FPF Response to CFPB Data Portability Proposal
In response to the Consumer Financial Protection Bureau’s (CFPB) request for comment regarding data portability for financial products and services, the Future of Privacy Forum filed comprehensive comments and recommendations, urging the Bureau to craft balanced, informed privacy rules that protect individuals’ personal information while enhancing trust in the privacy and security of emerging data portability mechanisms in this space.
The request is an initial step for the CFPB, which is expected to launch a rulemaking on this issue under the Dodd-Frank Act later this year; the rulemaking will likely implicate practices such as peer-to-peer payments, tax filings, and wealth management services.
In our submission, FPF provides more than 20 specific recommendations to the CFPB, reflecting FPF’s expertise in this area and in the interplay of developing business practices and technology. Key recommendations include:
- Phasing out and eliminating the use of screen scraping—whereby a company uses a consumer’s log-in credentials to access a bank or card issuer website;
- Requiring all parties to implement security programs commensurate with their size and scale;
- Encouraging development of shared service platforms to manage notices and consents;
- Establishing clarity surrounding the responsibilities of data providers (banks), data receivers (fintechs), and aggregators, which also improves regulatory oversight models;
- Requiring opt-in consent for secondary uses of data, with a proposed definition for these uses;
- Leveraging other regulatory models like HIPAA for data retention and retrieval; and
- Supporting and strengthening industry governance and technical standards.
The CFPB’s regulatory activities are likely to clarify roles and obligations that will lead the way for advancements in data portability in the financial sector. Together, clearer roles and policies can create simpler, more consistent, and safer consumer experiences. FPF looks forward to continued progress on these important topics, which can also advance thought leadership about data portability and open data across other industry sectors.
Our comments are supported by over a year of meetings and outreach with leaders in banking, credit management, financial data aggregators, and solution providers to comprehensively understand the developing industry of open banking. In 2022, FPF organized an event on open banking with the Organization for Economic Co-Operation and Development (OECD), which was attended by important regulators and key industry players representing many jurisdictions. FPF distributed a paper at the event, Data Portability in Open Banking: Privacy and Other Cross-Cutting Issues, detailing how different jurisdictions’ laws impacted open banking activities and intersected with data protection law, including issues surrounding consent, security, and data subject portability rights.