When you click “I agree” on a website, or on an app on your phone, do you really know what you’re agreeing to?
If you’re like most people, you don’t. And those little afterthought agreements could be handing companies and third parties reams of real-time financial data — information that in the past was only stored at their bank.
Whether it’s to create a budget, get a better handle on managing their finances or try to improve their credit score, consumers are opting for digital applications and giving permission every day to a wide range of companies that gather, analyze, store — and sell — transaction data from their bank accounts.
This practice of consumers giving third parties access to personal financial data is raising legal, ethical and consumer protection issues, including whether consumers actually know how their data is being used when they give consent, and whether consent — in the form of those “I agree” boxes — is truly valid.
“When you start to think about the user experience of consent, and you think about clicking the ‘I agree’ [box] every time you get to a website, the constant bids to verify consent in many cases become white noise,” said Nick Thomas, chief product officer of global open banking at Mastercard and a co-founder as well as the president of Finicity, a Salt Lake City-based financial technology company owned by the credit card network.
A hot-button issue
The Consumer Financial Protection Bureau, led by Biden appointee Rohit Chopra, is now looking into the issue of how much control consumers have and should have over their data, and if Chopra’s past comments are any indicator, the agency is likely to be very skeptical about technology companies’ motives.
Once written, the rule could be one of the most significant policies put in place by Chopra, a former Democratic member of the Federal Trade Commission who previously served as the CFPB’s student loan ombudsman during the Obama administration. Since taking the reins of the bureau in October, Chopra has vowed to steer the agency to a more aggressive, pro-consumer stance.
Under Chopra’s leadership, the CFPB is expected to address a wide range of issues over how consumers control the type and amount of information being accessed by nonbank fintechs and data aggregators. Chief among those issues is establishing what constitutes “informed consent” — whether consumers in fact know how their personal financial information is being used and whether it is being sold for purposes they know nothing about.
Over the past year, the CFPB has been reviewing feedback on its 2020
At a conference of state attorneys general last year, Chopra voiced concern about violations of consumer privacy laws by large technology firms and their impact on consumers.
“What is the connection between data and democracy, between data and consumer protection, between data and fair markets?” Chopra said. “I think that's going to be top of mind for us.”
While the CFPB writes its rule, the FTC is updating its data security rules, potentially touching on the question of informed consent. And Congress is also wading into the matter, which — perhaps surprisingly — has sparked broad bipartisan outrage.
At a congressional hearing in September, the issue of secondary uses of data became a surprise topic when lawmakers on both sides of the aisle questioned why laws and regulations do not prohibit a consumer’s personal financial data from being accessed and sold without their consent.
Rep. Blaine Luetkemeyer, R-Mo., said his constituents were “aghast” and “absolutely horrified” that third parties lacking authorization from a consumer were gaining access to bank account transaction data.
“Let’s be honest here, this is all being done without the consumer’s knowledge,” Luetkemeyer said at the hearing. “This is not OK. The first way to protect people’s privacy is to be honest with them upfront and say ‘this is what’s happening with your information, and people are accessing it unbeknownst to you.’ We’re approaching this from the wrong angle.”
Lawmakers also questioned whether consumers understand, when consenting to certain terms and conditions buried in the fine print, that their data may be used for purposes beyond what was originally intended.
“Consumer data has become so leveraged and holds so much value, that it has also become a very large business asset,” Rep. Warren Davidson, R-Ohio, said at the hearing. “No matter how big the financial industry gets or how much financial technology evolves, the monetary value of consumer data will never be worth more than the fundamental right to privacy. Our Constitution is supposed to protect the right to privacy for every American citizen. And it’s our duty to do that.”
Industry standard
Fintechs and data aggregators are preemptively working to develop internal controls and standards to address the many issues involved in the uses of consumer data, hoping to stave off the need for restrictive laws and rules.
“The industry has made big improvements in a short amount of time by coming together to address the many aspects of consent such as transparency and control,” said Thomas, the Mastercard product chief.
In the meantime, the Financial Data Exchange, a Reston, Virginia, nonprofit that is working on technical standards for the industry, is also trying to bring consistency and transparency around the issue of consumer consent.
Most of the industry’s focus so far has been on crafting technical standards to move away from screen-scraping practices. But the industry also is crafting standards through FDX that companies could adopt — using additional prompts and dashboards — to provide consumers with a clearer understanding of what data is being accessed, by what company, for how long and specifically how it is being used.
Many hope that by adopting its own standards, the CFPB will refrain from dictating stricter requirements. Once the CFPB finalizes a data access rule, FDX has said it will adopt any principles or requirements.
A core feature that may be embedded in consumer notifications is data minimization, or the ability of the consumer to provide access only to the data they need for each specific use. For example, if a consumer gives permission to a budgeting app, that individual likely is under the impression that the financial data is being accessed for that purpose and that purpose only, consumer advocates say.
The CFPB’s rulemaking on data access aims to clarify standards for how fintechs access bank account data. Banks have long objected to screen scraping and increasingly are partnering with aggregators to send data to fintechs using application programming interfaces. Fintechs and data aggregators are slowly shifting from screen-scraping consumers’ bank account data to obtaining it through more efficient and secure APIs. FDX recently reported that 28 million consumer accounts use the FDX API for financial data access, up from 16 million in 2021.
There remain a host of thorny issues concerning what constitutes consumer consent and security of the financial data including for secondary uses.
The notion that most consumers have a specific service in mind when they authorize access to their data came up in a recent congressional hearing when Davidson asked Tom Carpenter, FDX’s director of public affairs and marketing, about data minimization.
“One concept I think is key to the discussion is the idea of data minimization or the idea that companies should collect minimal data to provide the product or service,” Davidson said. “On the other hand, many businesses collect data that is not directly tied to providing the service.”
Carpenter said FDX aims to define data minimization and to assure that implementation through an API is “actually certifiable.”
“The question is, what can we do on the consumer front end to possibly provide that,” Carpenter said. “So that’s an area that we’re looking into.”
FDX has identified seven specific steps and screens — some required, others just recommended to its members — starting with getting permission to access the data, then disclosing the scope of data being accessed in clear, concise language, and selecting a data provider. The other steps involve additional security measures for the consumer to authenticate their identity and provide consent. The final two steps involve authorizing access to the fintech or aggregator and having the consumer agree to a final confirmation notice, according to FDX’s user experience guidelines.
Consumers also could have the option to authorize one-time consent tied to a specific action or digital app. Or they could opt for time-based consent, where a fintech has a specific time frame such as 90 days to access the data, for instance, when applying for a loan.
The process also would include post-consent items and the design of consumer dashboards by banks, aggregators and fintechs so a consumer can view and revoke consent whenever they choose.
Until the CFPB writes a final rule, however, the status quo prevails.
What do consumers know and when do they know it?
Currently, when a consumer clicks an "agree" box to give a third-party access to their personal financial data, that consent typically extends to the secondary uses of the data, experts and industry executives said.
“All of the use of personal data today is consented by the consumer,” said Brian Costello, vice president of data strategy and governance at Yodlee, a San Mateo, California, data aggregator and data analytics platform that connects consumers to more than 1,400 banks and fintechs. Yodlee is owned by Envestnet, a fintech based in Chicago that distributes wealth management products.
Fintechs and data aggregators contend that consumers have a sophisticated understanding of how their data is being used. The proliferation of fintech companies over the past five years has been driven in part by consumers providing their data or login information to their bank accounts in exchange for a free service from a third-party fintech that has a digital app the consumer wants to use.
Embedded in a disclosure contract are terms and conditions that typically give fintechs the right to use the data for a wide range of purposes.
“Sell or license personal data, derive insights and provide those insights — there’s a whole continuum of onward utility and onward transfer,” Costello said.
Data aggregators essentially act as intermediaries between financial apps and banks by providing the “pipes” through which financial apps gain access to a consumer’s financial information. The largest data aggregators today hold sensitive financial information on millions of U.S. consumers.
To be sure, many of the practices lawmakers oppose involve so-called screen scraping, a widely used method of collecting consumer data. Consumers will share their online or mobile banking usernames and passwords with a third-party fintech and that finitech or data aggregator logs on to the website as if they are the consumer and copies the latest data from the consumers’ bank accounts.
Since the dawn of modern-day consumer protection laws, disclosures have become the de facto regulatory tool used by regulators, beginning with the passage of the Truth in Lending Act in 1968.
Still, many experts — and lawmakers from both political parties — have come to believe that providing a lengthy disclosure through an online link provides little or no consumer protection.
“I think we all agree on the importance of protecting consumers’ control over their own financial data,” said Davidson. “But a lot of times industry, in particular, will say, ‘Well, it’s in our terms and conditions.’ But if you print it out, it’s 400 pages and a 6-point font.”
A task force created in 2020 by then-CFPB Director Kathy Kraninger, a Trump appointee, noted that consumers had become overwhelmed “by a blizzard of information and disclosures,” and suggested changes to the regime.
“Disclosure policy should be reviewed and modernized, where appropriate, to facilitate electronic disclosures aimed at providing consumers with the relevant information needed at the moment of decision,” the task force recommended. “Although information can be useful to promote consumer choice and competition, it is equally important that policymakers be cognizant of the limits of consumer attention and that pro forma notice and consent by consumers should not be a substitute for agency action to protect consumers from harm.”
Lawmakers have long
Even so, fintechs and data aggregators say they are disclosing terms and conditions to consumers in the fine print of disclosure agreements — and that most agreements explicitly allow for secondary uses of data. The agreements are done on a company-by-company basis. Still, there is little regulatory oversight over how disclosures are written and how clear they are to ordinary people — beyond presenting a disclosure to a consumer and urging them to read it, little else is legally required.
“If you’re presenting a disclosure and telling the consumer, please read this disclosure before you give the consent, and they hit the button, you’ve done everything you can do,” Costello at Yodlee said. “We put it on the website so that interested consumers — and there are some, thankfully — can go and see it themselves.”
Fintech companies’ business models often are built around the right to use financial data in any way they want. But that model may not be compatible with the CFPB’s upcoming rulemaking, and experts suggest that consumers need to be made fully aware when giving consent at the front end of any transaction how their data will be used or sold, and for what purpose.
“The solution is not more checkboxes,” Thomas said. “It’s important that consumers approve what data they are sharing, who can see it, who can use it — by purpose, and for how long in a clear but not cumbersome way.”
But it also is unclear where consumer data stops belonging to the consumer and starts belonging to the company to which he or she gave consent, particularly if the data being sold is anonymized — that is, aggregate data with personal identifiable consumer information taken out.
Some banks and consumer advocates contend that some of the practices of aggregators, or the fintechs with digital apps that they support, are designed to confuse consumers about who is collecting their information and how it is being used.
Half of U.S. consumers and 95% of deposit accounts are estimated to have signed up for financial apps that rely on unregulated or underregulated data aggregators, according to Kelly Thompson Cochran, deputy director at FinRegLab, an independent research firm that evaluates the use of data and technology. Cochran is a former assistant director of regulations at the CFPB.
Raul Carrillo, an associate research scholar at Yale Law School and deputy director of the Law and Political Economy Project, said meaningful consent cannot exist when the consumer doesn’t know what financial information is being used and by whom.
“Corporate actors often do not even know the purpose of data collection until after they analyze the aggregated data set,” Carrillo said.
An FTC investigation into Yodlee was closed in 2020 with no further action. The company faces a privacy-related class-action lawsuit in California for allegedly collecting and selling financial data without consumers’ consent.
The company collects transaction data from consumers’ bank accounts and credit card histories and sells the highly sensitive financial data to financial institutions, wealth management firms and digital payment platforms. The information is extremely valuable to hedge funds, Wall Street investors, banks and others.
For example, data can be collected on the average water bill for 25,000 citizens in San Francisco or on the daily spending by consumers at McDonald’s, according to the lawsuit. The suit alleges that Yodlee “exploits this information to routinely extract data from user’s accounts without their consent.”
A key allegation in the lawsuit is that Yodlee distributed sensitive financial information on consumers in unencrypted plain text files, all without individuals’ knowledge. The lawsuit also alleges that such plain text files can be read by anyone who acquires them, making it possible to identify the specific individuals involved in each transaction.
The company has denied the allegations.
“At Yodlee, we don’t sell data that identifies consumers,” Costello said. “We write our disclosures and we inform our clients about how to write their disclosures to describe what it is we do, and we put it on the website.”
CFPB’s principles
In its principles outlining the upcoming data-access rule, the CFPB appears to be taking a different approach from what is currently happening with disclosures today.
The bureau said companies should be required to get permission from a consumer specifically for secondary uses of their data.
“Ideally, data aggregators and data users should be required to obtain the consumer’s additional affirmative consent before they are allowed to use the consumer’s data for a secondary use not reasonably expected by consumers, thereby empowering consumers to control all the potential uses by permissioned parties of their data,” the CFPB said in its 2020 proposal.
The bureau also is considering ways in which consumers can have their consent revoked. Companies may be required to periodically get reauthorization from a consumer to access data. In addition, the CFPB may create a requirement that aggregators and fintechs stop collecting data if a consumer deletes a financial app.
In the principles it laid out, the CFPB also said that companies should create clear disclosures regarding the “identity and security of [the] party, the data they access, their use of such data, and the frequency at which they access the data … throughout the period that the data are accessed, used, or stored.”
The CFPB also appears to look unfavorably at the tradition of companies having unlimited data access.
“Perpetual access permissions unnecessarily put consumers and their data at risk,” the bureau said in its proposal.
Given that the CFPB has oversight over nonbanks, many companies are concerned of running afoul of the federal prohibition on unfair, deceptive and abusive acts and practices, known as UDAAP. For example, if a consumer asks to have their consent revoked and any data that has been collected deleted and a company does not take action, the CFPB can issue an enforcement action and a fine.
“If consumers are harmed and either banks, fintechs or aggregators have not provided accurate existing records of [a consumer’s] financial information — and just as importantly not included an explanation of how data is shared — the bureau should take appropriate action,” Carrillo said.
Here comes Congress
Lawmakers appear to be supportive of a range of possible CFPB actions to address the issue of consent and secondary uses of data.
“When a consumer grants consent for any party to access or to hold their personal financial data, it’s vital that this consent is read narrowly,” said Davidson, the Ohio congressman. “Whether this involves limiting the specific financial activity for which the data is needed, or the length of time it is authorized, I expect these types of questions to be at the forefront of the CFPB’s process as they undertake the rulemaking.”
Many lawmakers are concerned that the U.S. has a fragmented regulatory framework when it comes to consumer privacy and data protection. Several existing laws already address consumer privacy including the Gramm-Leach-Bliley Act, Fair Credit Reporting Act and Electronic Fund Transfer Act.
In addition to the CFPB’s data-access rulemaking, the FTC is modernizing information security standards for nonbank financial service providers under the Gramm-Leach-Bliley, and prudential regulators are working to harmonize guidance for third-party service providers The CFPB also is expected in its final rule to begin supervising data aggregators and other fintechs that hold large amounts of consumer data.
Meanwhile, lawmakers appear eager to address the issues, potentially on a rare bipartisan basis.
Sen. John Kennedy, R-La., has introduced a bill called the Own Your Own Data Act, which joins a growing list of other privacy bills as Congress considers a new federal privacy law. The bill provides an exclusive property right in the data that an individual generates on the internet and requires the use of prominent icons to guide consumers to obtain a copy of their data, to export it or to cancel any agreements governing data use. The law would be enforced by the FTC.
House Financial Services Committee Chair Maxine Waters, D-Calif., has been pushing for consumers to be able to opt out of any data collection as opposed to automatically opting in.
“I get that [companies] provide something in writing on page 15 somewhere that if you want to opt out you’ve got to let us know,” Waters said. “Most people don’t know what is meant by it, and so if you don’t opt out, the information is shared with a third party, that information is shared with somebody else, [and] somebody else shares the information.”