CFPB Issues Consumer Protection Principles for Consumer-Authorized Financial Data Sharing and Aggregation

Published: Oct. 25, 2017

Updated: Nov. 07, 2023

After much anticipation, the CFPB released guidance on October 20, 2017 regarding the consumer protection implications of financial data sharing and aggregation services. In these new principles, the CFPB expresses strong support for such offerings, which it sees as “hold[ing] the promise of improved and innovative consumer financial products and services, enhanced control for consumers over their financial lives, and increased competition in the provision of financial services to consumers.” This, on the whole, is good news for data aggregators and those who obtain data from such services as the CFPB report has generally given the green light for companies to continue to innovate in this area. And it has done so with a fairly light touch, without issuing the types of onerous regulatory oversight that the traditional banking industry had been seeking.

The CFPB notes, however, that there are “significant consumer protection challenges to be considered—particularly with respect to data privacy and security.” Accordingly, the CFPB has provided nine “Consumer Protection Principles” that set forth “the Bureau’s vision for realizing a robust, safe, and workable data aggregation market.” Although the CFPB clarifies that the principles are intended to neither have legal effect nor set out enforcement priorities, companies offering financial data aggregation services (and those entities who are obtaining data from such aggregators) should bear these principles in mind.

  1. Access – Consumers are able to access financial services’ information about them and authorize trusted third parties to access that information.
  2. Data Scope and Usability – Information to which consumers have access includes interest, benefits, rewards, and transactional information, and is accessible in “readily usable” formats.
  3. Control and Informed Consent – Data practices are well noticed, and consumer authorization for third party data access is uncoerced and revocable.
  4. Authorizing Payments – Payment authorizations are “separate and distinct” from data access authorizations.
  5. Security – Consumer data is properly secured to protect against fraud, data breaches and other security risks, and only transmitted to third parties with similar protections.
  6. Access Transparency – Consumers can ascertain which third parties have access to their data and what those entities are doing with their data.
  7. Accuracy – Consumers can expect accessible data to be accurate and current, and can dispute data inaccuracies.
  8. Ability to Dispute and Resolve Unauthorized Access – Unauthorized data access and payments are remediable by consumers.
  9. Efficient and Effective Accountability Mechanisms – Incentives of companies are aligned with proper data practices.