Released: July 28, 2021

Consumer advocate and data network call for transparency and control in data sharing

Contact: .(JavaScript must be enabled to view this email address), 202-544-3088

By Linda Sherry and John Pitts

Linda Sherry is director of national priorities for Consumer Action, a national consumer education and advocacy nonprofit organization celebrating its 50th anniversary this year.

John Pitts is head of policy at Plaid, a data network that powers the tools millions of people rely on to live healthier financial lives.

The recent Presidential Executive Order raised financial data portability as having competitive benefits for consumers. This portability is what allows consumers to use FinTech (or financial technology) apps, which help consumers make payments, invest, budget, save money, and view their financial “big picture” at a glance. Consumer Action has demonstrated that access to safe, sound and well-designed financial technology can help consumers improve their finances.

But in order for consumers to use these apps, they need to be able to access and share their financial data, which presents new demands for data privacy, security and control. Currently, the Consumer Financial Protection Bureau (CFPB), our federal consumer watchdog agency, is considering regulations to protect financial data access, oversee the data networks that facilitate access to consumers’ accounts at banks and other financial services businesses, and give consumers more control over the use of their financial data by FinTech developers via “open finance.”

Dodd-Frank Section 1033 gives the CFPB the authority to implement rules that give customers electronic access to “information in the control or possession of the covered person concerning the consumer financial product or service.” While one aim was to encourage competition and innovation in financial services, Section 1033 led to legitimate concerns about consumers’ control of and access to their data and the privacy and security of that data.

Earlier this year, the CFPB collected public comments about a Section 1033 rulemaking. Feedback from financial industry and civil society organizations, among others, points to the need for strong data security and privacy oversight; consumer control over their financial data; and rules that govern the activities of players in the FinTech industry so they comply with consumer financial regulations like fair lending laws.

The industry has a role to play in bringing these changes forward, most importantly by building technology and experiences that give consumers transparency and control. It starts where consumers build connections across their accounts. In most cases, applications themselves aren’t directly accessing the consumer’s data; instead, they employ a data network like Plaid to be their single source of connectivity so that all consumers can share their data regardless of where they bank. Where a consumer’s application relies on a network for connectivity, that network should make itself transparently known to the consumer, so that consumer can learn more about the network and its practices.

Tools to help consumers manage data connections after they’ve been established should be elemental in the CFPB’s requirements under Section 1033. Consumer Action has warned consumers to disconnect unwanted apps by changing their banking passwords—a cumbersome task. Instead, some financial services providers and data networks now are giving consumers “control panels” to monitor and track where they’ve linked accounts. For example, Plaid Portal, which gives consumers the ability to view, edit and revoke their connections all in one place, no matter where they bank, is being “beta tested” by the public. Major banks, including Wells Fargo, Chase and Bank of America, have created security dashboards so that their customers can monitor access provided to third-party services and apps.

Separately, Consumer Action and Plaid have called on the CFPB to regulate entities in the “FinTech ecosystem”—including data networks like Plaid. We both agree that Section 1033 rules must mandate that consumers have real control over their own data, that there are ironclad limits on the ways companies are allowed to use and share the data, and that companies be encouraged to offer tools allowing consumers to control how much or how little financial data they share, and with whom.

Consumer empowerment is rooted in strong financial regulations that protect the interests of customers “playing” on an often unlevel field. The FinTech ecosystem may promise a shift from the traditional credit reporting model, where banks share consumer data in the background, to an era where consumers are empowered to share elements of their financial transactions directly with financial services providers in order to qualify for credit, loans and mortgages. But to firmly shut the door on financial predators, discrimination, data misuse and loss of privacy, the CFPB’s Section 1033 rules must bring concrete certainty about consumer data protection rights and ensure data security and protection through supervision of data networks and all major players in the financial data-use industry. Without such certainty, the innovation and competition envisioned by Congress will never succeed.