CFPB should write a data sharing rule that can evolve with the market
By David Silberman, Corey Stone
The Consumer Financial Protection Bureau’s recent Regulatory Agenda indicates that the bureau plans to commence a rulemaking in November to implement the data sharing provision in Section 1033 of the Dodd-Frank Act. For that rulemaking to enable consumers to enjoy the benefits of more open data, the CFPB should heed Director Rohit Chopra’s recent call to eschew “highly complicated rules that have long been a staple of consumer financial regulation” and instead develop a principles-based approach that addresses the most significant pain points in the data ecosystem today and will allow the market to evolve over time.
As former CFPB officials, we recognize the temptation to write a rule that addresses all the issues implicated by data rights, including those regarding the intersection of those rights with other consumer protection laws.
But we also recognize how daunting and time consuming a task that would be. Research we have conducted among innovators and data aggregators who facilitate data access persuades us that the bureau can best serve the market now by articulating a handful of core principles that will resolve ambiguities and enshrine consumers’ right of data access.
First, the CFPB should confirm the right of consumers to share, with third parties of their choosing, any data that they would normally be able to see themselves through their relationship with a financial services provider, and the correlative duty of data holders to facilitate such sharing.
Although data access by third parties is widespread, some institutions are simply not recognizing their obligation to facilitate data sharing with consumers’ third-party representatives. Because of ambiguity about this obligation, such institutions are not investing in the API connections and tokenization protocols that can eliminate the sharing of login credentials and the risk that poses to data security.
At the same time, even among institutions that permit data sharing, some withhold certain fields such as the interest rate on a credit card or the number and amount of penalty fees a consumer has been charged. Others are arbitrarily limiting the months of account and transaction history that a consumer can share.
Consequently, apps designed to help consumers depict a history of their finances, manage their cash flows or shop for financial services are handicapped in their ability to do so. The CFPB should make clear that such anti-competitive behavior cannot be justified on the grounds that such data is confidential.
Relatedly, the rule should resolve ambiguities regarding the types of entities that are obligated to share financial data beyond “core” financial services providers. At a minimum these should include government entities and their contractors when they provide prepaid instruments or payment processing services to enable consumers to access public benefits on a recurring basis and providers of services through which funds in a health savings or flexible spending account can be accessed. Financially vulnerable consumers need to be able to share those data to take advantage of apps that can help them better manage these benefits.
As a corollary to consumers’ right to share data, the CFPB also should establish the principle that data holders cannot unreasonably restrict the frequency with which a consumer or their agents can access their data.
For the most vulnerable consumers, tracking funds flows at the end of their pay periods and when bills come due can be an hour-by-hour affair. Third-party applications that can anticipate forthcoming debits, provide low-balance alerts, and even provide an emergency advance need — and should have — the same frequency of access as consumers have when they access data themselves through their banks’ mobile or online banking services. Yet we have found that many of the largest institutions, through negotiated agreements with data aggregators or otherwise, have imposed limits on the frequency with which data can be accessed — limits that interfere with the ability of third-party applications to provide real-time service to their customers.
Similarly, the bureau should establish the principle that data holders cannot unreasonably impede or discourage consumers from sharing their data or unreasonably limit the duration of consumer-permissioned access.
We have found that as the process by which consumers consent to permit access to their data is migrating from data aggregators to financial institutions’ sites, completion rates once consumers are redirected to these sites vary considerably. This suggests that some have structured processes that, by design or otherwise, are sufficiently complex or contain warnings sufficiently dire to cause consumers to abandon the process midstream.
We likewise have found that a high proportion of account linkages expire within a short period after they are established, as tokens for access are programmed to expire within short periods, causing data disruptions until the consumer goes back through the consent process. Although informed consent is a necessary touchstone for data sharing, the process of securing such consent should not be turned into an obstacle course or a means of frustrating consumers’ desires.
Finally, the bureau should make clear that data aggregation itself is a consumer financial product or service and establish the bureau’s supervisory jurisdiction over data aggregators. The Financial Health Network’s 2020 survey indicates that most consumers who have consented to share their financial data with a fintech app do not understand the role that data aggregators play in the process, let alone realize that data aggregators may be pulling and retaining all of the data that is available to them rather than pulling and transmitting only those data needed for the fintech app to serve the consumer.
Although we strongly support the concept of data minimization, we recognize that Section 1033 does not speak to the obligations of data aggregators or users. Further, although one industry consortium has sought to define use cases for data access and the data elements needed for each use case, such use cases and ground rules are not easily handled or changed through prescriptive regulations.
Even embodying data minimization as a regulatory principle could embolden data holders to restrict data access in ways that would thwart consumers’ rights. We thus believe that the soundest approach is for the CFPB first to establish its supervisory jurisdiction, which would over time enable the bureau to formulate supervisory expectations regarding data access and retention.
Establishing these principles in a streamlined rulemaking will address the largest pain points in the current data ecosystem and enable Section 1033 to deliver on its promise to consumers and to competition.