Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On September 21, the House Financial Services Committee’s Task Force on Financial Technology held a hearing titled, “Preserving the Right of Consumers to Access Personal Financial Data,” to discuss developments in fintech sharing and consumers’ right to control their own financial data. Task Force Chair, Stephen Lynch (D-MA), opened the hearing by expressing his concerns about the “uncertainty given the transformational technology and advancements as well as changing relationships and customer preferences.” He also noted that while the Committee is in agreement regarding the importance of protecting consumers’ control over their own financial data, “there’s a question whether both regulators and policymakers alike are moving fast enough to address the uncertainties.” The committee memorandum focused on recent developments in the data sharing fintech ecosystem discussed during the hearing, which included the following, among other things:
- Consumer Data Market Participants. The task force reported that new technologies have led financial service providers to utilize consumer-authorized data, such as data aggregators and payment processors. The task force also noted data privacy advocates have concerns that consumers may authorize the use of their data for purposes beyond what is understood by the consumer, and stated that the CFPB may consider the need for regulatory guidance on data use limitations, including possible time restrictions, in its rulemaking.
- Regulatory Structure Over Consumer Data. The task force discussed federal and state laws that cover data privacy, such as the Gramm-Leach-Bliley Act, FCRA, ECOA, and EFTA and their respective purposes in protecting consumer data through privacy and security.
- Screen Scraping, Application Program Interface (API), and Open Banking. The task force noted that many data aggregators have transitioned to using a structured data feed or API, instead of credential sharing and screen scraping. However, the task force expressed concerns that these methods may “lack adequate consumer protections and privacy protections, and face cybersecurity weaknesses.”
- DFA 1033 Rulemaking, Executive Order 14036, and Other Recent Developments. The task force discussed regulatory guidance and the need for clarity on consumer data sharing between financial institutions. The task force noted that some concerns from consumer advocates may involve the burden of liability or risk shifting to the consumer when consumers provide consent to financial institutions.
- International Data Sharing Landscape. The task force mentioned that several foreign countries promote consumer-permissioned data sharing access through APIs, due to cybersecurity concerns. For example, the United Kingdom requires large banks to adopt open API banking standards and the European Union’s General Data Protection Regulation established a set of rules regarding personal data throughout the EU.
Task force members heard concerns from witnesses regarding tighter legal and regulatory measures around data-sharing among financial institutions and third parties, in addition to requests for more robust, informed consent from consumers when their information is aggregated and allocated. Congressman Davidson (R-OH) expressed hope that the CFPB will find that individuals have a property right in their own data, and called for regulators to continue to “provide [a] consumer-focused, principle-based framework that will allow for innovation and competition.” He also found it encouraging that the “CFPB [is] continuing to make progress towards rulemaking under Section 1033 of the Dodd-Frank Act.”
On September 2, the Irish Data Protection Commission (Commission) announced that a final decision was reached in a General Data Protection Regulation (GDPR) investigation into a U.S.-based messaging service’s handling of individuals’ personal information. The final Article 65 decision, published by the European Data Protection Board (EDPB), imposes a €225 million on the company, and resolves an investigation into whether the company met its transparency obligations with respect to its data processing activities. The Commission alleged that the company violated provisions of the GDPR through the way it processed users’ and non-users’ data, as well as in the way it processed and shared data with other companies’ owned by the parent global social media company.
According to the final decision, “a number of concerned supervisory authorities” raised objections to aspects of the draft decision, taking issue, among other things, with the size of the proposed fine, which was originally set between €30 and €50 million. Because the Commission was unable to reach a consensus with the objecting concerned supervisory authorities, a dispute resolution process was triggered. The EDPB ultimately ordered the Commission to reassess and increase its proposed fine. In addition to imposing the administrative fine, the Commission also ordered the company “to bring its processing into compliance by taking a range of specified remedial actions.”
Recently, a global technology corporation disclosed a $746 million euro (approximately $888 million USD) fine issued by the Luxembourg National Commission for Data Protection (CNPD) for alleged violations of the EU’s General Data Protection Regulations (GDPR). The corporation’s Form 10-Q for second quarter 2021 states that on July 16, the CNPD issued a decision against the corporation’s European headquarters, claiming its “processing of personal data did not comply with the [GDPR].” In addition to the fine, the decision also requires corresponding practice revisions, the details of which were not disclosed. The corporation noted that the decision is “without merit” and stated it intends to defend itself “vigorously” in this matter. According to sources, the decision follows an investigation started in 2018 when a French privacy group claiming to represent the interests of Europeans filed complaints against several large technology companies to ensure European consumer data is not manipulated for commercial or political purposes.
- Daniel R. Alonso to discuss internal investigations at the Institute of Internal Auditors of Argentina Spanish-language webinar
- Jonice Gray Tucker to discuss “Fintech trends” at the BIHC Network Elevating Black Excellence Regional Summit
- Jeffrey P. Naimon to discuss "Truth in lending” at the American Bar Association National Institute on Consumer Financial Services Basics
- Daniel R. Alonso to discuss anti-money-laundering at FELABAN Spanish-language webinar “Perspective for banks: LAFT, FINCEN, OFAC, Cryptocurrency”
- Daniel R. Alonso to discuss "What’s new in BSA/AML compliance?" at the Institute of International Bankers Regulatory Compliance Seminar
- Marshall T. Bell and John R. Coleman to speak at 2021 AFSA Annual Meeting
- Jon David D. Langlois to discuss "Regulatory update: What you need to know under the new boss; It won’t be the same as the old boss" at the IMN Residential Mortgage Service Rights Forum (East)
- Benjamin B. Klubes to discuss “Creating a Fantastic Workplace Culture”
- John R. Coleman and Amanda R. Lawrence to discuss “Consumer financial services government enforcement actions – The CFPB and beyond” at the Government Investigations & Civil Litigation Institute Annual Meeting
- Jonice Gray Tucker to discuss "Consumer financial services" at the Practising Law Institute Banking Law Institute
- Jonice Gray Tucker to discuss “Regulators always ring twice: Responding to a government request” at ALM Legalweek