On October 18, the Consumer Financial Protection Bureau (“CFPB” or “Bureau”) entered into the long simmering debate over consumer-authorized data sharing.  This debate pits mainstream financial institutions, which are typically reticent to share customer data with third parties, against data aggregators and other fintechs.  Those newer companies provide services directly to consumers—or to enhance the consumer experience—and rely on data from mainstream institutions in order to do so.  Both sides are grappling with complex issues surrounding consumer information, including who owns consumers’ financial data, as well as how it can be used, shared, and kept secure.

The CFPB released a set of nine consumer protection principles to address those issues and “help safeguard consumer interests as the consumer-authorized aggregation services market develops.”  While pointedly refusing to ease any existing regulatory burden currently on the banks to ensure safety and privacy, the Bureau has now articulated a yet-to-be fully defined set of requirements for traditional financial institutions to cooperate with demands for openness.  Each consumer right embedded in these requirements implies a financial institution obligation, in some cases with considerable associated cost and operational disruption.

The release follows a November 2016 Request for Information where the CFPB asked stakeholders to weigh in on the challenges consumers face in accessing, using, and securely sharing their financial records.  The CFPB also released a 12-page report that summarized stakeholder insight and informed development of the following principles:
Continue Reading The CFPB Releases Data Sharing Principles, Setting Off A New Round of Controversy