The CFPB’s Laser Focus on Consumer Protections Continues

The Consumer Financial Protection Bureau’s (CFPB) announcement last week around data sharing and data aggregation is fascinating – not so much in connection with the main principles that are laid out (more on that below) but with respect to the laser focus they are placing on consumer protection.

By way of background, consumer protection concerns are what initially drove the CFPB approximately a year ago to issue an RFI about consumer access. Back in late 2016, the CFPB’s RFI stated its interest was to “assist market participants and policymakers to develop practices and procedures that enable consumers to realize the benefits associated with safe access to their financial records, assess necessary consumer protections and safeguards, and spur innovation.” Now they are releasing their main principles, while also listing out a summary of stakeholder insights and slightly more detailed list of 72 comments that they received from groups such as NACHA, the ABA, the Financial Services Roundtable, US PIRG, the Consumers Union, the Center for Financial Services Innovation, the Electronic Transactions Association, as well as numerous banks and fintech companies.

Since they first embarked on this project, the CFPB has been forced into the middle of the post-Equifax data breach situation. Unfortunately, that incident continues to plague how identities are verified, how consumer authentication will have to change, and how consumer protection has been transformed from a side topic relegated to the payments and security communities to something people are asking about on mainstream news programs and websites. So whereas some readers might have thought a year ago that this project wasn’t germane or significant, in a post-Equifax world, I’d argue that many of those individuals will think differently of this guidance

This blog won’t dive into the details around each of the CFPB’s“7 Principles” (which are Access, Data Scope and Usability, Control and Informed Consent, Authorizing Payments, Security, Access Transparency, and Accuracy) since those concepts are well-ensconced in existing frameworks such as COBIT 5, ISO 27001, PCI-DSS, and other similar structures that have existed for many years. But what is good to see is that one of the key (although somewhat buried) concepts that is worth highlighting is that these seven principles are not meant to exist in a vacuum or independently but rather “are intended to be read together.” This is not to be taken for granted, as it is not uncommon for people using such structures as a mechanism to fill individual “holes” in their risk management environment and approach. Moreover, this reiteration of an existing set of over-arching principles makes it crystal-clear to industry that the risk management work they are doing is on track.

The overall political environment may leave some concerned that the CFPB may not be around long enough to bring these Principles to reality from an enforcement point of view. Then again, that’s not the point with this latest announcement. The underlying hope behind this release is that providers of aggregation and other data-sharing services/products will increasingly look to these Principles in order to plan their market moves, consider their need to be compliant, and map those items against the market opportunity they continue to pursue in leaps and bounds.

Regardless of the future of the CFPB, it is good to see that as it continues its watchdog status on consumer protections, that it does so in a way that is aligned with other frameworks and structures that have existed in the US and abroad.