On October 18, 2017, the Consumer Financial Protection Bureau issued “Consumer Protection Principles” for protecting consumers’ interests in the context of consumer-authorized data sharing and aggregation. The principles are related to the Request for Information that the Bureau issued in connection with section 1033 of the Dodd-Frank Act late last year.

The Consumer Protection Principles emphasize the growing role of fintech companies that access consumers’ financial data – with their permission – in order to provide services such as data aggregation or financial advice. Acknowledging that industry participants are already working on developing agreed-upon practices and norms for such services, the Bureau insists that “consumer interests must be the priority of all stakeholders,” and presents these Principles as the agency’s “vision for realizing a robust, safe, and workable data aggregation market that gives consumers protection, usefulness, and value.” The Bureau also released an outline describing the stakeholder insights that it took into account in developing the principles.

The Consumer Protection Principles highlight the following themes for account providers and for third parties authorized by consumers to access financial data:

  • Consumer Access. Account providers should make consumer data available timely and securely to consumers and to consumer-authorized third parties without requiring that consumers share their account credentials with the third parties.
  • Data Scope and Usability. Account providers should make consumer data available in a manner that is “readily usable” by consumers and authorized third parties. Third parties should access only the data necessary for the requested products or services and should erase such data as soon as it is no longer necessary for those purposes.
  • Control and Informed Consent. Terms of access, storage, use, and disposal should be effectively disclosed and neither “overly broad” nor inconsistent with a consumer’s “reasonable expectations.” The Principles indicate that consumers should have the benefit of terms that allow them to easily revoke their authorizations and to order third parties to delete any personally identifiable information. Accessing information and making payments should require “separate and distinct” consumer authorizations.
  • Data Security. There should be secure methods of accessing, storing, using, and distributing consumer data, including consumers’ access credentials.
  • Transparency. For every third party with access to consumer data, consumers should be able to readily ascertain the “identity and security” of the party, the data it accesses, and how frequently and how it uses such data.
  • Dispute Resolution. Companies should provide consumers with “reasonable means” to dispute and resolve alleged inaccuracies in their data, even if an inaccuracy is attributable to another party. Companies should also provide means to dispute and resolve alleged unauthorized access, data sharing, payments, or failures to comply with other obligations.
  • Accountability. Account providers and authorized third parties should set “goals and incentives” that ensure that consumers are protected and that companies are accountable for any harms they incur on consumers.

The Bureau provides an important caveat for the Principles by stating that they “are not intended to alter, interpret, or otherwise provide guidance on—although they may accord with—existing statutes and regulations that apply in this market” and “are not intended as a statement of the Bureau’s future enforcement or supervisory priorities.”