BlogLine

From the CFPB: 9 Principles for Safer Third-Party Access to Financial Data

11/2/17

By: Zach Moura
The Consumer Financial Protection Bureau (CFPB) is a federal agency that was created to ensure consumer protection in the financial sector. On October 18, it released a set of nine principles intended to help protect consumers who have authorized third-party access to their financial services providers.
This type of access is typically granted when one company, such as a bank or a portfolio management company, obtains access to a consumer’s account data held by a separate financial organization in order to provide the consumer additional services such as bill payment, personal financial management, or fraud screening/identity verification. The CFPB acknowledged that these arrangements can provide “great benefits to consumers,” but present risks for data security and privacy.
To ensure the protection of consumer interests, the CFPB says financial organizations should adhere to the following nine principles when entering into such relationships:

1. Access: Consumers should be able to access information about their ownership or use of financial products and services in a timely manner.

2. Data Scope and Usability: Consumer data subject to access may include transactional aspects of consumer usage, account terms, and realized consumer costs and benefits. Authorized third parties’ access should be limited to the minimum amount necessary, and only for as long as necessary, to provide the consumer-selected products and services.

3. Control and Informed Consent: Terms of access, including access frequency, data scope, and retention period, should be clearly disclosed and consistent with the consumer’s reasonable expectations. The consumer should also be allowed to revoke the terms easily.

4. Authorizing Payments: Authorizations for payment must be separate from authorizations for data access.

5. Security: Access to consumer data and any storage, use, or distribution of such data must be secure. Consumer data should be maintained in a manner and in formats with strong protections that deter and protect against security breaches.

6. Access Transparency: Consumers should be able to readily ascertain the identity and security of each party for whom they have authorized access, as well as what data is accessed, how it is used, and the frequency with which it is accessed.

7. Accuracy: Consumers should have an expectation that data is accurate and current, with reasonable means to dispute and resolve inaccuracies.

8. Ability to Dispute and Resolve Unauthorized Access: Consumers should have practical means to dispute and resolve unauthorized data access or sharing, payments in connection with data access, and failures to comply with other data users’ obligations.

9. Efficient and Effective Accountability Mechanisms: Commercial participants should be held accountable for harm to consumers, and incentivized to prevent, detect, and resolve unauthorized access and data sharing, unauthorized payments, data inaccuracies, insecurity of data, and failures to comply with other obligations.

While these principles are not binding, they are “intended to reiterate the importance of protecting consumers as the market for services using consumer-authorized financial data develops.” It does not appear that the CFPB has any immediate plans to initiate formal regulatory action in this area, but financial institutions should keep abreast of developments as the market for consumer services and products requiring access to financial data grows. A complete copy of the consumer protection principles can be accessed here.
If you have any questions or would like more information, please contact Zach Moura at zmoura@fmglaw.com.