Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

CFPB holds symposium on consumer access to financial records

Federal Issues Agency Rule-Making & Guidance CFPB FCRA Consumer Data Symposium Consumer Finance Fintech Dodd-Frank

Federal Issues

On February 26, the CFPB held a symposium covering consumer access to financial records and Section 1033 of the Dodd-Frank Act, which deals with consumers’ rights to access information about their financial accounts. In her opening remarks, Director Kathy Kraninger pointed out three major changes in data aggregation since the OCC first warned banks about aggregating consumer data in 2001: (i) “the range of actors involved has expanded greatly”; (ii) “the extent to which they are using aggregated data to provide new products and services to millions of American consumers has grown in scope and scale”; and (iii) “technologies that enable safer and more efficient consumer authorized data sharing continue to evolve and proliferate.” According to the CFPB’s press release, the purpose of this symposium was “to elicit a variety of perspectives on the current and future state of the market for services based on consumer-authorized use of financial data.” The symposium consisted of three panels: (i) the current landscape and benefits and risks of consumer-authorized data access; (ii) market developments; and (iii) considerations for policymakers. Panel highlights include:

  • Panel #1. The panelists considered potential benefits and risks for consumers around data access as well as the current landscape and benefits and risks of consumer-authorized data access. Panelists agreed that consumers should be given control over their data and also mentioned the need to educate consumers on data security. One panelist suggested that consumers need to understand not only the breadth of data that is accessible, but also what sensitive consumer data is being accessed, stored, and shared. She stressed that entities storing/accessing the data should be subject to the same supervision for cyber security standards as banks.
  • Panel #2. The panel, which was comprised of experts in market developments and trends, including in the areas of cash flow underwriting and the business of securing consumer permission to access checking account data, discussed market developments in consumer-authorized data access. One panelist suggested that the U.S. is behind countries like Australia and Canada (where government intervention in the market clarified consumers’ legal right to access their financial data) because of a lack of connectivity and of data field availability in the U.S. Others discussed alternatives to the current screen scraping model—which does not advance transparency or traceability for consumers—such as a model based on an application program interface (API) (APIs can be used to combine data from various sources into one application). The panelists also discussed tokenized authentication as a possible middle phase when going from screen scraping to APIs. Panelists suggested that the market is making significant technological improvements, but lacks guidance from policymakers.

Panel #3. The third panel, focused on “where we are going and how we get there” or the “future of the market” and “considerations for policymakers on how to” ensure consumer data is safeguarded “while ensuring that consumers have continual access to their data.” Among other things, the panel discussed that regulatory intervention in this space has not been common. Many panelists also mentioned areas of uncertainty, including whether banks or consumers should decide the limitations of rights to consumer data. Regarding Section 1033, one panelist suggested that the bank view is that the CFPB does not need to regulate here and should not provide consumers and their agents with access to their information, however, any entities that have access to the data should be regulated. Others believed that banks and other financial institutions do not view Section 1033 correctly. Another area of uncertainty discussed was whether the consumer data right is an ownership right, and whether a bank can decide to whom it will or will not provide consumer data.