On October 18, the Consumer Financial Protection Bureau (the “CFPB”) released the Consumer Protection Principles: Consumer-Authorized Financial Data Sharing and Aggregation (the “Principles”).
The Principles represent a cautious step forward by the CFPB in providing guidance on how institutions holding customer accounts (such as banks) should share information with service providers, including “fintech” companies that obtain customer authorization to access their account information in order to provide services such as fraud screening, identity verification, personal financial management and bill payment. While U.S. regulators have expressed support for providing consumers with access to useful services and fostering competition in the financial services sector, additional sharing of data and the increase in data access points also creates additional risks from a cybersecurity and privacy perspective. In contrast to some jurisdictions, U.S. regulators continue to take a “wait-and-see” approach to new regulation in this space rather than pursuing a comprehensive, highly-prescriptive approach. While this gives industry time to continue working towards a self-regulatory solution that will be flexible and market-based, it leaves open for the moment questions about an uneven playing field for different market participants and whether consumer information is adequately protected by current market practices during this period of rapid change.
Please click here to read the full alert memorandum.