Earlier this year, the Consumer Financial Protection Bureau called for comments on the many issues associated with how consumers share bank account data with third-party companies like Intuit’s Mint or Kabbage. In response, leaders at financial institutions generally expressed concern about potential security breaches, while fintech companies generally supported consumers’ demands for access to all of their bank account data on third-party apps.
The result of that inquiry — the CFPB's recently announced non-binding principles on data-sharing — was absolutely the right call. The bureau’s principles made it known that the CFPB is furthering its role as a consumer advocate by permitting bank customers access to their data on the app of their choosing, so long as the process is secure and users have full control over what data does and does not get shared. But the CFPB also did so in the right manner — as guiding principles — rather than as a rule.
While the CFPB was careful to note that the principles were not binding, the industry — including banks, data aggregators and fintech companies — should adopt the bureau’s principles going forward because they provide a mutually understood and defined vocabulary that will allow all parties to work together in a broader fashion in these three crucial areas.
First, security is deservedly a key priority, as the bureau recognized in its principles. A single data breach causes tremendous damage to financial institutions and consumers alike. Therefore, it is crucial for all parties involved in sharing financial data to embrace the most stringent security measures, including a defense-in-depth model, continuous security vulnerability scans, Department of Defense (DoD) shredding techniques upon request or upon end of useful lifecycle, and much more. These and future security measures should be the baseline for any company involved in transmitting financial data. Nothing short of the most stringent security measures will do.
Second, as the financial lives of today’s consumers become more complex, it’s increasingly essential to give consumers full access to their own financial data on whatever app they wish. As the CFPB highlights in its principles, this data includes “any transaction, series of transactions, or other aspect of consumer usage” as well as “the terms of any account, such as a fee schedule; realized consumer costs, such as fees or interest paid; and realized consumer benefits, such as interest earned or rewards.” In addition, the CFPB also says that the data must be accurate.
Third, the principles are flexible in allowing for technological innovation. By establishing broad principles and not mentioning any specific technologies, such as screen-scraping and application programming interfaces, the CFPB is effectively preparing the industry for future innovations that are beyond our current technological understanding. If regulators, say, had adamantly promoted a particular authentication technology a decade ago, then newer authentication models such as Touch ID and Face ID would be held back today. The principles-based approach also avoids the problem of constant amendments, as typically happens with regulations such as the Truth in Lending Act, which has had many amendments to accommodate digital disclosure and online transaction systems.
In short, the broadness of the nine principles underscores the CFPB's understanding of an evolving technological landscape while still providing frameworks for security, growth, and innovation. If banks follow the guidance, the industry will undergo a cultural shift where institutions have to compete on the merits of actively benefitting their account holders rather than fixating on their immediate bottom lines. As a result, citizens will find it easier to prepare for medical emergencies, stay out of debt and contribute to the causes they personally believe in. These outcomes are perfectly aligned with the CFPB’s mission “to make consumer financial markets work for consumers, responsible providers, and the economy as a whole.”
Ultimately, these nine principles from the CFPB deserve the applause of the entire industry for advocating more transparent and accessible data. It’s what the entire financial industry should be tasked with: helping consumers gain real financial strength and winning long-term loyalty in the process.