On October 18, 2017, the Consumer Financial Protection Bureau (CFPB) issued a set of Consumer Protection Principles regarding the sharing and aggregation of consumers’ financial data. The timing of the announcement in light of last month’s disclosure of the Equifax breach of approximately 140 million consumers’ financial data seems noteworthy, as all companies whose businesses rely on the consumer-authorized financial data market are scrambling to regain consumer trust.

Noting the “growing market” for consumer-authorized financial data aggregation services, the CFPB has promulgated nine principles which, in the words of CFPB Director Richard Cordray, “express [the Bureau’s] vision for realizing an innovative market that gives consumers protection and value.” (See CFPB press release).

Many of the principles themselves will be familiar to anyone who has paid attention to consumer privacy discourse over the last 30+ years. They are in many ways a restatement of the OECD Guidelines, published in 1980 by the Organisation for Economic Co-operation and Development, but with a few useful additions. The “new” CFPB principles include time-tested privacy principles of:

  1. informed consent & control over data sharing;
  2. notice and transparency regarding the third parties’ access to and use of consumer data;
  3. data quality & accuracy and the right of consumers to dispute inaccuracies;
  4. an expectation of security and safeguards to protect consumer data;
  5. a right of access by consumers to their own data; and
  6. accountability to the consumer for complying with the foregoing principles.

In addition, however, the CFPB principles contain some fairly specific guidance that is particularly useful in the context of financial data and may have a significant impact on the way financial data is gathered, marketed and retained. For example, the CFPB Principles contain a specific principle (#4) regarding payment authorization:

  • Authorizing Payments. Authorized data access, in and of itself, is not payment authorization. Product or service providers that access information and initiate payments obtain separate and distinct consumer authorizations for these separate activities. Providers that access information and initiate payments may reasonably require consumers to supply both forms of authorization to obtain services.

The above principle is one of several that illustrate the CFPB’s disapproval of broad, open-ended consents from consumers, favoring instead tailored, purpose-specific access. Principle #2 (Data Scope and Usability) is another example of this theme. It reads in part, “Third parties with authorized access only access the data necessary to provide the product(s) or service(s) selected by the consumer and only maintain such data as long as necessary.”

It remains to be seen how these principles might be applied to data collectors like credit bureaus, which in many cases hold consumer data for a consumer’s entire lifetime. The CFPB’s press release emphasized that the principles are not intended to supersede or interpret any existing consumer protection statutes or regulations and that they are not binding. Still, they do provide a window into the CFPB’s mindset and the likely trend for future regulation.

Last Monday, October 24, Consumer Financial Protection Bureau (CFPB) Director Richard Cordray spoke on the Bureau’s approach to FinTech at Money 20/20, a conference focused on payments and financial service innovation.  In his remarks, Cordray focused on responding to criticism of the CFPB’s enforcement actions against FinTech start-ups and appeared to warn large financial institutions about limiting access to financial data.  The Bureau also released the first report on “Project Catalyst,” the CFPB’s effort to facilitate innovation in consumer financial products and services.

Cordray began by stating that the Bureau’s enforcement actions against FinTech providers “should not be misread or overread.”  Cordray characterized these actions as not aimed at stifling innovation, but rather addressing “basic meat-and-potatoes issues such as companies that promise one thing to their customers and then do something quite different.”  For example, in March 2016, the CFPB imposed a $100,000 penalty on Dwolla, an online payment platform accused of deceiving customers by claiming that its data protection methods “exceeded industry standards.”

Later, Cordray appeared to rather bluntly warn banks against limiting access to customers’ financial data from FinTech providers with whom customers do business.  For example, some banks and FinTech firms have clashed over the practice of “screen scraping”—a technology that allows financial advisors and other FinTech companies to collect financial data of willing consumers through their bank’s website.  Some large banks have reportedly attempted to limit screen scraping, citing security concerns.  While Cordray recognized that allowing such access can “raise various issues,” he nonetheless expressed that the Bureau is “gravely concerned by reports that some financial institutions are looking for ways to limit, or even shut off, access to financial data rather than exploring ways to make such access, once granted, is safe and secure.”

In what could signal potential future regulation or enforcement activity, Cordray made clear that the Bureau “believes consumers should be able to access this information and give their permission for third-party companies to access this information as well” and that the Dodd-Frank Act supports this position.  In Cordray’s view, Congress specified that consumers should be able to access, in a usable electronic form, their financial information maintained by financial institutions.  Further, in its Project Catalyst report, the Bureau noted that it is working to achieve a “level playing field” for all market participants.

The Project Catalyst report also outlines several areas of consumer finance that the Bureau believes hold potential for consumer benefit.  Most revolve around increasing access to “underserved consumers,” like “unbanked” households and individuals with poor or no credit scores.  In addition to increasing consumer-permissioned access to financial data, the report highlighted efforts by FinTech companies such as:

  • Entering the student loan market to offer high-rate borrowers opportunity to refinance at lower rates;
  • Improving mortgage loan servicing such as through the use of machine learning to detect at an earlier stage when borrowers are likely to suffer financial distress;
  • Assisting with “cash flow management” to help consumers smooth uneven or unexpected changes in income, avoid overdrafts, and reduce reliance on short-term credit; and
  • Making peer-to-peer payment systems that bypass existing reliance on bank accounts or other networks more consumer friendly.

As FinTech providers continue to develop innovative financial products and services, we will continue to follow the Bureau’s efforts to navigate and regulate this evolving space.

On September 9, 2016 the Federal Financial Institutions Examination Council (FFIEC) updated its Information Security Booklet (available here).  In addition to certain editorial non-substantive changes, the modifications include revisions to IT risk management and information security processes, and updated examination procedures in Appendix A to help examiners evaluate an institution’s culture, governance, information security program, security operations, and assurance processes.  Affected institutions include those regulated by prudential regulators in addition to those regulated by the Consumer Financial Protection Bureau (CFPB), which is a member of FFIEC and has been increasing its scrutiny of consumer-facing “financial technology” or “fintech” firms (on September 27, the CFPB also noted that its consumer complaint database had hit the 1 million-complaint mark).

Compliance, internal audit and cybersecurity professionals in affected institutions should in particular take note of updated Appendix A to the booklet, which lays out the following 11 objectives for examiners.

  1. Determine the appropriate scope and objectives for the examination.
  2. Determine whether management promotes effective governance of the information security program through a strong information security culture, defined information security responsibilities and accountability, and adequate resources to support the program.
  3. Determine whether management of the information security program is appropriate and supports the institution’s IT risk management process, integrates with lines of business and support functions, and integrates third-party service provider activities with the information security program.
  4. As part of the information security program, determine whether management has established risk identification processes.
  5. Determine whether management measures the risk to guide its recommendations for and use of mitigating controls.
  6. Determine whether management effectively implements controls to mitigate identified risk.
  7. Determine whether management has effective risk monitoring and reporting processes.
  8. Determine whether management has security operations that encompass necessary security-related functions, are guided by defined processes, are integrated with lines of business and activities outsourced to third-party service providers, and have adequate resources (e.g., staff and technology).
  9. Determine whether management has an effective information security program.
  10. Determine whether assurance activities provide sufficient confidence that the security program is operating as expected and reaching intended goals.
  11. Discuss corrective action and communicate findings.

Incorporating these objectives into information security programs will assist affected firms in structuring, monitoring and evaluating IT security risks in accordance with FFIEC standards.

Earlier this month, the Consumer Financial Protection Bureau (CFPB) issued its proposed rule amending the Gramm-Leach-Bliley Act’s annual privacy notice requirement set forth in Regulation P.

The rule is in response to Congress’ December 2015 amendment to the act, which eliminated the need for certain companies to provide annual privacy disclosures to consumers.  Under the amendment, the annual notice requirement is eliminated for any financial institution that:

  1. Limits its sharing so the customer does not have the right to opt out; and
  2. Has not changed its privacy notice since the one most recently delivered to the customer.

If adopted, the proposed rules would create a 60-day deadline for financial institutions to provide an annual notice if they have changed their policies and practices so as to lose the annual notice exception.  The proposed changes would also remove the rule implemented in 2014 that permits alternative annual notice delivery methods, because any party that meets the criteria for alternative delivery will also meet the criteria set forth in the new rule that permits the institution to forgo providing the annual notice altogether.

The proposal does not affect the requirement that financial institutions provide an initial privacy notice to new customers, and it does not exempt the financial institution from providing any disclosures required by the Fair Credit Reporting Act in association with affiliate information sharing.

Comments may be submitted electronically or by mailing or delivery to the CFPB.

Last week, President Obama proposed wide-reaching legislation to establish a uniform, nationwide standard for data breach notifications that envisions a significant enforcement role for the Consumer Financial Protection Bureau (CFPB). The proposal, titled the Personal Data Notification and Protection Act, can be found here. In terms of the types of covered data, the White House proposal significantly expands on prior breach notification bills. The proposal, however, includes certain exemptions from the individual notice requirements that apply to small businesses and to breaches that do not pose a reasonable risk of harm to the affected individuals. The proposal designates the Federal Trade Commission (FTC) as the primary enforcement agency with broad rulemaking authority, but requires the FTC to coordinate with the CFPB where the data breach relates to “financial information or information associated with the provision of financial products or services.” The proposal would also preempt state law data breach notice procedures.

The President’s bill broadly defines the categories of covered data and further groups them into data that is sensitive on its own, or sensitive in combination with other data elements. The result is a proposal that applies to a wider range of data breaches as compared to prior, similar bills. For example, in a departure from previous bills, the White House proposal requires businesses to comply with notice requirements where the disclosure consists solely of driver’s license or passport numbers. Prior bills triggered notification only where the disclosure of driver’s license or passport numbers was accompanied by the individual’s name.

Other notable business requirements of the proposal include, but are not limited to, the following:

  • 30-day notice to individuals
  • Individual notice by mail, telephone or, under certain conditions, email
  • Media notice where the breach affects more than 5,000 individuals in a single state
  • Notice to the federal government under certain circumstances, including where the breach involves more than 5,000 individuals
  • Notice to credit reporting agencies where the breach involves more than 5,000 individuals

Businesses that do not access, store, or use covered data for more than 10,000 individuals during a 12-month period are exempt from the individual notice requirements. Likewise, a business that conducts a “risk assessment” concluding that the data breach did not result in, and will not result in, harm to affected individuals is also exempt from the individual notice requirements. To qualify for this safe harbor protection, within 30 days of discovery of the breach, the business must notify the FTC of the results of its “risk assessment” and its intent to invoke the safe harbor.

On October 17, 2014, before an audience at the Consumer Financial Protection Bureau (“CFPB”), President Obama announced the launch of the Buy Secure initiative.  This initiative is designed to provide consumers with more tools to secure their financial information in the wake of massive data breaches among national retailers by assisting victims of identity theft, improving the Government’s payment security as a customer and a provider, and accelerating the transition to stronger security technologies and the development of next-generation payment security tools.

As the first part of this initiative, the President signed an Executive Order – “Improving the Security of Consumer Financial Transactions” – that takes critical steps to protect consumers’ financial security and confidence in the marketplace.