Washington, D.C. – BPI commented today on the Consumer Financial Protection Bureau’s Outline of Proposals addressing consumer data portability. This is part of an effort to implement Section 1033 of the Dodd-Frank Act, which seeks to establish a framework under which consumers can authorize third parties to safely collect their personal financial data subject to clear terms, requirements and limitations.
What BPI is saying:
“BPI supports consumers’ ability to obtain their account and transaction data and connect with third-party applications so long as their financial information remains secure when it leaves the safety of a regulated financial institution,” stated Paige Pidano Paridon, senior vice president and senior associate general counsel. “All nonbank entities operating in the ecosystem must be required to provide the same data and privacy protections as banks and be subject to CFPB supervision and examination.”
The CFPB began the process of promulgating Section 1033 in October 2016 after issuing a request for information. Since then, it has hosted several symposia, published a set of principles and issued an advanced notice of proposed rulemaking. The Outline of Proposals aims to solicit feedback from small businesses and other entities that may be affected by an eventual rulemaking.
BPI believes that the final rule should be principles-based — rather than overly technical — to account for quickly evolving advances in the market and should codify the following principles:
- Consumers must have transparency into — and control over — where, how and the extent to which their data is shared. Around 80% of consumer respondents were unaware that third-party app providers gather users’ financial data and 78% were unaware that aggregators have access to personal data even when the app is closed or deleted, according to a recent survey.
- Data must be secure and protected with bank-like safeguards no matter where it resides.
- Any entity that causes harm to a consumer is responsible for remedying the harm. For example, if a data aggregator is hacked and a consumer’s data is accessed and used to engage in fraudulent activity, the data aggregator should be liable for that breach.
- The CFPB should establish a date certain to ban screen scraping to encourage the transition to safer alternatives, like application programming interfaces.
What are the next steps?
The CFPB will review comments and will convene a panel under the Small Business Regulatory Enforcement Act in early February. Feedback received during this process will result in the CFPB issuing a report. The CFPB will then initiate the formal rulemaking process through a notice of proposed rulemaking.
Additional reading: To learn more about this topic, visit the following links:
- BPI Responds to CFPB Launch of Section 1033 Rulemaking
- BPI Responds to Consumer Financial Protection Bureau ANPR on Consumer Access to Financial Records
- A Short Prescription for Ensuring Responsible Open Banking in the United States
- BPI Statement Before House Task Force on Financial Technology on Consumer Access to Personal Financial Data
- Data Aggregators Issue Summary
- BPI Welcomes CFPB Resolve to Verify Big Tech Consumer & Data Safeguards
- Summary: BPI/TCH Symposium on The Future of Consumer Financial Data Access: Implementing Section 1033 of the Dodd-Frank Act
About Bank Policy Institute.
The Bank Policy Institute (BPI) is a nonpartisan public policy, research and advocacy group, representing the nation’s leading banks and their customers. Our members include universal banks, regional banks and the major foreign banks doing business in the United States. Collectively, they employ almost 2 million Americans, make nearly half of the nation’s small business loans, and are an engine for financial innovation and economic growth.