CFPB Outlines Principles for Third-Party Data Access

October 19, 2017

The Consumer Financial Protection Bureau yesterday issued nine guiding principles for protecting consumers that choose to share their financial data with third parties and data aggregators. The principles were released after the CFPB last year conducted a formal investigation into “screen scraping,” a process in which consumers provide their online banking credentials to a third-party app or tool. The principles do not reflect new or alter any existing guidance.

While the CFPB affirmed that consumers should generally have the ability to share their financial data, it noted that consumers should not be required to give up their banking credentials to do so. The principles establish that third parties that are granted access to customer data should use it only to the extent necessary to provide the products and services selected by the customer, and that the data should be accessed, stored and used safely and securely. In addition, the CFPB emphasized that consumers should have the ability to quickly review who has access to their data and have disputes over unauthorized access resolved in a timely manner.

ABA welcomed the CFPB’s commitment to protecting consumer financial data as new technologies continue to emerge, and noted that the principles incorporate several recommendations the association made in previous comments to the bureau. “Customers deserve bank-level security wherever they share their financial information, and the CFPB principles pay particular attention to protecting this sensitive data,” said ABA VP Rob Morgan. “ABA believes customers should understand and control how third parties use their information.”

Morgan added that per ABA’s recommendation, “CFPB recognized that customers should not be required to share their online banking username and password to facilitate data sharing. There are technologies that can facilitate more secure access, and the banking industry will continue to work closely with technology companies to give customers the ability to share their financial data securely.” View the principles.