ICBA supports responsible financial services innovation and urges policymakers to carefully consider the privacy, regulatory compliance burden, data security, and legal implications presented by permissioned third-party access to consumer bank accounts.
ICBA encourages adoption of the CFPB’s common principles and industry standardization efforts by data access ecosystem participants in the sharing and use of permissioned customer financial account information in a secure, transparent manner that allows consumers to control their information.
ICBA is firmly against mandating standards that threaten to leave community banks at a disadvantage from any asymmetry of capabilities and resources.
ICBA encourages development of data-sharing technologies and adoption of standards that offer more secure access to data and enhanced privacy. Core processors and technology providers should enable accelerated adoption of these capabilities to ensure that community banks are well-positioned to compete in an evolving market. ICBA strongly supports limiting the use, sharing, and storage of data to that which is authorized by the consumer. ICBA urges the CFPB to prohibit the sale of customer-permissioned data to unpermissioned third-parties.
Data aggregators should be brought under the supervision of the CFPB which would result in consumer protection compliance obligations and subject these entities to annual examinations.
Data access disclosures should clearly indicate the entity that is obtaining permission from the customer and provide the customer with clearly stated instructions for revoking their permission
Regulators should not interpret customer-permissioned aggregator access to a bank’s data as a direct vendor relationship.
ICBA firmly asserts that liability should follow the custody of the data and that all costs associated with a breach or system intrusion should be borne by the entity that incurs the breach.
Data Sharing. Section 1033 of the Dodd-Frank Act requires a bank to make a consumer’s data and financial records available upon request. Community banks should assess the risks related to open access by third parties, also known as open-banking, including financial and reputational risks, and take necessary actions to mitigate risks.
Common Principles and Industry Standards. The CFPB issued data-sharing principles in 2017 that ensure consumers remain protected when sharing their financial data. These principles include user-permissioned access and the ability to revoke consent as well as the use of applicable laws and industry best practices with regard to data privacy and security.
The industry is moving towards adoption of standardized Application Programming Interfaces (API) to address technical inconsistences and enable these common principles. However, there is only limited adoption of APIs among community banks because APIs are highly dependent on their core banking platforms or other solution providers for API integration capabilities.
To date, there has been insufficient progress and speed to market by core and other technology providers to enable adoption of APIs. Standards implementation by different market participants should reflect industry progression and must not leave community banks at a disadvantage from any asymmetry of capabilities and resources.
Data Minimization. Data for which the consumer has authorized access should have limited application functionality, providing only minimal access, collection, and storage for a restricted period of time and thereby protecting consumers in the event of a breach or misuse of their data. These restrictions should include limiting data to the original entity that has received permission and affirmatively prohibiting the sale of data to unpermissioned third parties.
Regulatory Oversight of Data Aggregators. Title X of the Dodd-Frank Act authorized the CFPB to establish a supervisory program for nonbanks that offer consumer financial products or services. Such authority ensures consumer safeguards and levels the playing field among all industry participants. However, to date, aggregators benefit from unregulated access to sensitive consumer financial data without the oversight of examinations.
Many aggregators are now expanding their services, but these companies sit outside the regulatory perimeter. The longer they benefit from lack of supervision, the more risk of harm to consumers as aggregators become more enmeshed with their data. This unequal regulatory dynamic diminishes community bank competitiveness because aggregators are not subjected to the same obligations nor oversight.
Transparent Consent Disclosures. Consumers must clearly understand which company they are granting permission to access their banking data. Banks should not be required to provide disclosures on behalf of permissioned third parties. Use of bank logos and branding elements create confusion and mislead bank customers, creating customer support difficulties for banks.
Consent disclosures should identify specific data to be accessed and instructions on how to revoke permission. Services that go beyond financial aggregation, such as money movement, should require separate and explicit consent disclosures from the permissioned third party to inform the customer of risks created by such services.
No Vendor Relationship. Regulators should not interpret customer-permissioned aggregator access to a bank’s data as a direct vendor relationship. Banks and aggregators are brought together at the direction of a consumer authorizing access to their data. The aggregator is not an agent, nor a third-party service provider, acting on behalf of the bank.
Absent the consumer connection, there is no contractual or other business relationship between the bank and the data aggregator that would trigger vendor due diligence requirements. As such, banks should not be required to conduct vendor-like due diligence on aggregators, and the requirement to do so is yet another unfair and misplaced regulatory burden.
Third-Party Responsibility for Financial Losses. A community bank’s success is largely dependent on its reputation for fostering customer trust. Maintaining the integrity of customer financial relationships is of utmost importance to community banks, not only because it is required by law but also because it is the right thing to do.
If a customer experiences a financial loss with a permissioned data aggregator or third party, the customer is likely to seek redress from their bank. Regardless of where a breach occurs, banks take a variety of steps at their own expense to protect the integrity of customer accounts and should have access to all cost recovery options. Too often, the breached entity evades accountability while financial institutions are left to mitigate the customers damages.
Staff Contacts: Rhonda Thomas-Whitley and Deborah Matthews Phillips