the CFPB also pushes for “separate and distinct consumer authorizations” for payment authorization. Put simply, consumer authorization of data access does not equal consumer authorization for the initiation of payments.
Emphasizing security of data and credentials
Of particular importance in the aftermath of the Equifax security breach is the CFPB’s emphasis on the security of consumer data and access credentials. Although the CFPB does not specify a security standard, it nonetheless provides that “all parties that access, store, transmit, or dispose of data use strong protections and effective processes to mitigate the risks of, detect, promptly respond to, and resolve and remedy data breaches, transmission errors, unauthorized access, and fraud, and transmit data only to third parties that also have such protections and processes.”
Such practices are not meant to be static, as the CFPB envisions adaptable security practices in response to new and emerging threats. To that end, the Principles could be read as an impetus to encourage cooperation among market participants with regard to data/security standards. Data aggregators are in the best position to determine the scope of these evolving threats and determine criteria to protect consumer interests with minimal CFPB involvement.
Similarities to EU’s GDPR
Keen observers of the data privacy arena may note some resemblance to the rights enshrined in the European Union’s (EU) General Data Protection Regulation (GDPR), specifically the right to data portability. As envisioned, the GDPR’s right to data portability would allow a data subject to request a copy of all his or her electronically stored personal data and/or have the right to transmit that data to another data controller without hindrance.
The GDPR, like the CFPB’s Principles, allow the data owner, or consumer, to remain in control of his or her data. Unlike the GDPR, which will become an enforceable regulation on May 25, 2018, the Principles are, for the time being, aspirational tenets by which the CFPB seeks to enable consumer-friendly innovation in financial services. Under the Principles, financial institutions and third-party service providers will need to coordinate closely, which may require a heavy investment if they choose to fully implement the Principles.
The watchdog role
Even though the Principles do not alter, interpret, or otherwise provide guidance on applicable statutes and regulations, they provide a practicable, if generalized, framework with respect to data security, privacy, and unauthorized access. Through the Principles, the CFPB is further staking out its role as watchdog in the growing aggregation services market.
Exactly how bold the CPFB will be in enforcing consumer rights in this area remains unknown. What is known is that the CFPB will be embedding regulators with the three major credit reporting agencies in the wake of the Equifax data breach, indicating the CFPB’s heightened involvement in the day-to-day security operations of these companies.
What the future may hold
Looking ahead, the CFPB could further clarify existing regulations or take more drastic measures such as engaging in rulemaking under Section 1033 of the Dodd-Frank Act. The CFPB could also use its powers under the Unfair, Deceptive or Abusive Acts or Practices (UDAAP) regulation to bring enforcement actions against companies that refuse to follow the Principles.
On the other hand, in the wake of CFPB Director Richard Cordray’s resignation, the CFPB could simply withdraw its oversight from this area, as a future director may look to reorient the CFPB’s mission. Until such time as the CFPB signals its intent with regard to data-sharing requirements, data aggregators and any financial service entity that collects consumer data should heed the Principles and ensure consumer protections for safe access to and controlled use of consumer financial data.
As data privacy threats continue to loom, so too will the increase in regulation and oversight. General data privacy principles continue to serve as the building blocks for many of the international standards in data privacy. As technology continues to shrink global differences, U.S. companies can expect general and globally accepted data privacy principles to cross borders and influence data privacy laws stateside.