At the ABA Business Law Section’s Virtual Spring Meeting in April 2021, a panel of industry experts will discuss data aggregation and the role data aggregators play in today’s financial services market. The discussion will center around the CFPB’s Advance Notice of Proposed Rulemaking (ANPR) on Section 1033 of the Dodd-Frank Act and Consumer Access to Financial Records, including the goal of regulation and consumer consent and privacy considerations and also covered use cases for data sharing, consumer benefits and regulator coordination. The panel consisted of Thomas Devlin, Managing Counsel, Office of Regulations, CFPB; Meredith Fuchs, General Counsel, Plaid; Chris Hill, Assistant General Counsel, Finicity; Grace Powers, Assistant General Counsel, eCommerce, Technology, and Innovation, Wells Fargo and Christina Tetreault, Manager, Financial Policy, Consumer Reports. ABA Business Law Section members will also be able to watch the program for CLE credit on-demand and can register for free here.
Data aggregation has long played an important role in consumer financial services. Whether done internally or through a third party, the ability to consolidate financial information and services can provide benefits to consumers. For example, a consumer may be able to send money to a friend, pay her electric bill, and book a vacation getaway all through her financial institution’s website. Financial service providers also benefit from data aggregation services by increasing touchpoints with their customers, streamlining account opening, and having access to more information for credit decisioning. However, the risks of unauthorized access to nonpublic personal information increase as more information is consolidated in a single location or as more entities pass the information.
The Emerging Landscape
In 2001, the Office of the Comptroller of the Currency (OCC) issued Bulletin 2001-12 addressing bank-provided account aggregation services. While the OCC recognized the potential value of these services, it warned banks of the risks involved in this emerging area, particularly when engaging third parties. The guidance ultimately served to encourage banks to employ risk controls when engaging in aggregation activities. The OCC stressed strong information security controls to protect against unauthorized access to consumer information, promoted robust authentication measures to enhance the security controls, and recommended thorough evaluation of third parties to ensure the security of all information and compliance with all legal requirements. The guidance also noted the importance of disclosing the terms of the aggregation service and scope of the bank’s authority to use the customer’s information in customer agreements.
Since Bulletin 2001-12, data aggregation has expanded dramatically. The parties involved are no longer just banks and their third-party service providers. The lines between data holder, data aggregator and data user have blurred as both banks and non-bank providers have evolved. The sophistication of the parties and how they collect information has also changed.
Today, data aggregation is primarily done using application programming interfaces (APIs) and screen scraping. An API is an application that allows multiple systems to be compatible with one another to facilitate data flowing between the systems. The data user generally must conform to a set of standards or application terms in order to use a particular API. Screen scraping, which is less common than using APIs, is a computer program that will read public information on a website and copy such information. Depending on the sophistication of the program, it can copy all information from a site or target specific types of information. A screen scraper program may input the information collected into various formats, including into an electronic database or into an API to be shared with other data users. In either case, the application or program is operating in the background and does not necessarily impact the consumer experience.
In March 2020, the OCC once again addressed risk management concerns with data aggregation in Bulletin 2020-10. Under this guidance, data aggregators are “entities that access, aggregate, share, or store consumer financial account and transaction data that they acquire through connections to financial services companies.” The guidance noted that while a bank does not need to have a direct relationship with a data aggregator to share information authorized by the consumer, those who do interact with an aggregator should have sufficient controls in place. FAQ #4 explained that “[i]nformation security and the safeguarding of sensitive customer data” remains a key consideration for risk management of these relationships regardless of whether the bank has a direct relationship with the third-party data aggregator. Banks with direct relationships have higher risk management expectations. Employing strong vendor management controls, including due diligence and ongoing monitoring, is vital to ensuring the security of customer information.
The CFPB’s Role
The Consumer Financial Protection Bureau (CFPB) is also becoming more active in this space. While the OCC tends to focus on safety and soundness issues for banks, the CFPB has taken a more consumer-focused approach. In 2010, Congress passed the Dodd-Frank Act, including Section 1033 which provides consumers with a right to access their financial data. Section 1033 generally requires financial service providers to make available to a consumer information it has related to that consumer.
The CFPB announced its Consumer Protection Principles for Consumer-Authorized Financial Data Sharing and Aggregation in 2017. In the Principles, the CFPB observed the important role non-bank providers have in providing consumers with access to financial management tools, account verification, fraud prevention, and other services. Since these providers often need access to nonpublic personal information in order to provide these services, the CFPB stressed the need to keep consumers in mind when designing information-sharing policies and obtaining consent. Nine key principles were identified: access; data scope and usability; control and informed consent; authorizing payments; security; access transparency; accuracy; ability to dispute and resolve unauthorized access and efficient and effective accountability mechanisms.
In November 2020, the CFPB issued an ANPR on Consumer Access to Financial Records to implement rulemaking under Section 1033. In the ANPR, the CFPB recognized the changing industry dynamics regarding data aggregation and sought feedback on topics including the scope of consumer access, consumer control and privacy and data security. In its discussion, the CFPB noted the rise of non-bank providers and how the increased overlap between data holders, data aggregators, and data users complicates how consumers can access their data. The CFPB also noted that these changes play an important role in the market for financial products and services in the form of increased competition leading to new and improved products, broader access, and lower consumer costs.
The CFPB asked for comprehensive feedback from the industry to help it understand the best course of regulatory action. Regarding the scope of data access, the CFPB sought input on what types of data holders should be covered, how to address confidential information not subject to the right of access, and whether other information should be excluded from access. Regarding consumer control and privacy, the CFPB sought input on both primary and secondary uses of data and how to ensure consumers better understand how their data is being shared and used. Regarding data security, the CFPB sought input on existing law and incentives to keep consumer data secure. Other topics for input included costs and benefits of consumer data access, competitive incentives, and data accuracy. The comment period for the Section 1033 ANPR closed on February 4, 2021, and the CFPB’s rule or other response to the ANPR comments has yet to be published as of this writing.
Despite the many legitimate use cases and potential consumer benefits of data aggregators, a number of risks remain. Consumer protection advocates point to the consent and privacy implications citing a consumer’s need to understand how his data is being used and shared. The evolving state privacy law landscape and lack of a federal privacy and data security standard remains an open question on how to address these issues in the data aggregator space. Ultimately, how the CFPB decides to implement Section 1033 will have a substantial impact on this sector of the industry and it remains to be seen how regulatory intervention will affect progress and innovation.