The Consumer Financial Protection Bureau (CFPB) has launched an inquiry into the way financial data is used in consumer transactions. The federal consumer watchdog is seeking public feedback about how confident consumers are in whether or not their data is secure.
"Consumers should be able to use their financial records and account information and securely share access in an electronic format," said CFPB Director Richard Cordray on November 17. "Technology provides opportunities to use these records to create new consumer tools that help improve financial lives. To realize that potential, we are launching a public inquiry into how much control consumers have over their records and how easy and secure it is for them to share their records with third parties."
When anyone with a bank, brokerage, credit card or other financial account makes a transaction, he creates a new financial record --one that is maintained by the account providers. As these records have moved from paper to digital, where information is kept in a data base rather than a file cabinet, data aggregators and similar firms are using that information to create and sell new products--not necessarily to the benefit of people whose data they are exploiting. These firms may not only be involved in creating new financial products, but in mining data that enables banks to sell them to existing customers or troll for new ones.
By the same token, the CFPB has noted that some financial institutions are thwarting access to customer data that keeps new, competing firms from creating better products. The CFPB has rulemaking authority over the use of this data.
"Consumers should be able to access their financial records and have the choice to use that information for their own benefit," said Cordray. "However, the Bureau has heard concerns about ways that financial institutions may make it difficult or impossible for consumers to allow others to access and use their digital financial records."
Security is the paramount issue. The Bureau, Cordray said, "has heard concerns from some financial institutions that providing third-party companies with access to records may compromise consumer privacy or put consumers' funds and account relationships at risk." The CFPB's inquiry asks about options for ensuring that financial records are securely obtained, stored, and used.
"Consumers who allow third-parties to access and use their financial records need to know and control how their records will be used by these parties," said Cordray. "However, the CFPB has heard concerns that information and control are not uniformly provided across the market."
"I think there are several worthy issues here from a consumer point of view," said Lee Tien, senior staff attorney at the San Francisco-based Electronic Frontier Foundation. "The big ones are data security, and data privacy, given the data breaches we see across all sectors. FTC (Federal Trade Commission) has been active here but financial information is highly sensitive. The risk from loss of passwords or other access control mechanisms is severe, given how people reuse passwords. In the past, though perhaps less so today, it wasn't rare for us to hear about online accounts being poorly protected."
"Breaches are bad for privacy as well," Tien added, "but the more complex privacy issue involves where one's data goes, either under statutorily approved sharing, like with affiliates, or a specific consent from the consumer. You usually don't know exactly who is getting it."
Even if there is user consent, Tien said, the specific data involved is never really known--nor is the ability to learn what happened to it. Chasing data down a plethora of rabbit holes will be a heavy lift for the CFPB, which is facing a advent of a new White House administration that could lead to fundamental changes at the Bureau.
The CFPB's Request for Information can be found at here.
The CFPB's comment period on this public inquiry ends 90 days after it is posted on the Federal Register.