CFPB Request for Information Regarding Consumer Access to Financial Records

The CFPB has launched a formal inquiry into obstacles consumers face in accessing and sharing with third parties personal financial records held by banks and other institutions.

The action by the bureau comes amid banking industry concern over a commonly used process called “screen scraping” in which consumers provide their online banking credentials to a third-party app or tool. While banks fully support consumers’ ability to extract and control personal financial data — and are working on ways to facilitate it safely — services that require customers to provide account credentials can introduce significant risks, including potential loss of consumer protections.

CFPB Director Richard Cordray said:

Consumers should be able to use their financial records and account information and securely share access in an electronic format. Technology provides opportunities to use these records to create new consumer tools that help improve financial lives. To realize that potential, we are launching a public inquiry into how much control consumers have over their records and how easy and secure it is for them to share their records with third parties.
The CFPB also issued a request for information on several aspects of consumer data access and sharing, including current practices and potential market developments. Responses to the request will be due 90 days after it is published in the Federal Register.

The Request for Information contains 17 questions the CFPB is asking for feedback on:

Questions 1 through 17 below seek information about current market practices.

Questions 18 through 20 enable commenters to describe how they believe market practices may or should change over time. Questions use “consumer-permissioned access” to cover direct access by the consumer upon request and access by the consumer’s permissioned designees, but, where they deem it appropriate, respondents may provide different answers for these two forms of consumer access.

Current practices

  1. What types of products and services are currently made available to consumers that rely, at least in part, on consumer-permissioned electronic access to consumer financial account data? What benefits do consumers realize as a result? This question covers the use of such data to deliver products or services or to assess eligibility for a given product or service.
  2. How many consumers are using or seeking to use such products or services? What demographic or other aggregate information is available about these consumers?
  3. To provide or assess eligibility for these products and services, what kinds of consumer financial account data are being accessed, by what means, under what terms, and how often? How long is accessed data stored by permissioned parties or account aggregators?
  4. To provide or assess eligibility for these products and services, what kinds of nonfinancial consumer account data are being accessed by parties that also access consumer financial account data? By what means, under what terms, and how often? How long is accessed data stored by permissioned parties or account aggregators?
  5. What types of companies offer products and services that rely, at least in part, on consumer-permissioned electronic access to consumer financial account data, either to deliver the product or service or to assess eligibility for the product or service? To what extent are such products and services offered by entities that offer transaction accounts? To what extent are they offered by other market participants?
  6. In what ways, if any, do consumer products and services that rely, at least in part, on consumer-permissioned electronic access to consumer financial account data differ according to whether the offering company provides or does not provide transaction accounts to consumers? Do any such differences impact consumers? If so, how?
  7. To what extent do market participants compete to offer consumer products and services that rely, at least in part, on consumer-permissioned access to consumer financial account data? How does such competition impact consumers?
  8. What incentives or disincentives exist for consumer financial account providers to facilitate or discourage consumer-permissioned access to the account data that they hold by permissioned parties or account aggregators? In what ways do consumer financial account providers directly or indirectly facilitate or restrict consumer-permissioned access to account data? What are the associated impacts to consumers and other market participants?
  9. What impediments, obstacles or risks do consumer financial account providers currently face in providing data to or allowing access to data by permissioned parties or account aggregators? Describe specific operational costs, risks, and actual or potential losses, and identify their specific causes.
  10. What impediments, obstacles or risks do permissioned parties or account aggregators currently face in obtaining such data? Describe specific operational costs, risks, and actual or potential losses, and identify their specific causes.
  11. What impediments, obstacles or risks do consumers currently face in obtaining— including permitting access to—such data?
  12. What security and other risks do consumers incur if they permit access to their financial account data in order to obtain a particular product or service? What steps have consumer financial account providers, account aggregators, permissioned parties and other users of consumer-permissioned account data taken to mitigate such risks? What information do these parties communicate to consumers about associated risks?
  13. In what ways, do account aggregators or permissioned parties use consumer permissioned account data for purposes other than offering or facilitating the delivery of a specific product or service to the permissioning consumer? Do such companies continue to access or store data after the consumer ceases to use the product for which the permissioned data use was intended by the consumer? Do such companies share the data with other parties and, if so, under what terms and conditions? What are the associated impacts to consumers?
  14. When consumers permit access to their financial account data, what do they understand about: what data are accessed; how often they are accessed; for what purposes the data are used; whether the permissioned party or account aggregator continues to access, store or use such data after the consumer ceases to use the product or service for which the permissioned data use was intended by the consumer; and with which entities a permissioned party or account aggregator shares the data and on what terms and conditions? What drives or impacts their level of understanding? What impact does their level of understanding have on consumers and on other parties, including on consumers’ willingness to permit access?
  15. To what extent are consumers able to control how data is used by permissioned parties or account aggregators that obtain that data via consumer-permissioned access? Are consumers able to control what data are accessed, how often they are accessed, for what purposes and for how long the data are used, and with which entities, if any, a permissioned party or account aggregator may share the data and on what terms and conditions? Are they able to request that permissioned parties, account aggregators, or other users delete such data? Is such data otherwise deleted and, if so, when and by what means? To what extent are consumers consenting to permissioned party and account aggregator practices with respect to access, use and sharing of consumer financial account data?
  16. Do consumer financial account providers vet account aggregators or permissioned parties before providing data to them? Do consumer financial account providers perform any ongoing vetting of account aggregators or permissioned parties? If so, for what purposes and using what procedures? What are the associated impacts to consumers and to other parties?
  17. What industry standards currently exist, in development or otherwise, to enable consumer-permissioned access to financial account data?

Potential market developments

  1. What changes are or may be expected to happen to any market practice described in response to questions 1 through 17, why, and with what impacts to consumers, consumer financial account providers, permissioned parties, and account aggregators? Responses to this question may be integrated into responses to questions 1 through 17 if commenters prefer.
  2. What changes should happen to any market practice described in response to questions 1 through 18, why, and with what impacts to consumers, consumer financial account providers, permissioned parties, and account aggregators? Responses to this question also may be integrated into responses to questions 1 through 17 if commenters prefer.
  3. Are “industry standard” practices that provide consumers with data access comparable to that envisioned by section 1033 of the Dodd-Frank Act likely to be broadly adopted by consumer financial account providers, permissioned parties and account aggregators in the absence of regulatory action? If not, how will “industry standard” practices be insufficient? What marketplace considerations are likely to bear on such developments? Generally, how will the advent of standard practices for consumer-permissioned access to consumer financial account data affect competition and innovation in various consumer financial service markets?

Leave a Reply

Your email address will not be published. Required fields are marked *