Consumers who let budgeting apps or payment platforms access their banking data shouldn’t feel as “powerless” about how that information is used if a pending regulation works as planned, said the head of the Consumer Financial Protection Bureau.
The bureau is working to finish a long-awaited rule that would make it easier for people to share information about their bank accounts and other sensitive data that financial institutions store and protect. Opening up this data to online financial tools promises to boost competition, though it also raises risks that people’s information could be misused.
“I do worry that there’s a broader sense of powerless[ness] that both businesses and consumers feel when it comes to just turning over all their data,” CFPB Director Rohit Chopra said in a July 22 interview.
For consumers to get the most out of a free-flowing information environment, they’ll need a better handle on how their financial data is used and what they’re agreeing to when a company asks permission to see their data, Chopra said. The bureau is developing a regulatory framework that would allow consumers to have more control, and more choice, without creating what Chopra called “an underworld” where companies try to monetize access to financial data.
The CFPB this fall is expected give the first glimpse of its rule to let people safely share access to sensitive financial information, in part by using a common digital infrastructure.
“That is the future,” said Jeremy Grant, a former federal cybersecurity official who’s now managing director of technology business strategy at law firm Venable LLP. “Rather than sharing a credential, I can log into my bank account and tell my bank to let a third-party app access certain data. It empowers consumers to have more control over data in a way that’s more secure.”
Making data more portable, as an open banking system would, ensures that a single firm can’t hold a monopoly over it, says the Information Technology and Innovation Foundation.
“The point of data portability is making sure there’s not exclusive access to data,” agreed Daniel Castro, vice president of the foundation and director of the Center for Data Innovation.
But there are significant risks that CFPB needs to guard against, said Karen Shaw Petrou, managing partner of Federal Financial Analytics. And they’ve grown more ominous since the idea of open banking was proposed as part of the post-financial crisis Dodd-Frank law.
Enter Big Tech
Forays into financial services by Google parent Alphabet Inc., Facebook parent Meta Platforms Inc., and Apple Inc., raise the specter of tech companies with such access leveraging details like a consumer’s transaction history or account balance to sell them products.
And tech giants combining consumer financial data with search histories and social media posts could let them steer consumers “into unsuitable products that put their financial well-being at risk,” said Petrou.
Chopra called the emergence of big tech companies in the financial services arena “one of the most high stakes questions we have to confront as an industry, as regulators and as a public.”
“It raises a lot of very, very pressing questions, not just about privacy, but about fair competition, transparency and consumer protection,” he told Bloomberg Law.
When a purchase is made using a digital payments platform like Google Pay or Apply Pay, some personal information such as email and mailing address is shared with the merchant the consumer is buying from, according to their privacy notices. It’s typically used for calculating taxes and shipping, or for preventing fraud.
Google says its digital payment service doesn’t sell transaction history to third parties or share it with other Google services for targeted advertising. Facebook similarly says its payment platform doesn’t sell personal information to other parties. Apple Pay transactions aren’t used for advertising purposes, the company says.
Consumers have been freely sharing bank account data with third-party apps and other financial technology in Europe, the UK, Australia, and other places for decades. In the US, consumers already voluntarily share such information with budgeting, payment, and lending apps known as fintechs, drawn by the utility of digital platforms that provide services beyond what banks have traditionally offered. But the options are more restrictive.
Chopra said he’s followed those consumer experiences and has received reports on problems including data security and a lack of transparency, among others.
The 2010 Dodd-Frank Act, in Section 1033, ordered the CFPB to write a data-sharing rule to govern these data flows. While the agency has done some information gathering for the rule, it didn’t release a proposal until October 2020.
The delay was driven in part by other priorities taking precedence—born out of the 2008 financial crisis, the CFPB first tackled mortgage and other regulations intended to prevent abusive practices from bubbling up and putting consumers and the economy at risk—and the sheer complexity of sharing consumer financial data.
The data-sharing rule remains in the works as the issue of open banking interacts with another focus of the Biden administration: how big tech platforms collect and use personal information, including financial records, and its implications for competition.
Chopra, who previously took on Google and Facebook as a member of the Federal Trade Commission, demanded information from tech firms regarding their use of consumer data as one of his first acts running the CFPB.
The information the CFPB collects will help show what happens when consumers use digital wallets or payments platforms on their phones to buy or sell products, which will help inform policy as the 1033 rule moves forward, he said.
The CFPB rule could limit how financial data is shared with third parties and restrict “downstream uses of data” only to certain purposes, Castro said.
The current data-sharing regime relies on consumers clicking to agree with terms of service, often described in legal language that may obfuscate how information is used.
President Joe Biden wants the CFPB to wrap up the open banking rule, he said in a July 2021 executive order on competition. The Bureau says it will provide an outline of the rule to a small business review panel in the fall.
“It will give people a much better sense of what the bureau is thinking and how broad this rule might be,” said Kelly Thompson Cochran, deputy director of the nonprofit FinRegLab, who previously helped build the CFPB and shaped its rulemaking efforts.
Cochran said it’s unclear how a data-sharing policy might work in concert with other related laws like the Gramm-Leach Bliley Act, which sets requirements for securing financial information from data breaches.
The CFPB could also issue a rule to oversee data aggregators like Fiserv, Plaid, and MX, which aggregate consumer data and package it for use by banks and other firms.
By bringing data aggregators under CFPB supervision, agency examiners would be able to police whether consumer data is misused.
“That would be a powerful tool for the bureau to try to influence aggregators’ behavior and understand how data is used and sold,” said Michael Gordon, a Ballard Spahr LLP partner and former CFPB attorney.
Gordon added that this kind of rule would have to be proposed separately from the 1033 rulemaking. So far, it’s not on the CFPB’s official agenda.
Data aggregators that are members of industry group FDATA North America support being put under CFPB supervision, according to Steve Boms, the group’s executive director.
“Whatever the mechanism, aggregators should be supervised,” he said.