CBA Comment Letter re CFPB Consumer Access to Financial Records RFI

February 21, 2017

Submitted Electronically: FederalRegisterComments@cfpb.gov

Ms. Monica Jackson
Office of the Executive Secretary
Consumer Financial Protection Bureau
1700 G Street, NW
Washington, DC 20552

Re: Docket No. CFPB-2016-0048 / Document No. 2016-28086 - Request for Information Regarding Consumer Access to Financial Records

Dear Ms. Jackson,

The Consumer Bankers Association (“CBA”)[1] appreciates the opportunity to provide our comments in response to the Consumer Financial Protection Bureau’s (“Bureau” or “CFPB”) request for information regarding consumer access to financial records (“Request”).  As we explain in more detail below, CBA strongly supports effective and secure consumer access to personal data with proper consumer protections, transparency and fairness in customer relationships.

CBA commends the Bureau for its examination of effective consumer access to personal data and how financial institutions meet consumer demand.  It has long been established that financial institutions engaged in consumer data aggregation services assume an increased level of risk and must institute corresponding risk management practices to mitigate potential consumer harm.  The Federal Financial Institutions Examination Council (“FFIEC”) noted in 2003 that “the highly sensitive nature of the information collected and stored by aggregators greatly increases the risk associated with aggregation services.  The aggregator’s ability to protect stored customer IDs and passwords and to provide accurate and timely delivery of information from the customer’s accounts is the most significant fact in assessing the level of risk in aggregation services.”[2]  Due to this heightened risk, it is imperative data aggregators institute the most advanced protections to keep consumer data safe.

Over the past few years, the U.S. financial services industry has seen tremendous growth in consumer data aggregation services offered by personal financial management companies (“PFM”).  PFMs gather information from a multitude of websites to build services for consumers.  These services range from account aggregation and data verification to fund transfers, and the information gathered can range from publicly available information to highly sensitive personal account data.  Account aggregation, a common PFM service, occurs when a PFM pulls together account information from the different record-holding custodian companies (“Custodians”) in order to present a customer with a unified view of their financial health.  Data sources often include insurance companies, investment companies, and consumer banks (e.g. 401k, 529, credit card, checking, and savings accounts).

CBA firmly supports the innovation and implementation of data aggregation services, and the ability of consumers to access their personal data in order to efficiently manage their finances.  If implemented correctly, we believe data aggregation can be a useful consumer tool to protect against risks such as fraud, breaches, and liability.  As such, banks often work with third-party PFMs to develop effective, secure ways to provide data aggregation services to consumers.  Accordingly, we support data aggregation that allows for sharing through structured agreements between PFMs and Custodians, such as banks, as long as adequate precautions are taken to mitigate risks.  

There are several core principles that are critical in helping ensure customers are protected: 

  • Information Security: Accessing, aggregating, and sharing consumer information must be done in a secure manner.  The highly sensitive nature of the information collected and stored by PFMs greatly increases the risk associated with aggregation services.  The PFM’s ability to protect stored consumer information is paramount to consumers’ financial safety;
  • Explicit Informed Consent: Customers need complete visibility into what data is being shared and with whom, which begins with an explicit consent from the customer to their financial institution that they agree to share their data;
  • Customer Control: Customers need to have transparency and control over who they are sharing their data with, what data is being shared, and how they can opt out of data sharing; and
  • Liability Awareness: Customers need to be aware of the liability implications for unauthorized use of their credentials and the potential for financial loss.

Again, it is important that consumers receive the safe and sound products they want and need at fair prices, with robust privacy protections and transparent terms.  Accordingly, we urge the CFPB to refrain from mandating that Custodians (i.e. banks) transfer sensitive customer information to PFMs absent due diligence and formal contracts.  These critical elements are required to help ensure that PFMs treat such information in accordance with the same laws that govern how banks must treat it.

We look forward to working with the Bureau on this important, emerging issue.     

Discussion

At a November 17, 2016, field hearing in Salt Lake City, Utah, the CFPB expressed concern over the ability of consumers to access their own data.  CFPB Director Richard Cordray remarked, “[w]e are gravely concerned by reports that some financial institutions are looking for ways to limit, or even shut off, access to financial data rather than exploring ways to make sure that such access, once granted, is safe and secure.”[3]  This statement suggests the CFPB believes banks are doing consumers a disservice by not readily opening their systems to data aggregators.  In reality, however, if a customer freely hands over their login credentials to third-party aggregators, banks have no control over how those aggregators keep customers’ account information safe.  When something does go wrong, such as a fraudulent payment or loss of data, consumers will generally turn to the banks – not the aggregators – for reparation.  These issues deserve serious consideration when discussing open access to consumer account data.

Director Cordray further explained that in issuing the Request, the Bureau’s “main goals are to encourage innovation that promotes opportunity and to protect consumers as these new and promising technologies continue to develop.”  We could not agree more.  Innovation is key to developing services and products that consumers want.  Data aggregation services are best offered when they are accompanied by the proper safeguards to ensure consumers can freely use these services while being protected from fraud and misuse.  The banking industry is heavily regulated through robust privacy requirements and, thus, is at the forefront of protecting consumer data.  We believe secure and proper innovation in the aggregation market is best served when PFMs and Custodians work together to ensure the safe exchange of sensitive information.  Protecting customer data is not a means of gaining a competitive advantage in the marketplace; it is simply good for consumers.

There are several methods utilized by PFMs to aggregate a consumer’s information, including direct feeds (a unique data feed between the Custodian and the aggregator), a centralized network allowing PFMs to access account information, and “screen scraping.”  The first two options allow PFMs and Custodians to work together to find solutions that protect customer privacy while still allowing for aggregation services.  This is usually done by carefully establishing an “access agreement” between the Custodian and the PFM, which provides for the safe and non-disruptive transfer of consumer information.  For example, by allowing for transmission through the use of an application programming interface (“API”), banks can offer aggregation solutions that will allow vetted data aggregators unfettered access to their customer data.

However, the method of using a client’s credentials in order to act on behalf of that client and access the Custodian’s website, known as screen scraping, creates numerous concerns for banks and their customers, which are detailed below.

Screen Scraping

Screen scraping uses a program that mimics a user interacting with a computer screen.  The program knows where buttons and text entry fields are and “scrapes” the data that is shown on the screen.  Once all this disparate data is pulled together, it is reconciled, scrubbed, and then mapped to a single data schema, typically in a portfolio management system.  This process is most often done without the PFM entering into a formal agreement with the Custodian.  Instead, PFMs that use scraping techniques obtain IDs and passwords from customers in order to gain access to the customers’ accounts.

1. Privacy and Fraud

Scraping presents numerous concerns for banks.  First, banks go to great lengths establishing processes and systems to protect privacy and minimize fraud.  These efforts are complicated by the fact that automated screen scraping can appear very similar to nefarious, automated account validation (AV) scripts, which seek to compromise customer accounts.  Banks usually are not notified about what steps account aggregators or other permissioned parties have taken to mitigate risks.  PFMs have sometimes taken the position that when they take possession of data, the relationship is between themselves and the consumer.  They resist making substantial commitments to Custodians with regard to how they will protect, use, disclose, or otherwise process data, creating heightened risk for data security.

The release and storage of sensitive customer information by data aggregators creates an increased risk of data breaches and, accordingly, PFMs must ensure compliance with applicable laws with regard to data privacy and security.  Under the Gramm-Leach-Bliley Act (GLBA),[4] financial institutions, including PFMs,[5] are responsible for implementing well-established data security requirements to keep consumer data secure.  While banks are held to these high standards through strict enforcement by their prudential regulators and regular examination, PFMs have no ongoing supervision.  Enforcement of infractions would almost certainly come only after a data breach has occurred.  Without proper oversight, the data used and stored by PFMs runs a high risk of being protected by subpar standards, which increases the damage when PFMs are targeted by hackers.

A prime example of this is illustrated in the CFPB’s first data security enforcement action, against Dwolla, Inc. (“Dwolla”).[6]  Although the CFPB has no direct authority to enforce the standards prescribed under GLBA,[7] it took the novel step of bringing an enforcement action against Dwolla under its unfair, deceptive, or abusive acts and practices authority (“UDAAP”).[8]  Dwolla is a company that operates an online payment system, which uses consumers’ personal information to complete financial transactions.  The CFPB alleged the company failed to maintain adequate data security practices despite representations made on the company’s website and in communications with consumers that the company had implemented practices that exceed industry standards, such as the Payment Card Industry Data Security Standard (“PCI DSS”).  In particular, the CFPB found that Dwolla failed to:

  • Adopt and implement reasonable and appropriate data security policies and procedures;
  • Use appropriate measures to identify reasonably foreseeable security risks;
  • Ensure that employees who have access to or handle consumer information received adequate training and guidance about security risks;
  • Use encryption technologies to properly safeguard sensitive consumer information; and
  • Practice secure software development, particularly with regard to consumer facing applications developed at an affiliated website.

These infractions track the requirements of the GLBA’s Safeguards Rule.[9]  The Safeguards Rule requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue, protecting clients’ nonpublic personal information.[10]  The Dwolla case illustrates the possibility of lax compliance with GLBA standards by non-bank financial institutions that are not supervised on a regular basis.

The GLBA’s Financial Privacy Rule also requires financial institutions, including PFMs, to provide each consumer with a privacy notice at the time the consumer relationship is established and annually thereafter.  The privacy notice must explain the information collected about the consumer, where that information is shared, how that information is used, and how that information is protected.  The notice must also identify the consumer’s right to opt out of the information being shared with unaffiliated parties pursuant to the provisions of the Fair Credit Reporting Act.[11]  Should the privacy policy change at any point in time, the consumer must be notified again for acceptance.  Each time the privacy notice is reestablished, the consumer has the right to opt out.  The unaffiliated parties receiving the nonpublic information are held to the acceptance terms of the consumer under the original relationship agreement.  Compliance with the GLBA’s Financial Privacy Rule can be complex and, in some situations, PFMs should be held to the same standard of compliance as banks.

Second, many banks do not completely block PFMs that utilize scraping.  Many PFMs (e.g. MINT) have had relationships with banks for years.  These PFMs often have agreements with banks on how and when they access data, because aggregation via screen scraping can have a profound effect on the performance of banks’ IT systems, creating a bandwidth issue.  PFMs often aggregate data constantly and can drive spikes in volume to bank websites, which can strain the system and result in inconvenience for individual customers who are trying to directly access their account information at the same time.  When banks' website servers are besieged with requests from customers and data aggregators at the same time, the banks are going to protect individual customers’ access by making the aggregators wait and access the banks' systems only during non-peak hours.

2. Vendor Management Requirements

These issues underscore the need for banks and PFMs to work in unison to develop innovative services that consumers can use with ease and confidence.  Through established relationships, banks can diligently ensure that PFMs institute proper controls, minimize security risks, and support a level playing field that will promote competition in the market.  In fact, through third-party vendor requirements, banks must ensure the vendors they work with are held to the same standards as the bank.

Beginning in 2012, the federal banking regulators intensified their review of bank relationships with third-party service providers.  The agencies have issued updated guidance to place supervised financial institutions on notice about the risks and responsibilities associated with overseeing vendors, and to establish regulatory expectations for managing these relationships.

On January 31, 2012, the Federal Deposit Insurance Corporation (“FDIC”) issued a Financial Institution Letter containing revised guidance on payment processor relationships, which discusses potential risks, risk mitigation, due diligence, underwriting, and ongoing monitoring in the context of payment processors.[12]  The FDIC warns banks that failure to adequately manage payment processor or merchant relationships may be viewed as facilitating these parties’ fraudulent or unlawful activity, and therefore they may be liable for such fraudulent or unlawful activity.

On April 13, 2012, the CFPB announced its intention to also hold companies accountable for the actions of outside service providers.[13]  The Bureau announced it will take a closer look at how service providers interact with consumers and will hold contracting companies accountable when legal violations occur.  The CFPB states that while banks and nonbanks have legitimate business reasons to outsource functions to service providers, the resulting relationships do not absolve banks of responsibility for complying with federal consumer financial laws.  Violations of consumer laws by service providers can result in legal responsibility for both the service provider and the bank, underscoring the need for these relationships to be monitored accordingly.

On October 30, 2013, the Office of the Comptroller of the Currency (“OCC”) issued a risk management bulletin on third-party relationships.[14]  Similar to the CFPB bulletin, the OCC established new guidance on what banks must do to manage the risks associated with utilizing service providers.  However, the OCC differs from the CFPB’s approach by not restricting its guidance to only service providers; the scope of the agency’s bulletin extends to cover any relationship banks have with a “third-party.”

These requirements prescribe guidance to banks for assessing and managing risks associated with third-party relationships.  By establishing a working relationship with banks, PFMs will be checked against critical privacy and security requirements, adding an essential level of protection for consumers.  Unfettered access granted to a non-contractual PFM without appropriate risk reviews and controls could run afoul of these regulatory expectations for banks.  Without company-wide processes and procedures to ensure that all third parties are systematically screened to verify whether or not they will have access to a company’s networks, IT systems or data, third parties can put an organization at risk of reputational impact, regulatory exposure, and revenue loss.

3. Consumer Liability and Treatment of PFMs under Regulation E

As referenced above, when PFMs collect personal non-public information, the consumer is put at a heightened risk for fraudulent activity.  The free exchange of account credentials and subpar security measures make many PFMs potentially rich targets for hackers.  Accordingly, consumers should be made well aware by PFMs of their liability for unauthorized transfers covered by their banks under Regulation E, which implements the Electronic Fund Transfer Act.[15]

Regulation E defines an “unauthorized electronic fund transfer” as “an electronic fund transfer from a consumer’s account initiated by a person other than the consumer without actual authority to initiate the transfer and from which the consumer receives no benefit.”[16]  However, as further defined in the Regulation, unauthorized transfers do not include transfers initiated “by a person who was furnished the access device to the consumer’s account by the consumer, unless the consumer has notified the financial institution that transfers by that person are no longer authorized.”[17]

If a bank customer gives their account credentials to a PFM which subsequently initiates an unauthorized transfer, or an unauthorized transfer is initiated by an outside source as a result of a breach of the PFM, the transfer would be considered authorized by the bank because the client had furnished an access device (i.e. login credentials) to the PFM, leaving the customer liable for such transfers.  Accordingly, the bank would not be liable for these transfers unless the customer notified them that the transfers by the person, PFM or other vendor were no longer authorized.

Consumers might look to a PFM for restitution if it qualifies as a “service provider” under Regulation E.[18]  Under the regulation, a service provider includes any person that provides electronic fund transfer services to a consumer; issues an access device to that consumer that can be used to access the consumer’s account at the bank; and has no agreement with the bank regarding such access.[19]  A service provider is liable for unauthorized transfers that exceed a customer’s liability under Regulation E.[20]  Here, we believe a PFM would qualify as a service provider, as PFMs provide customers with a single login credential to access the PFM’s services, which are a means of access to all of the customer’s bank account(s).  Accordingly, consumers should be made aware of the liability implications of PFM services when they are acquired.

* * * * *

Through careful application of applicable law and proper oversight, banks and PFMs can work together to make data aggregation services readily available and safe for consumers who would like to freely access their personal financial data.  Through collaboration and innovative solutions, aggregation services can evolve as safe resources that work in harmony with bank platforms.  However, consumers should always be made well aware of security and liability concerns when engaging data aggregation services.

CBA greatly appreciates the opportunity to share our suggestions and to work with the Bureau as it considers consumer access to financial records.  Should you need further information, please do not hesitate to contact the undersigned directly at dpommerehn@consumerbankers.com.

Sincerely,

David Pommerehn

Vice President, Associate General Counsel

Consumer Bankers Association

[1] The Consumer Bankers Association is the only national financial trade group focused exclusively on retail banking and personal financial services—banking services geared toward consumers and small businesses. As the recognized voice on retail banking issues, CBA provides leadership, education, research, and federal representation for its members. CBA members include the nation’s largest bank holding companies as well as regional and super-community banks that collectively hold two-thirds of the total assets of depository institutions. 

[2] FFIEC E-Banking IT Examination Handbook, August 2003.

[4] 15 U.S.C. §6801 – It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information. 

[5] 15 U.S.C. §6809  - a “financial institution” generally means “any institution the business of which is engaging in financial activities as described in section 1843(k) of title 12.”  These definitions include entities providing data processing, data storage and data transmission services for financial or banking data. 

[7] The Dodd-Frank Act excludes from the definition of "enumerated consumer laws" subject to the CFPB's jurisdiction the provisions of the Gramm-Leach-Bliley Act.

[8] 12 U.S.C. §5481.

[9] 15 U.S.C. §6901-§6809.

[10] The Safeguards Rule applies to information of any consumers past or present of the financial institution's products or services.

[11] 15 U.S.C. §1681.

[12] FDIC FIL-3-2012 - Payment Processor Relationships Revised Guidance (Revised July 2014).

[13] CFPB Bulletin 2012-03  – Service Providers.

[14] OCC Bulletin 2013-29 – Third-Party Relationships.

[15] 12 C.F.R. §1005.1(b) -  Regulation E “establishes the basic rights, liabilities, and responsibilities of consumers who use electronic fund transfer and remittance transfer services and of financial institutions or other persons that offer these services.”

[16] Id.

[17] 12 C.F.R. §1005.2(m).

[18] 12 C.F.R. §1005.14.

[19] App. C – C.F.R. Part 1005, Comment 14(b)-1.

[20] Id.