Customer-Authorized Financial Data Sharing and Aggregation

The CFPB released its outline of principles for protecting consumers when they authorize third-party companies to access their financial data to provide certain financial products and services (think digital wallets). The principles are intended to help foster the development of innovative financial products and services, increase competition in financial markets, and empower consumers to take greater control of their financial lives.

Included in the principles are:

  1. Access
     Consumers are able, upon request, to obtain information about their ownership or use of a financial product or service from their product or service provider. Such information is made available in a timely manner. Consumers are generally able to authorize trusted third parties to obtain such information from account providers to use on behalf of consumers, for consumer benefit, and in a safe manner.
     Financial account agreements and terms support safe, consumer-authorized access, promote consumer interests, and do not seek to deter consumers from accessing or granting access to their account information. Access does not require consumers to share their account credentials with third parties.

  2. Data Scope and Usability
     Financial data subject to consumer and consumer-authorized access may include any transaction, series of transactions, or other aspect of consumer usage; the terms of any account, such as a fee schedule; realized consumer costs, such as fees or interest paid; and realized consumer benefits, such as interest earned or rewards. Information is made available in forms that are readily usable by consumers and consumer-authorized third parties. Third parties with authorized access only access the data necessary to provide the product(s) or service(s) selected by the consumer and only maintain such data as long as necessary.

  3. Control and Informed Consent
     Consumers can enhance their financial lives when they control information regarding their accounts or use of financial services. Authorized terms of access, storage, use, and disposal are fully and effectively disclosed to the consumer, understood by the consumer, not overly broad, and consistent with the consumer's reasonable expectations in light of the product(s) or service(s) selected by the consumer. Terms of data access include access frequency, data scope, and retention period. Consumers are not coerced into granting third-party access. Consumers understand data sharing revocation terms and can readily and simply revoke authorizations to access, use, or store data. Revocations are implemented by providers in a timely and effective manner, and at the discretion of the consumer, provide for third parties to delete personally identifiable information.

  4. Authorizing Payments
     Authorized data access, in and of itself, is not payment authorization. Product or service providers that access information and initiate payments obtain separate and distinct consumer authorizations for these separate activities. Providers that access information and initiate payments may reasonably require consumers to supply both forms of authorization to obtain services.

  5. Security
     Consumer data are accessed, stored, used, and distributed securely. Consumer data are maintained in a manner and in formats that deter and protect against security breaches and prevent harm to consumers. Access credentials are similarly secured. All parties that access, store, transmit, or dispose of data use strong protections and effective processes to mitigate the risks of, detect, promptly respond to, and resolve and remedy data breaches, transmission errors, unauthorized access, and fraud, and transmit data only to third parties that also have such protections and processes. Security practices adapt effectively to new threats.

  6. Access Transparency
     Consumers are informed of, or can readily ascertain, which third parties that they have authorized are accessing or using information regarding the consumers' accounts or other consumer use of financial services. The identity and security of each such party, the data they access, their use of such data, and the frequency at which they access the data are reasonably ascertainable to the consumer throughout the period that the data are accessed, used, or stored.

  7. Accuracy
     Consumers can expect the data they access or authorize others to access or use to be accurate and current. Consumers have reasonable means to dispute and resolve data inaccuracies, regardless of how or where inaccuracies arise.

  8. Ability to Dispute and Resolve Unauthorized Access
     Consumers have reasonable and practical means to dispute and resolve instances of unauthorized access and data sharing, unauthorized payments conducted in connection with or as a result of either authorized or unauthorized data sharing access, and failures to comply with other obligations, including the terms of consumer authorizations. Consumers are not required to identify the party or parties who gained or enabled unauthorized access to receive appropriate remediation. Parties responsible for unauthorized access are held accountable for the consequences of such access.

  9. Efficient and Effective Accountability Mechanisms
     The goals and incentives of parties that grant access to, access, use, store, redistribute, and dispose of consumer data align to enable safe consumer access and deter misuse. Commercial participants are accountable for the risks, harms, and costs they introduce to consumers. Commercial participants are likewise incentivized and empowered effectively to prevent, detect, and resolve unauthorized access and data sharing, unauthorized payments conducted in connection with or as a result of either authorized or unauthorized data sharing access, data inaccuracies, insecurity of data, and failures to comply with other obligations, including the terms of consumer authorizations.