CFPB got it right with data-sharing guidance

There is no longer any doubt: Consumers own their financial data.

This week, the Consumer Financial Protection Bureau released a long-awaited statement on whether banks should let customers share their financial data with third-party companies, and if so, how. The CFPB’s verdict made clear: Consumers should have access to financial data that is timely, accurate and secure on whatever trusted third-party tool they choose to use.

Equally important is how the CFPB chose to make its views known. The bureau laid out its vision for a “robust, safe, and workable data aggregation market that gives consumers protection, usefulness, and value” through a set of consumer protection principles and called on all stakeholders to keep consumer interests at the center of any new data-sharing agreements, systems or standards that are developed.

In issuing its recommendations as principles, the bureau got it exactly right. Under the Dodd-Frank Act, the CFPB has authority to write rules that govern how consumer financial data should be shared between financial institutions and third parties. But prescriptive rules would have risked becoming quickly outdated, given how fast the data aggregation market is changing. By issuing principles, the CFPB creates space for the industry to lead the development of solutions, while providing needed clarification about regulators’ expectations. Now it is up to the industry to seize the opportunity the CFPB has created.

With several bilateral agreements already inked between banks and third-party companies, and multiple stakeholder groups working to develop common application programming interface standards, there is growing momentum in the data-sharing space. But these industry-led efforts will miss the mark if they don’t also address the need for appropriate mechanisms for liability and accountability that incentivize all parties — banks, data aggregators and fintech companies — to keep the data up-to-date, accurate and secure.

The industry also needs to work much harder to give consumers real control over their financial data. First and foremost, we need to make sure that consumers understand what they are agreeing to when they give third parties access to their financial information: how data will be used, how long they will be stored, if and how they will be shared, and how they will be protected. Terms of use and privacy policies are rarely written with consumers in mind; however, the same care that companies put into designing the user experience in products should also be applied to disclosures and communication related to data access.

Over time, consumers also need easy ways to see which third-party apps have access to their data and the ability to revoke that access at any time. Should there be an error in the data or, even worse, a breach, consumers need clear and easy mechanisms for resolving disputes.

As for regulators, the CFPB’s actions this week are a very positive first step, but there are additional actions regulators could take that would help ease the way for industry-led solutions. For example, regulators such as the CFPB, the Office of the Comptroller of the Currency, Federal Reserve and others should clarify how existing regulations, such as Regulation E or third-party risk management guidance, apply to the data-sharing ecosystem — both publicly through additional guidance and internally for their own examiners.

Hopefully, the CFPB’s actions this week will help the industry focus on working together to come up with solutions that put consumers’ interests first. Finally, we can stop debating the worn-out question “Whose data is it?” and get to work.