Consumers who let budgeting apps or payment platforms access their banking data shouldn’t feel “powerless” about how that information is used if pending regulation works as intended, the Bureau chief said. consumer financial protection.
The bureau is working to develop a long-awaited rule that would make it easier for people to share information about their bank accounts and other sensitive data that financial institutions store and protect. Opening up this data to online financial tools promises to boost competition, but it also increases the risks that people’s information will be misused.
“I fear there is a broader sense of helplessness[ness] businesses and consumers feel when it comes to just returning all their data,” CFPB Director Rohit Chopra said in a July 22 interview.
For consumers to get the most out of a free-flowing information environment, they will need a better understanding of how their financial data is being used and what they agree to when a company asks for permission. to see their data, Chopra said. The bureau is developing a regulatory framework that would give consumers more control and more choice, without creating what Chopra called “an underworld” where companies try to monetize access to financial data.
This fall, the CFPB is expected to give a first look at its rule allowing people to securely share access to sensitive financial information, in part using a common digital infrastructure.
“It’s the future,” said Jeremy Grant, a former federal cybersecurity official who is now managing director of technology business strategy at law firm Venable LLP. “Rather than sharing an ID, I can log into my bank account and tell my bank to let a third-party app access certain data. It allows consumers to have more control over data in a more secure way. . »
Making data more portable, like an open banking system would, ensures that a single company cannot have a monopoly on it, says the Information Technology and Innovation Foundation.
“The whole point of data portability is to ensure that there is no exclusive access to data,” agreed Daniel Castro, vice president of the foundation and director of the Center for Data Innovation.
But there are significant risks the CFPB needs to guard against, said Karen Shaw Petrou, managing partner of Federal Financial Analytics. And they have become more worrisome since the idea of open banking was proposed as part of the post-financial crisis Dodd-Frank Act.
Enter Big Tech
Forays into financial services by Google parent Alphabet Inc., Facebook parent Meta Platforms Inc. and Apple Inc. raise the specter of tech companies with such access by exploiting details such as a consumer’s transaction history or account balance to sell products to them.
And tech giants combining consumer financial data with search histories and social media posts could allow them to steer consumers “toward unsuitable products that put their financial well-being at risk,” he said. Petrou.
Chopra called the emergence of big tech companies in the financial services arena “one of the most important issues facing us as an industry, as regulators, and as a public.”
“It raises a lot of very, very pressing questions, not just about privacy, but about fair competition, transparency and consumer protection,” he told Bloomberg Law.
When a purchase is made using a digital payment platform such as Google Pay or Apply Pay, certain personal information such as email address and postal address is shared with the merchant from whom the consumer purchases, in accordance with their privacy notices. It is generally used to calculate taxes and shipping costs, or to prevent fraud.
Google says its digital payment service does not sell transaction history to third parties or share it with other Google services for targeted advertising. Facebook also says its payment platform does not sell personal information to other parties. Apple Pay transactions are not used for advertising purposes, the company says.
Consumers have been freely sharing bank account data with third-party apps and other fintechs in Europe, the UK, Australia and elsewhere for decades. In the United States, consumers already voluntarily share this information with budgeting, payment and lending apps known as fintechs, attracted by the usefulness of digital platforms that provide services beyond what banks have traditionally offered. But the options are more restrictive.
Chopra said she tracked these consumer experiences and received reports about issues such as data security and lack of transparency, among others.
The 2010 Dodd-Frank Act, Section 1033, directed the CFPB to write a data sharing rule to govern these data streams. Although the agency collected information about the rule, it did not release a proposal until October 2020.
This delay is partly explained by other high priorities – born out of the 2008 financial crisis, the CFPB first tackled mortgage and other regulations aimed at preventing abusive practices from growing and endangering consumers and the economy – and the sheer complexity of sharing consumer financial data.
The data-sharing rule remains up in the air as the issue of open banking intersects with another Biden administration focus: how big tech platforms collect and use personal information, including financial records, and its implications for competition.
Chopra, who previously took on Google and Facebook as a member of the Federal Trade Commission, sought information from tech companies regarding their use of consumer data as one of his first acts as head of the CFPB.
The information gathered by the CFPB will help show what happens when consumers use digital wallets or payment platforms on their phones to buy or sell products, which will help inform policy as Rule 1033 progresses. did he declare.
The CFPB rule could limit how financial data is shared with third parties and restrict “downstream uses of data” only for certain purposes, Castro said.
The current data-sharing regime relies on consumers clicking to accept terms of service, often described in legal language that can obscure how the information is used.
President Joe Biden wants the CFPB to conclude the open banking rule, he said in a July 2021 executive order on competition. The Bureau says it will provide an overview of the rule to a small business review panel in the fall.
“It will give people a much better idea of what the bureau thinks and the extent of this rule,” said Kelly Thompson Cochran, deputy director of the nonprofit FinRegLab, which previously helped build of the CFPB and shaped its rulemaking efforts.
Cochran said it was unclear how a data sharing policy would work in concert with other related laws such as the Gramm-Leach Bliley Act, which sets out requirements for securing financial information against breaches of privacy. data.
The CFPB could also issue a rule to oversee data brokers such as Fiserv, Plaid and MX, which aggregate consumer data and package it for use by banks and other businesses.
By placing data brokers under CFPB oversight, agency reviewers would be able to monitor whether consumer data is being misused.
“It would be a powerful tool for the bureau to try to influence the behavior of aggregators and understand how data is used and sold,” said Michael Gordon, a partner at Ballard Spahr LLP and a former CFPB attorney.
Gordon added that this type of rule should be offered separately from Regulation 1033. At this time, it is not on the CFPB’s official agenda.
Data brokers who are members of the FDATA North America industry group support putting it under CFPB oversight, according to group executive director Steve Boms.
“Regardless of the mechanism, aggregators must be supervised,” he said.