Hints of Banking API Regulations From CFPB With Consumer Authorized Financial Data Sharing And Aggregation Rules
27 Nov 2017
The Consumer Finance Protection Bureau (CFPB) has started laying out some consumer-authorized data sharing and aggregation rules to begin moving forward the banking data scraping conversation in (hopefully) a more production way. It is common knowledge that many financial focused (Fintech) companies regularly access consumers account data using their credentials, so that they scrape relevant account information from their bank, for use in a wide variety of 3rd party tools. This is a common practice that everyone in the industry knows about, understands is a potential security and privacy risk, but everyone looks the other way because it adds value to the consumer ecosystem.
In a perfect world each bank would have a public API portal where Fintech aggregators could come and sign up for application keys, and get the authorization of users via OAuth, and obtain access to their banking data in a secure, and accountable way. However, as we are well aware, we do not live in a perfect world, and banks are pretty resistant to change, so the scraping continues. At some point we are going to see the landscape begin to shift, and I’m guessing it will be at the regulatory level where we finally begin to see this behavior changed–making the CFPB’s rules announcement a reflection of what is coming down the pipes when it comes to banking API regulation.
The consumer protection principles for consumer-authorized financial data sharing and aggregation announcement focuses on:
- Access - Consumers are able, upon request, to obtain information about their ownership or use of a financial product or service from their product or service provider. Such information is made available in a timely manner. Consumers are generally able to authorize trusted third parties to obtain such information from account providers to use on behalf of consumers, for consumer benefit, and in a safe manner. Financial account agreements and terms support safe, consumer-authorized access, promote consumer interests, and do not seek to deter consumers from accessing or granting access to their account information. Access does not require consumers to share their account credentials with third parties.
- Data Scope and Usability - Financial data subject to consumer and consumer-authorized access may include any transaction, series of transactions, or other aspect of consumer usage; the terms of any account, such as a fee schedule; realized consumer costs, such as fees or interest paid; and realized consumer benefits, such as interest earned or rewards. Information is made available in forms that are readily usable by consumers and consumer-authorized third parties. Third parties with authorized access only access the data necessary to provide the product(s) or service(s) selected by the consumer and only maintain such data as long as necessary.
- Control and Informed Consent - Consumers can enhance their financial lives when they control information regarding their accounts or use of financial services. Authorized terms of access, storage, use, and disposal are fully and effectively disclosed to the consumer, understood by the consumer, not overly broad, and consistent with the consumer’s reasonable expectations in light of the product(s) or service(s) selected by the consumer. Terms of data access include access frequency, data scope, and retention period. Consumers are not coerced into granting third-party access. Consumers understand data sharing revocation terms and can readily and simply revoke authorizations to access, use, or store data. Revocations are implemented by providers in a timely and effective manner, and at the discretion of the consumer, provide for third parties to delete personally identifiable information.
- Authorizing Payments - Authorized data access, in and of itself, is not payment authorization. Product or service providers that access information and initiate payments obtain separate and distinct consumer authorizations for these separate activities. Providers that access information and initiate payments may reasonably require consumers to supply both forms of authorization to obtain services.
- Security - Consumer data are accessed, stored, used, and distributed securely. Consumer data are maintained in a manner and in formats that deter and protect against security breaches and prevent harm to consumers. Access credentials are similarly secured. All parties that access, store, transmit, or dispose of data use strong protections and effective processes to mitigate the risks of, detect, promptly respond to, and resolve and remedy data breaches, transmission errors, unauthorized access, and fraud, and transmit data only to third parties that also have such protections and processes. Security practices adapt effectively to new threats.
- Access Transparency - Consumers are informed of, or can readily ascertain, which third parties that they have authorized are accessing or using information regarding the consumers’ accounts or other consumer use of financial services. The identity and security of each such party, the data they access, their use of such data, and the frequency at which they access the data is reasonably ascertainable to the consumer throughout the period that the data are accessed, used, or stored.
- Accuracy - Consumers can expect the data they access or authorize others to access or use to be accurate and current. Consumers have reasonable means to dispute and resolve data inaccuracies, regardless of how or where inaccuracies arise.
- Ability to Dispute and Resolve Unauthorized Access - Consumers have reasonable and practical means to dispute and resolve instances of unauthorized access and data sharing, unauthorized payments conducted in connection with or as a result of either authorized or unauthorized data sharing access, and failures to comply with other obligations, including the terms of consumer authorizations. Consumers are not required to identify the party or parties who gained or enabled unauthorized access to receive appropriate remediation. Parties responsible for unauthorized access are held accountable for the consequences of such access.
- Efficient and Effective Accountability Mechanisms - The goals and incentives of parties that grant access to, access, use, store, redistribute, and dispose of consumer data align to enable safe consumer access and deter misuse. Commercial participants are accountable for the risks, harms, and costs they introduce to consumers. Commercial participants are likewise incentivized and empowered effectively to prevent, detect, and resolve unauthorized access and data sharing, unauthorized payments conducted in connection with or as a result of either authorized or unauthorized data sharing access, data inaccuracies, insecurity of data, and failures to comply with other obligations, including the terms of consumer authorizations.
Smells like a PSD2-esque set of API standards are on the horizon for the U.S. Ideally this is something the banks would see as an opportunity, rather than a regulatory thing, but I understand how hard-headed they are. I’m spending some time over the next month or two getting up to speed more on where we stand with the PSD2 rollout, as well as the GDPR rollout in the EU. Both of these efforts provide us with a blueprint to follow here in the US. Obviously it is a much different regulatory and banking environment here, but there are still plenty of lessons to consider, and think about as agencies like the CFPB get to work on this topic.
All nine aspects of this latest announcement from the CFPB reflect what APIs are all about. We have the blueprint for tackling this problem head on in use across the tech sector already. This isn’t a technology problem, this is a business and politics problem. It would make sense for a savvy bank (cough, cough Capital One) to get ahead of this one and be the Amazon Web Services of the banking space and set the standard for how data aggregation and sharing occurs. Define the open blueprint for how consumer data is accessed and put to work in the banking ecosystem, gain teh competitive advantage when it comes to Fintech tooling servicing the space, and make all the other banks play catch up. As usual, I’ll keep an eye on what the banks are up to (not much), and look out for more movement from the federal government on this issue, and report back anything I find.