In a comment letter to the Consumer Financial Protection Bureau today, ABA offered several recommendations for protecting consumers’ financial information when it is being voluntarily shared with third party data aggregators. The CFPB launched an inquiry amid the ongoing debate about “screen scraping,” a process by which consumers provide their online banking credentials to a third-party app or tool.
Currently, consumers face significant fraud, security and compliance risks when turning over their personal financial data or account credentials to a third party. ABA pointed out that in many cases, consumers are not provided sufficient information on how their data is being used, by whom, and for how long. In addition, consumers may not be fully aware of the differences in data protection standards between banks and non-bank entities, ABA added. Third-party financial aggregators often limit their own liability for loss, putting that risk on the consumer.
“ABA believes that innovations in financial services can provide consumers with tremendous value,” the letter said. “By addressing both the opportunities and risks, we have the ability to give consumers innovative services that they can trust. We believe that the specific steps outlined… provide the base upon which to build to provide the security, transparency and control for consumers so they can unlock the true potential of fintech and take charge of their financial future.”
Specifically, the association recommended that the CFPB ensure that consumer data be subject to the protections provided by the Gramm-Leach-Bliley Act regardless of whether it is held by a bank or third party; require third parties to provide clear, detailed disclosures about how data will be used; and give consumers the ability to control the information being shared.
ABA further urged the bureau to take steps to close existing regulatory gaps and ensure consumer protection, such as clarifying that requirements of the GLBA and the Electronic Funds Transfer Act apply to data aggregators, ensuring that data aggregators are held to the same data protection and notification standards as banks, and identifying and supervising “large participants” within the financial data aggregation market.