Who owns consumer data? CFPB launches inquiry
US watchdog agency will examine choice, security and control over financial data
By Fred O. Williams | Published: November 17, 2016
Expert on consumer credit laws and regulations
Who owns consumers’ digital financial data? Who can use it? How can it be kept secure?
The government’s consumer financial watchdog announced Thursday it has launched a formal inquiry into these questions, with the aim of helping people manage their finances better.
“Access to digital financial records is critical,” U.S. Consumer Financial Protection Bureau Director Richard Cordray said in a written statement. “As with your student records or medical records, your financial records tell an important story about you.”
As you use a bank account, credit card or prepaid card, the electronic record of your transactions grows into a valuable trove of information. Budgeting apps, for example, can examine your spending and help you spot where money is leaking. For people who lack a lengthy credit history, the transaction data can help lenders approve loans at fair interest rates.
Choice, security, control
But sharing transaction data brings up a number of questions. Among the issues the CFPB’s inquiry will cover are:
- Choice: Can consumers access their own digital financial records and grant access to others for their benefit. What burden does this choice put on financial institutions?
- Security: What are the options to ensure that transaction records are transmitted, stored and used securely.
- Control: When access is granted to third parties, can consumers restrict their data to specified uses and limit the access, such as requesting records be deleted.
The consumer protection bureau’s inquiry into these questions marks its first step into a contentious area. Mainstream financial institutions are facing off against newfangled apps and services, and personal finance aggregators such as Mint that pull transaction data from accounts across multiple institutions.
“We are concerned that some financial institutions have threatened to cut off the flow of information to some websites and mobile applications,” Cordray said. Keeping the data locked up shields banks from the competitive threat posed by financial technology – or “fintech” – upstarts, he said. Banks may also fear that they could be on the hook for losses if a data breach at an aggregator exposes the keys to customer accounts.
Banks, on the other hand, said they worry about customers’ privacy and account security. In his letter to shareholders in April 2016, JPMorgan Chase CEO Jamie Dimon sounded an alarm about customers granting account access to third parties. Chase’s analysis found that customers routinely gave apps access to “far more information” than needed for their purpose, he said.
“When we all readily click ‘I agree’ online or on our mobile devices … it is fairly clear that most of us have no idea what we are agreeing to or how that information might be used by a third party,” Dimon said.
The Wall Street Journal reported in August 2015 that aggregator Yodlee sold data to investment firms without disclosing the practice. Yodlee reportedly said the data is anonymous and cannot be linked to individual consumers.
Consumer data and fintech boom
The CFPB announced the inquiry – potentially its first step toward a regulation on financial data – the same day as a field hearing in Salt Lake City on the use of electronic financial records. The list of attendees includes representatives from Yodlee, the American Bankers Association and the pro-technology group Center for Financial Services Innovation.
Resolving the issues around sharing consumers’ transaction data has a big upside, proponents say. The nation’s current boom in financial technology – including a wave of mobile money apps for budgeting, bill paying and other tools – holds out the promise of helping strapped consumers manage their finances better, the CFSI said in announcing a study in May.
“Banks, fintech companies, and other providers can position themselves today as leaders in helping consumers solve their financial challenges,” Jennifer Tescher, president of CFSI, said in a news release.
Regulation or guidelines?
Industry and consumer representatives at the panel discussion split on whether the CFPB must issue regulations to achieve safe data sharing. In the alternative, industry standards could be developed cooperatively, with the agency issuing guidance from the sidelines.
"I don't hear us being that far apart in terms of where we want to go, said Alaina Gimbert, senior vice president of The Clearing House, a New York-based bank industry group and payment processor. "I think we can do this without regulation."
Consumer organization representatives disagreed, saying consumers need clearcut rights to their data as a core principle of the data sharing environment.
"I don't think this will work unless we have enforceable minimum standards by a regulator," said Ed Mierzwinski, consumer program director at the Public Interest Research Group. Nick Thomas, co-founder of budgeting app Mvelopes, said some financial institutions take days to make transaction data available after the transaction takes place.
Consumers' ability to easily transfer their transaction data will make it easier to change banks and financial services, said Joe Valenti, director of consumer finance at the Center for American Progress. Banking will be more competitive and banks will be more responsive to consumer concerns when consumers are empowered to vote with their feet, he said.
Holding the hearing signaled that the CFPB intends to continue work on regulatory initiatives in the face of uncertainty about its future. Republican congressional efforts to restructure the CFPB and reduce its powers, blocked so far by the threat of a White House veto, are now seen as having a strong likelihood of success under the Trump administration.
The Dodd-Frank Act gives consumers the right to access their transaction data in a useable electronic form. The law also makes the CFPB responsible for regulating the issues surrounding data access. The public may comment on the inquiry, using docket number CFPB-2016-0048, for 90 days after the agency’s formal Request for Information is published in the Federal Register.
See related: Mobile shopping apps raise privacy, security issues
- Debt relief firm that claimed ties to US government sued by CFPB – The Consumer Financial Protection Bureau sued two companies both known as FDAA for an allegedly illegal debt relief scheme targeting credit card debtors ...
- In the wake of Equifax hack, Congress proposes credit bureau reform – Lawmakers call for changes in credit report system to protect people's data, or at least give them more control over it ...
- Poll: 1 in 4 Americans checked their credit after Equifax breach – The flood of post-breach consumer action is encouraging, but many still didn't check their credit ...