Capital One Financial Corporation 1680 Capital One Drive McLean, Virginia 22102
February 18, 2020
Consumer Financial Protection Bureau 1700 G. Street, NW Washington, DC 20552
Via Electronic Delivery
Re: Consumer Financial Protection Bureau Symposium on Consumer Access to Financial Records, Section 1033 of the Dodd-Frank Act
Capital One Financial Corporation (“Capital One”)1 appreciates the opportunity to provide a written statement with respect to policy making by the Consumer Financial Protection Bureau (“CFPB”) regarding Dodd-Frank Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank Act”) Section 1033 and ongoing data aggregation- related market monitoring.
Overview
New technology has enabled the rapid proliferation of non-bank financial technology (“fintech”) companies. Much of the U.S. population feels comfortable conducting business online with an entity with which it has little or no prior experience and that does not have any physically accessible locations. Recently, however, the growth of data aggregation services has accelerated the distribution and duplication of consumer financial data, and the risks posed by consumer financial data aggregation services have increased in parallel.
Capital One commends the CFPB for taking its first steps to address this market in the 2017 “Consumer Protection Principles: Consumer-Authorized Financial Data Sharing and Aggregation.” Capital One participated in the November 2016 Request for Information
1 Capital One Financial Corporation (www.capitalone.com) is a financial holding company whose subsidiaries, which include Capital One, N.A., and Capital One Bank (USA), N.A., had $262.7 billion in deposits and $390.4 billion in total assets as of December 31, 2019. Headquartered in McLean, Virginia, Capital One offers a broad spectrum of financial products and services to consumers, small businesses and commercial clients through a variety of channels. Capital One, N.A. has branches located primarily in New York, Louisiana, Texas, Maryland, Virginia, New Jersey and the District of Columbia. A Fortune 500 company, Capital One trades on the New York Stock Exchange under the symbol “COF” and is included in the S&P 100 index.
process that helped inform the creation of the principles.2 While industry actors have been actively working to move data sharing practices forward, a number of the issues that were characterized by the CFPB’s principles remain works-in-progress and, as detailed below, there are areas for improvement.
Effective disclosure and consumer awareness are lacking in the consumer financial data services market, as consumers are often not made fully aware of the costs, benefits, and risks of using consumer financial data aggregator services. For aggregators to provide data services to fintechs, to date, most data aggregators continue to require consumers to divulge their online bank account credentials (usernames and passwords). By disclosing their credentials, consumers are inadvertently subjecting themselves to security and financial risks. Consumers likely do not understand that the credentials they provide to a fintech will be provided to, used, and maintained indefinitely by a third party – the fintech’s data aggregator. Data aggregators obtain the consumer’s financial data by acting as the consumer to enter the consumer’s secure online financial account environment.
Consumers may not be aware that data aggregators will copy and store their data, may use the data for other purposes, or will create new products and services using the consumer’s data.3 Similarly, consumers may not be aware that data aggregators collect and transfer as much information as can be obtained, in many cases well beyond the data actually necessary for the consumer to use the new financial product or service. For instance, in the case of screen scraping, a data aggregator has access to and may collect more information than authorized if the consumer credentials provide the data aggregator with access to multiple financial accounts, as is typically the case with multi-relationship customers of a financial institution. Moreover, an aggregator, fintech, or bad actor that obtains a consumer’s credentials from an aggregator or fintech has the capacity to take any action as a consumer using the financial institution’s website, including initiating electronic funds transfers and account changes.
Consumers have grown to trust that regulated financial institutions are subject to a legal, regulatory, and supervisory regime that requires the safeguarding of consumer financial data. Among numerous other regulatory requirements, financial institutions are subject to periodic examinations for cybersecurity, third party risk management, and consumer protection issues. If a data breach were to occur at a financial institution, the financial institution is expected to notify their federal regulator on a timely basis. Consumers are generally not aware of the differences in the legal and supervisory standards and practices of other participants in the marketplace, and that their financial data may not be subject to the same legal protections when it is removed from the banking system and held by a non-bank aggregator or fintech. Indeed, consumers may incorrectly assume that the fintech with which they are interacting is part of the banking system and is subject to the same standards of practice and information security as a bank. These risks can be further
2 Capital One requests that its February 21, 2017 letter, enclosed with this written statement, also be entered to the record of this Symposium. 3 For instance, some data aggregators are marketing identity management products.
2
exacerbated if downstream fintech clients of data aggregators (“fourth parties”) also fail to provide sufficient protections for consumer financial data.
The CFPB has the authority - and a responsibility - to ensure that consumer financial data is subject to adequate safeguards throughout its lifecycle. Consumers expect to have a stable and consistent level of protection for their financial data, regardless of where the data originated, where it has been transferred, and the type of entity that is using or storing the data. As described further below, the CFPB can and should take steps to simultaneously enhance the legal protections afforded to consumer financial data and promote fintech innovation that increases competition and delivers consumer benefits.
Accordingly, Capital One respectfully recommends that:
● the CFPB prescribe disclosures that, pursuant to its authorities under Section 1032 of the Dodd Frank Act, ensure consumers’ control over their data, adequately convey who has their data, and allow consumers to effectively manage how that data is used;
● the CFPB support secure methods for consumers to access their financial data that do not require consumers to share their account credentials with third parties, such as through application programming interface (“API”) agreements between banks and data aggregators;
● the CFPB collaborate with its prudential counterparts and affirm that, notwithstanding the CFPB’s Principles regarding Consumer-Authorized Financial Data Sharing and Aggregation, financial institutions should not depart from the FFIEC’s guidance regarding multi-factor authentication;
● the CFPB exercise its authority under Dodd-Frank Act Section 1024(a)(1)(C) to provide notice of its intent to require reports and conduct supervisory examinations of specific data aggregators, given the risks they pose to consumers and the consumer financial services market; and
● that any such examination of data aggregators be accompanied by clear expectations from the CFPB regarding disclosure, consumer control, data security, and oversight relating to data aggregators’ sharing consumer data with third parties, as well as any fourth parties that third parties may then share consumer data with.
The CFPB should prescribe disclosures that ensure consumers’ control over their data, adequately convey who has their data, and allow consumers to effectively manage how that data is used.
In 2017, the Bureau articulated a vision in which “[c]onsumers are informed of, or can readily ascertain, which third parties that they have authorized are accessing or using information regarding the consumers’ accounts or other consumer use of financial services.” Further, the Bureau described an environment in which consumers were able to reasonably ascertain the “security of each such party, the data they access, their use of such data, and
3
the frequency at which they access the data” throughout the time that the data is accessed, used, or stored by any such party.4 Beyond transparency, the Bureau envisioned actual consumer control and consent regarding how their data is used. This would include that “[c]onsumers understand data sharing revocation terms and can readily and simply revoke authorizations to access, use, or store data,” among other protections.
Unfortunately, two years later, consumers continue to lack a sufficient understanding of aggregator and fintech data sharing practices and are not offered a meaningful opportunity to consent or object to the privacy and data sharing practices of these services. Moreover, the ability of consumers to understand rapidly evolving market practices is being outpaced by the proliferation of new actors, technologies, and techniques to monetize consumer financial data. The environment described by Federal Reserve Governor Lael Brainard in late 2017 continues to persist:
It is often hard for the consumer to know what is actually happening under the hood of the financial app they are accessing. In most cases, the log in process does not do much to educate the consumer on the precise nature of the data relationship . . . . In reviewing many apps, it appears that the name of the data aggregator is frequently not disclosed in the fintech app’s terms and conditions, and a consumer generally would not easily see what data is held by a data aggregator or how it is used. The apps, websites, and terms and conditions of fintech advisors and data aggregators often do not explain how frequently data aggregators will access a consumer's data or how long they will store that data.5
Indeed, in November 2019, The Clearing House published the results of a survey of nearly 4,000 U.S. banking customers.6 The survey found that 80% of fintech app users were not fully aware that fintech apps or third parties may store their bank account username and password. Once they realize this, more than two-thirds of consumers (68%) were uncomfortable with the level of access they had shared. Similarly, less than a quarter of fintech app users knew that financial apps often continue to have ongoing access to their data until consumers revoke their bank account credentials.
4 Consumer Financial Protection Bureau, Consumer Protection Principles: Consumer-Authorized Financial Data Sharing and Aggregation (Oct. 18, 2017), https://files.consumerfinance.gov/f/documents/cfpb_consumer-protection-principles_data- aggregation.pdf. 5 Lael Brainard, Governor, Federal Reserve System, Speech at the Univ. of Mich., “Where Do Consumers Fit in the Fintech Stack?,” (Nov. 16, 2017), https://www.federalreserve.gov/newsevents/speech/brainard20171116a.pdf. 6 The Clearing House, Consumer Survey: Financial Apps and Data Privacy (Nov. 2019), https://www.theclearinghouse.org/-/media/New/TCH/Documents/Data-Privacy/2019-TCH- ConsumerSurveyReport.pdf.
4
As for consumer control over such data, Governor Brainard again explains:
In examining the terms and conditions for a number of fintech apps, it appears that consumers are rarely provided information explaining how they can terminate the collection and storage of their data. For instance, when a consumer deletes a fintech app from his or her phone, it is not clear this would guarantee that a data aggregator would delete the consumer's bank login and password, nor discontinue accessing transaction information. If a consumer severs the data access, for instance by changing banks or bank account passwords, it is also not clear how he or she can instruct the data aggregator to delete the information that has already been collected. Given that data aggregators often don't have consumer interfaces, consumers may be left to find an email address for the data aggregator, send in a deletion request, and hope for the best.
The Dodd-Frank Act calls upon the CFPB to ensure that “markets for consumer financial products and services are fair, transparent, and competitive.”7 In particular, the CFPB has specific authority under Section 1032 of the Dodd-Frank Act to “prescribe rules to ensure that the features of any consumer financial product or service, both initially and over the term of the product or service, are fully, accurately, and effectively disclosed to consumers in a manner that permits consumers to understand the costs, benefits, and risks associated with the product or service, in light of the facts and circumstances.”8
Accordingly, we recommend the CFPB use its rulemaking authority under section 1032 of the Dodd-Frank Act to ensure that consumers understand the costs, benefits, and risks associated with their use of consumer financial products and services that are provided through the consumer financial data services market. The CFPB should consider promulgating disclosure requirements to ensure that consumers are provided with timely and understandable information needed to make responsible decisions about the sharing of their consumer financial data with aggregators and fintechs, and that the market for consumer financial data operates transparently and efficiently to support enhanced consumer access and innovation.
The CFPB should support secure methods for consumers to access their financial data that do not require consumers to share their account credentials with third parties, such as through API agreements between banks and data aggregators.
Credential-based access is almost always over-broad and presents security risks. The CFPB’s Principles state that authorized third parties should “only access the data necessary to provide the product(s) or service(s) selected by the consumer and only maintain such data as long as necessary.” This can generally be characterized as a “data minimization” principle, which recognizes that large data sets present risks to the holders
7 12 U.S.C. § 5511. 8 12 U.S.C. § 5532.
5
and subjects of the data. However, the currently-prevalent practice of credential sharing is inherently inconsistent with data minimization: even if consumers only authorize use of their credentials to obtain account data, the aggregator or fintech that obtains a consumer’s credentials has the capacity to access all of the consumer’s information. In other words, even if a consumer provides an aggregator or fintech limited authorization to access information from a financial institution, by asking for the consumer’s credentials, the aggregator or fintech obtains access to the full suite of data and services available to the consumer. This practice both misleads consumers about the activity that actually occurs and exceeds the consumer’s express authorization.
The CFPB’s Principles also state that an authorization to initiate payments is separate and distinct from an authorization to obtain data. (“Authorized data access, in and of itself, is not payment authorization. Product or service providers that access information and initiate payments obtain separate and distinct consumer authorizations for these separate activities.”) However, the holder of a consumer’s bank account credentials often has the capacity to initiate electronic funds transfers and account changes, even if the consumer never authorizes the aggregator or fintech to take those actions. By way of comparison, European regulations draw a distinction between regulated account information service providers (AISPs) and payment initiation service providers (PISPs), each being subject to different regulations that acknowledge their respective risk profiles. Aggregators and fintech obtaining data using consumer credentials have the capacity to access more data than they need and initiate transactions not requested by a consumer. Moreover, storing credentials presents a substantial threat to consumers because an aggregator or fintech data breach could result in fraudulent access to consumers’ online accounts. As a result, credential-based access presents heightened risks and, to the extent credential-based access continues to be allowed, the companies using this access method should be subject to commensurate, heightened regulatory obligations.
Under the Gramm-Leach-Bliley Act (“GLBA”), data aggregators may argue that they are requesting and obtaining data from a financial institution “[w]ith the consent or at the direction of the consumer.”9 However, the exception that permits a financial institution to disclose nonpublic personal information based on consumer consent relates to the specific act of a particular disclosure to a particular third party, and does not provide a financial institution with a general exception to the application of GLBA for unlimited sharing of data to third parties.10 In other words, the GLBA exception for consumer-directed disclosure is not intended to permit a financial institution to obtain a consumer’s blanket consent to avoid GLBA restrictions on third party sharing altogether.11 Rather, consumer consent or direction to disclose information under GLBA should be expressed by the consumer directly to the financial institution and identify parameters of the disclosure for each particular use case.
9 12 C.F.R. § 1016.15(a)(1) (2019). 10 See 12 C.F.R. §§ 1016.14(a)(1), 1016.15(a)(1). 11 In addition, under GLBA, reuse and disclosure obligations continue to apply to any subsequent third-party sharing of the customer’s nonpublic personal information after a customer receives notice and opt-out rights from the originating financial institutions, and are controlled by the privacy policy of the originating financial institution. 15 U.S.C. § 6802(c); 12 C.F.R. § 1016.11.
6
This consent can be adequately captured via a financial institution’s OAuth authentication protocol.
For similar reasons, Capital One recommends that the CFPB collaborate with its prudential counterparts and affirm that, notwithstanding the CFPB’s Principles regarding Consumer-Authorized Financial Data Sharing and Aggregation, financial institutions should not depart from the FFIEC’s guidance regarding authentication in an internet banking environment.12 In particular, that “where risk assessments indicate that the use of single- factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risk.” Among other concerns, fraudulent attempts to access consumer accounts may look similar to account access attempts by aggregators and fintechs via shared credentials, or third-party fraudulent actors may use data aggregators to “stuff” illicitly obtained login- password combinations, hoping to bypass protections used for general consumer access.
APIs are a viable alternative with several benefits relative to credential-based access. First, an API that facilitates the transfer of consumer financial data coupled with authentication technology, such as OAuth, allows consumers to authenticate with a financial institution data provider, who would in-turn give the aggregator or fintech a token to access data in lieu of credentials, removing credentials from the aggregator/fintech ecosystem. Second, data transferred via API can be tailored to the consumer’s authorization and subject to enhanced security including encryption. Third, APIs are a far more efficient and scalable platform for the distribution of data. Fourth, Capital One provides access to its APIs for free and, as APIs become more ubiquitous, consumer access will continue to grow.
Because credential-based access is almost always overbroad and APIs are a viable alternative, we urge the CFPB to require aggregators and fintechs seeking consumer- permissioned access to data from financial institutions to use API-based connections when they are available.
The CFPB should exercise its authority under Dodd Frank Act Section 1024(a)(1)(C) to provide notice of its intent to require reports and conduct supervisory examinations of specific non-bank data aggregators, given the risks they pose to consumers and the consumer financial services market.
Although financial institutions and data aggregators store similar data, the substantive expectations that guide financial institutions’ data security practices set a significantly higher bar than what is currently expected of data aggregators. In that regard, financial institutions and data aggregators are both subject to the data security requirements established in GLBA. Banks and non-banks, however, are subject to quite different sets of implementing regulations and regulatory guidance.
Banks are subject to extensive regulatory, supervisory and enforcement scrutiny as articulated in the Interagency Guidelines Establishing Information Security Standards,
12 Federal Financial Institutions Examination Council, Authentication in an Internet Banking Environment, https://www.ffiec.gov/pdf/authentication_guidance.pdf.
7
adopted jointly by the federal financial regulators (the “Interagency Guidelines”).13 The Interagency Guidelines include numerous expectations regarding data security. For example, a bank’s Board of Directors, or an appropriate committee thereof, must “oversee the development, implementation, and maintenance” of the bank’s information security program, ultimately approving the program.14 This includes reviewing regular reports on the overall status of the bank’s compliance with the program, including issues such as service provider arrangements; results of testing; security breaches and management’s responses; and recommendations for changes.
Banks are expected to conduct regular risk assessments, as well as to periodically gauge the sufficiency of their policies, procedures, customer information systems, and other arrangements to control such risks. In so doing, banks are expected to consider and, where appropriate adopt, a number of detailed recommendations ranging from: (a) access controls on customer information systems; (b) similar restrictions for physical locations; (c) encryption of electronic customer information; (d) procedures designed to ensure that customer information systems are consistent with the financial institution’s information security program; (e) dual control procedures, monitoring systems, and procedures for intrusions; (g) response programs that specify actions to be taken in the event of unauthorized access to customer information systems, including appropriate reports to regulatory and law enforcement agencies; and (h) measures to protect against the loss of customer information due to potential environmental hazards (e.g., fire/water or technological failure).15
Importantly, banks are expected to exercise “appropriate due diligence” in selecting service providers and to require that such service providers “implement appropriate measures designed to meet the objectives” of the GLBA guidelines. Banks are expected to monitor their service providers, where indicated by the banks’ risk assessments, including by requiring audits, summaries of test results, or other equivalent evaluations.16
In contrast, data aggregators and fourth party fintechs -- which seek access to the very same consumer data safeguarded by banks -- are not subject to the Interagency Guidelines. Rather, as non-bank financial institutions, they would be subject to the more flexible regulations promulgated by the Federal Trade Commission (“FTC”).17 As one industry expert described the FTC’s Safeguards Rule, a non-bank “that is subject to an investigation and/or potential enforcement action by the FTC could quite reasonably argue that there are no specific requirements for the technical controls they are required to employ to control identified risks.”18 Last year, the FTC announced that it was seeking comment on
13 Interagency Guidelines, 12 C.F.R. Pt. 30, App. B (as incorporated into the OCC regulations for national banks). The Interagency Guidelines also apply to members of the Federal Reserve System, as well as banks and savings associations insured by the Federal Deposit Insurance Corporation, federally-insured credit unions, and broker-dealers, investment companies, and investment advisors. 14 Id. §III.A. 15 Id. §III.C1(a)-(h). 16 Id. §III.D. 17 FTC Safeguards Rule, 16 C.F.R. Pt. 314. 18 Rob Hunter, Ensuring Consistent Consumer Data Protection, The Clearing House,
8
proposed changes to the GLBA Safeguards Rule.19 If the FTC finalizes the elements of its proposal, the revisions would create substantive expectations for non-banks that are closer to the Interagency Guidelines but whether parity will exist with banks is yet to be determined.
In addition to the different substantive expectations for non-banks under GLBA, the process differences between the two regimes are stark. Banks are regularly examined by prudential regulators, including data-security related inquiries. In contrast, data aggregators and fintechs are generally not subject to regular examinations and other oversight by prudential regulators. Accordingly, even under a revised GLBA Safeguards Rule, if a data aggregator maintained sub-par data security practices and suffered an actual data breach, regulators and consumers may never know.
The CFPB has statutory authority that can bring greater oversight to non-bank data aggregators that now hold data on over twenty million consumer accounts.20 In our response to the November 2016 Request for Information, Capital One recommended that the CFPB exercise its authority under Dodd-Frank Act Section 1024(a)(1)(B) to promulgate, after consultation with the FTC, a rulemaking delineating the CFPB’s supervisory and enforcement authority over larger participants in the data aggregator market.
Dodd-Frank Act Section 1024, however, also sets out CFPB supervisory authority over a number of other market participants that do not require an additional rulemaking. In particular, Sections 1024(a)(1)(C) and 1024(b) direct the Bureau to require reports and conduct examinations on a periodic basis of non-depository covered persons that “the Bureau has reasonable cause to determine, by order, after notice to the covered person and a reasonable opportunity for such covered person to respond,” based on information that such person is “engaging in, or has engaged, in conduct that poses risks to consumers with regard to the offering or provision of consumer financial products or services.”
Given the growing concentration in the data aggregation market,21 the Bureau should initially bring oversight to the data aggregation marketplace by focusing on a small handful of specific firms engaging in conduct that poses risks to consumers, rather than undertake a lengthy rulemaking process to define the “larger participants” in this market. Data aggregators hold an enormous volume of consumer data and have the potential to cause large-scale negative externalities to millions of consumers and the financial institutions that
https://www.theclearinghouse.org/banking-perspectives/2015/2015-q3-banking- perspectives/articles/ensuring-consumer-data-protections (last visited Feb. 13, 2020). 19 Federal Trade Commission, FTC Seeks Comment on Proposed Amendments to Safeguards and Privacy Rules (Mar. 5, 2019), https://www.ftc.gov/news-events/press-releases/2019/03/ftc-seeks- comment-proposed-amendments-safeguards-privacy-rules. 20 See, e.g., Kate Rooney, Meet the start-up you’ve never heard of that powers Venmo, Robinhood and other big consumer apps, CNBC(Oct. 4, 2018) https://www.cnbc.com/2018/10/04/meet-the- startup-that-powers-venmo-robinhood-and-other-big-apps.html. 21 See, e.g., Donna Fuscaldo, Plaid Buys Quovo In Its First Major Acquisition Forbes, (Jan. 8, 2019), https://www.forbes.com/sites/donnafuscaldo/2019/01/08/plaid-buys-quovo- in-its-first-major-acquisition/#55a1f6dc648d.
9
consumers have entrusted with their financial lives. Accordingly, Capital One recommends that the CFPB conduct regular examinations of high-profile data aggregation firms, coordinating where appropriate with prudential regulators, pursuant to the CFPB’s authority under Dodd-Frank Act Section 1024(a)(1)(C). Further, Capital One recommends that any such examination of non-bank data aggregators begin with the CFPB articulating clear expectations regarding appropriate disclosure, consumer control, data security, and oversight relating to data aggregators’ sharing consumer data with fourth parties.
Conclusion
We recommend that the CFPB continue to work with industry, consumer, and regulatory stakeholders in an open and transparent manner to continue to inform the CFPB on issues specific to section 1033, inclusive of the issues discussed above.
While we believe that the CFPB should act on the recommendations above prior to considering whether to impose any new regulations or binding standards under section 1033 of the Dodd-Frank Act, we recommend that if the CFPB does so, it begins by collaborating with Federal banking agencies and the FTC to ensure consistent treatment across the industry. In particular, the Federal banking agencies would be able to share their perspectives on safety and soundness, reputational risk, and trust in the banking industry with respect to practices in the consumer financial data services marketplace.
Respectfully,
Becky Heironimus
Rebecca “Becky” Heironimus Managing Vice President Digital Enterprise Customer
10
Capital One Financial Corporation 1680 Capital One Drive Capit~(JfUr McLean, Virginia 22102
February 21, 2017
Via Electronic Delivery
Monica Jackson, Office of the Executive Secretary Consumer Financial Protection Bureau 1700 G Street, N.W. Washington, D.C. 20552
Re: Docket No. Bureau-2016-0048; Request for Information Regarding Consumer Access to Financial Records
Dear Ms. Jackson:
Capital One appreciates the opportunity to comment on the Request for Information Regarding Consumer Access to Financial Records ("RFI") by the Consumer Financial Protection Bureau ("CFPB"). 1 Capital One applauds the CFPB for issuing the RFI, as Capital One supports innovations that empower consumers to manage their finances in a safe and convenient manner.
Technology allows consumer financial data to be broadly accessed and rapidly disseminated. Innovations that rely on consumer financial data can provide significant benefits, but also can put at risk legitimate consumer interests, including the security of and control over such data. It is vital, therefore, to ensure that long-standing consumer protections apply to consumer financial data across the data services sector.
Accordingly, we respectfully suggest that, in examining consumers' access to their own financial data, the CFPB take the opportunity to assess how best to protect consumer financial data throughout its lifecycle. In that spirit, in sections I-II of the discussion below, we provide the CFPB with information pertinent to its analysis. In addition, in section III of the discussion, we offer recommendations intended to ensure that industry pa:tiicipants can continue to bring consumers new and innovative products and services within a resilient market structure that advances and protects their interests.
1 Capital One Financial Corporation (www.capitalone.com) is a financial holding company whose subsidiaries, which include Capital One, N.A., and Capital One Bank (USA), N.A., had $236.8 billion in deposits and $357.0 billion in total assets as of December 31,20 16. Headquartered in McLean, Virginia, Capital One offers a broad spectrum of financial products and services to consumers, small businesses and commercial clients through a variety of channels. Capital One, N.A. has branches located primarily in New York, New Jersey, Texas, Louisiana, Maryland, Virginia and the District of Columbia. A Fortune 500 company, Capital One trades on the New York Stock Exchange under the symbol "COF" and is included in the S&P I 00 index. Executive Summary
Consumers have long received special protections for their financial data due to its inherently sensitive nature and its value to third parties. The Gramm-Leach Bliley Act of 1999 ("GLBA'') is the bedrock law that provides consumers with privacy and data security protections over their financial data.
While all financial institutions are required by GLBA and its implementing regulations to deliver privacy and security protections on behalf of consumers, some companies that store and use consumer financial data believe that those requirements aTe inapplicable to their activities.
Many consumers who use new services that pull their financial data from a bank end up losing the safe and secure environment where their financial data is accorded the longstanding protections provided by law, by releasing their data into a relatively unfettered data services marketplace that may not grant privacy protections or adequately safeguard the sensitive data from security risks. Consumers are not sufficiently infmmed or given meaningful choice to consent or object to the privacy and data sharing practices of these new services. Moreover, the ability of consumers to understand rapidly evolving market practices is being outpaced by the proliferation of new actors, technologies, and techniques to monetize consumer financial data.
Despite the risks to consumers, much of the public dialogue concerning irmovative services using consumer fmancial data ignores the loss of consumer privacy, transparency, and control over uses for the data. These risks are greatly exacerbated when the·data is moved to a business that does not feel constrained by the requirements of the GLBA. Nor has the debate about these services focused on the security risks that consumers face when they part with their banking credentials, which, when stolen, provide a fraudster with control over the consumer's entire financial account and enables identity theft and theft of funds. Instead, many nonbank companies providing new services assert interests that stand in direct conflict to consumer interests, by calling for third pruties to have unfettered access to bank systems in order to obtain consumer financial data and by employing a caveat emptor philosophy of use and disclosure.
Given the current status of this market, we respectfully recommend:
• The CFPB should work with stakeholders to produce overarching principles governing consumer financial data that can guide the mru·ketplace to develop solutions that address consumer privacy and security risks. These principles should encompass the long-standing protections provided by GLBA, and address: (i) consumer transpru·ency; (ii) restrictions on the shru·ing of data; (iii) restrictions on use of data; (iv) consumer accessibility; (v) consumer control; and (vi) cost.
• The CFPB and its sister regulatory agencies should use their existing powers to make clear that GLBA's consumer protections apply to consumer financial
2 from
frnancial the Discussion
for privacy;
practices, Truth financia
traditiona an
2 emp
3
with law certa and to
4
Cred
(imp
(implementing
inf inter
T
1 1
ormation.
it
2 2 C 2
expectat
hi
s
s
GLBA,
I.
changeably
s
data
loyment
C.F.R.
pe
s
lement
it
in
the
and
a
sensi
.F
l
in
etter
c
Transact
safe
information These The
•
.R Cons
In
ial
l
ab
Lendin
sharing
sec
data
system
regulations
.
l
permi
addition,
§§ §
ti
gene
treatment
bank
i
data
The to
market market.
Consume
Accorded
ion
in
the
lity
environment
ve
main
urity
1005
umer
purposes.
1
g
pla
but
recommendation
026.5(b)(2)
in
rall
nature
that
the Fa the
ions
CFPB
to
g
held t
.9(
accounts
of
the
y
in
when
consumers
y
for
federal
Act
ir
coiTect frnancial
b).
a
under
Truth
Electronic
uses
data;
institutions
which
many
related
Credit
Act
United
role
by
nearly
that
of
r
and
w
Spec
referring
should
Financial
the
,
ith re
financial
all
("FACTA")
10
in
use its
law into
in
form
and
in
consumer
va
consumers,
terms
26.7(b).
Repmiing
financial
ial
to
this
data
States,
two
acc
Saving
direct
lue
choice
s
spect
of
a
bring
the
to
Fund
other
that
Protections
s
the
uraci
provide
consumer
largely
data; ecosystem.
to
l
decades.
would
ega
has
data
consumer's
Data
s
foundations
potential
to
regulate
as
Act
up
l
the
Transfer
about
consumer
es
tr
l
institutions,
requirements
.
sec
periodic
ong
Act
ansac
a
ervis
i
with
The
s
when
unfettered
prevent
Has financial
result
cons
with
financia
reflected
urity
been
(
how
"
ion
spec
one tional
the
FCRA"),
bad
Long
um
3
respect
Act
that
;
acco
of
stateme
asset
and
by
l
accorded
their
treatment
of
ers
ial
click,
the
, gene
data
actors.
these
aggregator
including
with
data
acco
designating in
and
consumer
unt.
Been
protections
accessibility.
with
continued
accounts),
and
data
a
to
r
ally
and
can
nts
unpro
comprehensive set
will
unt
laws,
respect
2
periodic
nonpublic
Regulation
transparency
Given
special
uses
is
The
for of
s
the
unwittingly
be
require
non-bank
used,
tecte
fall
consumer
and
protections
credit
the
po
Fair
used growth
to 4
larger
provided
and Special
statements
l term
into
status
personal
periodic
consumer
d
icy
These
and
and
marketplace.
periodic
for
Z ( Z
ca
Regulation
participants
and
nonpublic
five
inno
provide
rd
into
of
impl
transfe
frnancial
Accurate
el
under
categories
s),
Status
to
information
in
a
i
regu
g
categories:
statements
of
vators
shadow
their
3
ibil
consumer
ementing
both
financial
for
Regulation
disclosure
well-sett
r
U.S.
latory
per
consumers ity
their data
depo
and
data
DD
privacy
data
so
Act
that
for
or
nal
law
share
s
basis
da
this
it
for
are the
l
seek
ed
due
of
t
E
a p
d
t from
pr tran
accounts
opt-out environment s
r "
financia
6 co for a in
companies app unknowingl ob us free
5
sa access
pr 8
7 th inv
o
e
p
fintech"
p
i
e
1
e
fety
Fo
o
sclos
s
1
1 ov lati
ec
r
n e 2 p
keep
li
esto
2 2
titution
vid
comm so
co
s
l
li
II
sact
th gate
l u
r
y
C.F.R
U.S
i
um
id
y
cable
al
ve
n
in
s
.
e
and
.
e n
consumer
s.c
r
to
uch
es
d
s
s
ure
"
s
concerning
D
l
protections
Section
A. C
consumer's
tance .C.
ion
e
e
mechanisms.
direct
their
l
um
a
d
y
e
them.
v
r
. n
so
un c a
nt
held
ata
.
data
co
to
unregulated
d
e
§
"
fi
§
§
of
covered
s
to
undne
The Data
Should
l Protections
According
er
co
l
r
548
nancial ,
op
e
y
,
onsumer
under
5533.
e
10 mpanie
esea
provide
aggregators
tt
nt
the
t
and
d
where
a
financial
ntend
be o
financi
30.6(a)(3).
er
in
at
a
financial
1
products
con
ta
Whether
the
(4). market
1033
rch
Fast-Evolving
ss
on
Wall
pulling
depositor
unf
a
Aggregators
sa
W
a
G
new
s
th
the
person
nd
firm
required
Take
account
ette
s
d
umer's
e
cred
that
fe
it
LBA
is
the
Stree
al
ata
bas
ri
do
of
to
,
i By
RFI
d
r
data
consumer
s
s.
gh
Special
institution
secure e
pra
data
format
ata,
n
pro
the
d
e
the
for
accorded
t e
their
se
the
ot
t
"
,
See
are
r
ntia
t
Action
pr
d
,
ansparency
y
Jow-n b
o
c
access
r
tect
to
w
b
includin
y
finan
y
s
v
on
r
Dodd
tic
ov
th
in
including
y
b
e
er
by
ith
i
t
W
a
th
l
li
access
can
ecause
h
ces
,
s
n
st
argue
ir
eve es
co idin
v
e
the
cla for
o
a
and
a
A
o
a
Status to d
l
ice
itution
Consumer
u
ll
C
l
t
n aw.
n-public
cial
t
void
t
undermine
reported
o
fin s
s pa1
St m -
to
l
avoid
section
ss
that
ea
h
acces
th
Frank
um
the .
g
co
s
bank
aving
r
privat
ar
g
rin
ee
a
e
Ameliorate
ii
Without
third that
market
of
information
th
n
account e
ncial
k
s
information
t
protection
r
es
Longstanding
consumer
costs, charges, and
s
g
s), ection
s
et
Journ
ey
to
businesses
um
sys
s
Hou GLBA'
from
fi
on
they
th
5
Act,
,
appear
th
e,
rst
1033
patty
Consumer
s
persona
tem
are
er's
u
pr
a
tand
Yod
e
se
a
Financial
and
s
t
where
sec
1
t
r
l
e
od
co
4
033
,
GLBA coverage, ex
he
s
i
informatio
up
do
Assoc
sk
am
Provider
li
in
fmancial
ured l
a
n uct
ee
access
s
ploit
in w
mitations
ll s
,
lon of
o
s to
or
order
not
this
o
in dat
as
's
n
umer
ows
ithin
of
l
relating
tha
ng
the
h
providers
,
i
take o
adeq
provi
sa
implement
at
a
g
a
the
fmancial
a
r
rm
the
meet
the
matter ion
l
t
Financial Failure
the trad
and
e o e
Data
to serv
se
s
of
Data
them
to
. gat
's
t
u
ho
control
h
the
permit
curity
L.L.C.
ate
law f n.
Personal data.
For
consumers'
de
e
their
p
r
iti
cred
es
u
her
observed
equirements
ic
the
erso
t
consum
of
sage
o
contractual
Privac
on
posit
serv
furt ,
e
to
Services
of
m
any
i
a
law
data
t that
and
any
definition
atio
nd
Some
dat
n
of
and
avo
car
ay h
these
th
or
i
a
er
data.
,
Data
Finance
ces
i
l
e
transaction,
on
requires
d
consumer
releasing
a,
un
not
possess
p
n
the
from info
i
informat
y
e
privacy
cons and
d
r
co
r
by
consum
through
esent
themselves t
and
's
companies
companies
the
data
protections
6
h
n
nfirm
Market
g
cons
and
a
d
nat
rant
b
con
imposing
t
um
e
a
Tools
anks
bit
of
covered
GLBA
GLBA
Data
.
i
ion
safe
8
on,
consumer
ed
um
tr
er
the
r
it
a
ca i
th
e
trust
on,
e
o
rulemaking,
"fi
third
r
p quir
rd
Tracks
int
w
and
of
l
e
er or
s
and l
,
is
ease
CFPB
through
Security
7
h
data
data may
as
n
persons
o a o
sa
a o are
i
or
does
series
en
these
not
ancial
i
n
period e
party to
n
b
may
a
covered
fegu
m
secure
ta
the
r
through
Bank
matter
they to
efer
banks
not
the
e
in
nt
not
ed
a
o
to
s
to
i
rd
f
c
of
s Moreover, because many data aggregators inconectly conclude that they are free ofGLBA's rules regarding reuse and redisclosme of non-public financial information, they do not limit their use of consumer financial data for purposes beyond the specific consent to receive the service that the consumer sought when she provided her credentials.9 The additional uses are generally ones that will allow the data aggregator to monetize the data through consumer·identification, risk management (like fraud analytics), or aggregated insights.
Overall, these companies have built their business model around a legal theory that allows them to treat consumer financial data as data that carries no special legal protections. Effectively, these companies are choosing to treat consumer financial data as though it were any other data, like the webpages that the consumer viewed.
B. Data Aggregators Are Financial Institutions Subject to GLBA
GLBA provides a set of protections for the "nonpublic personal information" of a "consumer" that is held by a "financial institution." GLBA regulates the collection, use, protection, and disclosure of consumer nonpublic personal infmmation by financial institutions. As noted above, GLBA protects nonpublic personal information by, among other things, requiring financial institutions to implement appropriate safeguards to protect the consumer's nonpublic personal infmmation, and requiring financial institutions to satisfy an exemption or various conditions prior to sharing the consumer's nonpublic personal information, including providing a consumer with notice of the institution's privacy practices and the right to opt-out of cetiain types of sharing.
Congress included an intentionally robust and expansive definition of "financial institution" in the GLBA. The definition of a "financial institution" incorporates by reference any business that engages in financial activities identified by the Board of Govemors of the Federal Reserve System ("Federal Reserve Board") pursuant to section 4(k) ofthe Bank Holding Company Act of 1956 (12 USC 1843(k)). 10 Section 4(k) incorporates the § 225.28 ofthe Federal Reserve Board's Regulation Y, which is a list of nonbankirlg activities that are so closely related to banking "as to be a proper incident thereto" and a bank may engage in them. 11 This list includes "data processing, data storage and data transmission services, facilities (including data processing, data storage and data transmission hardware, software, documentation, or operating personnel), databases, advice, and access to such services, facilities, or data-bases by any technological means, if the data to be processed, stored or furnished are financial,
Cards, Sells Data to Investors (Aug. 6, 20 15), available _ill: http://www.wsj.com/articles/provider-of personal-finance-tools-tracks-bank -cards-sells-data-to-in vestors-143 89 14620.
9 15 U.S.C. § 6802(c). 10 15 U.S.C. §§ 6809(c), 6809(3)(A); 12 C.F.R. § 1016.3(1)(1).
I I 12 C.F.R. § 225.28.
5 provisions foreca
"
aggregators credit Internet under act site." ind
genera as Accoun Regulation conducting activities" other restated. within [p]roviding 2 info consumer n a banking instructional
[f]umishing
finan and
1
1
1 14
17
18 19 l6
3 2
5
data
n
0
o
y
1
See
See
See 65
npublic
C~:
1
1
a
15
i
ividua
6)
2
2
vities
a
r
service
c
m
cetiification
l
mation
so
C.F
Fe
C.F.
U.S.C.
i
16
("TCH
proce al
ac
The
g
76
s
1
the card
t
lly
s
2
r
the
ting
d
"Financial
Also,
mean
ess
products
I
tiviti
The
.R
.
company
C.F.
Fe
or
R.
Thus,
R l
I
include
C
1 will
GLBA.
nformat
.
,
s,
9
personal
eg.
d
defined
expans
as
of
§
§
l
§
economic.
who
ss
P
financial
ea
services,
.
"
Wh
perfotmed
s
tax-planning
to
R.
as
general
FTC
22
225.8
6809.
es
motigages
R
,
materia
the
ing
the rin
we
33,646 ("NPI")
the
eg.
i
follow
.!!
§
5.28(b)(l4).
i
financial
ssued
g
t
may
or
g e
225
may
ll.
l
i
financial
"
i
paper
ega
authority
o FTC
79,026
ven
6(a)(2)(iii).
's
GLBA, Hous
th
"a
15 i
se
that
institution
n
ve
in
e
.
rvice
regulation
2
information
cting
Through
(May
l
In
also
economic
term
l
s
8(b).
and
r
and by
s then
definition
")
their
e
the
e
ection
12
a
determined
compiles
pr
to
fo
the
s
.
,
e
(Dec.
s
the
t
ese
institu
and
Section
per
"co 2
ind
r
w
and indu
at. nonfman
guidance
as
consumers
the
institu
000).
access
t
fundamental hi
preamble
for
ntative
he
,
Use
n
CFPB
so
ch
ependently
inve
s"
2
225.28
Risks
s
l
FTC
oans)
tax-preparation
um
s
1
con nall
digital
implementing tions
,
try
a
under informa
of
r
,
20
of
that
tion
e e
st
225.28
or
of
a
r
Co
R
to
" s
11
y
s
that
ment
cial
financial
ex
ll
po
umer;
ega
i
tudies
s as
at
aggregates,
ss
).
nsumers' id
b
"b
;
if
u
of
they
to
plaine
on
e
s
c
the
r s
"
ued
rdi
e
that
t-Dodd-Frank.
h
es
the
i
u
transactions
rings
data
a
tion
ntifiabl
its
gnatures
the
sed
n
an
data fall
or
individua
ng
li
ulting
GL
indi
...
or
y
obtain
sts
by
account
company's
ind
financia
primarily
d
Data
FTC's
engage
and
aggregators
[p
institution
under
otherwise
Login
into
BA
v
6
processing
that
i other
other
the
services
idua
vidual."
]ro
e
from
Aggregation
an
advice,
financial
.
and
have
v 18
the
GLBA
the
l
and
l
iding
regulation
the
who
infmmation
l
,"
individual
financ
agencies
activities
in
for
Congress
advisory
any
definition
authenticating
17
may
broad
Password
1
one
.
cettain
GLBA
web
p
"
ob
5
obtained
in
erso
general The
13
education
qualify
activitie
U.S.C.
ha
tran
ta
ial
th
infotmati
of
also
i
In
Services
s
n
na
site
language
e
s,
whose
been management
CFPB
sac
that
those
l
implementing 's
GLBA.
addition,
,
to
definition
obligations defined
fr
Credentia
§
f
be
o
of
as
a
throu
on-
economic
as
tion
68
b
any
mily
m.!!.
s,
would
y
financial
a
in
a
09
that
courses,
"financial
data
act
lin
on
ha
the
re
financia
the
se
corporated
, financial
(9)
per
w
g
or
u
g
e
s
i
r
h
"nonp
Access
eithe
ith
vities.
Dat se
l
v
ulation
any
s
(e
financial
s
h
acco
identity
aggreg
so
that
ice
tated of"financial
qualify
o
at d
mph
u
for
the
n,
matters;
s
a
se
to
1
r
entity
a
tati
institution
to
2-
privacy
l
in unt
ublic
aggrega
Intemet
h nd
Consumer
including
as
provided
institution.
describe
the
in
o
s consumer
s
These
that it
1
the
i ti
ld ators
st
s
3
st
s
in
CFPB
tutio
of
added).
ical
(Ap
purposes
itutions"
(s
"
personal
persons
uch
[a]cting
and
n
ril
fall
tors'
,
Bank
has
...
by
an
as
or
,
1
4
a agg co
con pr financial m
the for agg d
22 w 23 24
in information
except in
infmmation co institution. 20 GLBA.2 2 and i b third wi
nondisclosure di th t in in
information par·ty
i inf
n hird
s
1
esp
y
fo
i
sti
a s ost s
st
otec
stitut
1
ini
n
n
th
t
1
1
1
1 ormation
titution
clo
2
n
GLBA.
h
rm
5
s r
5
5 any
5
regato s
itu s
co
the
tution,
ega
picu
um
um
C.F. i
tia
cus
the
consumers. U.S.C.
U.S.
U
U
te
party
party
exte
a
of
n
s
t
tions
ions),
t
.S.C.
.S.C
ur
ion. ion
io
s
lly Co
When
er personally
er's
many
tor
co
R.
t
um
1
b
fmancial
C.
n
o
o
e
infmmation
n
r h r
ot
).
u
m
.
that
Rather
ngres n
's
;
,
§
s
di 20
may
would
"
s
§
§
§
and er
s
s
when
h
B
the
di
ive
24
er
per
h
§
l
101
under
fi:om
um of
to
as
privacy
s
6809(4).
6802(a) 6802(b); pr
y
the eca
av
clo
GLBA
sc
data
6802(c);
a
a
option.
the
in
Finally o
di
a
a
6 obtained
so
consumer
regulation.
not
e
the notic
s's
lo
e
data
hibit
sed,
nonaffiliated u
r i r
"c
s
,
fman
describin
nall
obligations
it
b
s
clo
a
se
institution
a
data
aggregator
e
GLBA
identifiab
e
s g s
onsumer
in
data
;
disclo
fin
is
con
see
see
s
aggregator
policy
la
of
e s
ses t
does
, ten
to
y
uch
see
23
i
,
being
a the
wfu th
a ven c
id
aggregator
a
th
ial nci
also
s
a
direct
fmancial
aggregator
t i t
a
in
umer' And
a
l
financial
entifiab
so
o
e
se
t
l
infmm
i
s
infmmation and
s
not
l
g
s
a
in
an
o
complie
.
any
broad
the
22
In
1
l
i
,"
1
abtmdant
g
to
the
,
h
2
f
le
2
st
1
, a ,
institut
i
s
f
el
2
and
explana
made
unl
C.F.R.
ven
t C.F.
th
parti apply
o
itution
carries
Moreover, s
a
financial
hir
co
purpmtedly
C.
manner.
d
r
nonaffiliated
receive
ca
at
nonpubli
atio
"
l
a
F.R.
by
n
ess
e
in
scope
non
d
i
R
n
te
the
in
s
h
s s
cul s
financ
.
y
sto
s
pa um
u
as
dir
gory
th io
§
§
s
n
on
ti a
w
c
s
l
p
§ titution
af
ti and
w tution
y
rt
h 1 101
a
uch e op financial
n
to
res
e
ith
ob
fall
ec
l er 0
101
on
r
r
s
filiat
y
r
ith
y clear
information
"shall
of
,
efore
1
information
so
p
The
any
th
6.4(a)(2)
tl
6.7
t
c
exce
of
unl th
whe
ia
this
the
a
[th o
6.
s
that
of
financi
y
nall
the
e
p
it
in
r
at
n
l
within
11
nonpublic
t
(2017)
ersona
e
from
to
ess
at consumer's information
o
r
7
uni
e
how
a
other
from
t
is
d
sec
efore,
n
s
pt
a
t h t
d
hird sect
(
ll
GLBA
]
consumer's
y
not
2 u
s
third
r
a
customer
institution.
in
receivin
uch
017) ty,
c
accordant
the
identifiable
eq
av
as
tion
(20
h
a
co
,
t
disclosing
ion
(opt
any
l in
he
part
the
its
p
l
uir in
directly
inform
b o
n
1
fmancial GLBA
inf
e
ot
(
no
efo
therwise
party"
7)
of
g
s
limits
r
requirin
,
consumer
e
s
u
(w
so umer
her
out
definition
d
y mann d
titution
on
personal
(ini
t
o
se
re
a
a
g
rma
n
be
ith
th
to
permi
t
con go
from
n
under
a
third
ti of
ation
person
th
that
on
otice
at
rights
per
a
or
imp
d
aggregator
applies
any
In
in
certa
has
l
t
e t
e
financial
t
isclosed
nonpublic
re
i
sumer
receives
privacy
he
g
r.
on
institution
pr
g cu g
so
thro
other
di
i
provid im
ss
a
to
disclosure
ose
party,
s
may
ov
a
Regu
nonpublic
noth
inform
can
n
s
te1
in
has
ion
of
cl
and
a
co
e
b
a
continuing
u
stomer
id
os
m
y
lly
nonaffiliated
tha
adequate
n
enumerated
to
g
n
that
n
exe
su
e
wo
ur
t
b
e
to
h
ce
onpublic
ot
protections
h
lation
to
es
d
consumer
r
unl
e d e
nonpubli ident
dat
inf
e
t
me
s
a
e
i
,
ation r
fin
ce
o
rd
s
per
and
r n
tain
have
a
suc
or
the
financial
uch
b clearly
cise
rs).
o
i
ess
a
s,
to a r
sc
fin
tain
anc
of
rm
e
perso
ffi
aggregators
sonal
h
ifiab
r
h
lat
P
lo data
consume
e
d
as
ri
a
s
the
suc
safeg
informa
u
a
relation
l t
obligations
thir
a
i
ubje n
sed of
gh
iate hat
se
ti
a
the
i
personal
ta
provided
o
c personal
cial
l
on
l
r
a
n
h n
of
third e
t
th
d
at
s
nd
applied
a
s
to
uard
c
of
hip
e
l
party;
and of
h
t
r
s)
er
s
to
s
ti
[that]
u
a
.
s
hip
o
ch
s
the
n
to over the security and confidentiality of nonpublic personal infmmation.25 The implementing regulations and guidance concerning the safeguarding of nonpublic personal information is extensive for financial institutions subject to the safeguards regulations promulgated by the Federal Reserve Board, OCC, and FDIC.26
As noted above, some of GLBA's notice and opt-out requirements do not apply if the financial institution is disclosing the consumer's nonpublic personal infmmation with the consent or at the direction of the consumerY Data aggregators may argue that they have the consumer's consent or are operating at the direction of the consumer. The exception for consumer consent, however, pertains to the specific act of a particular disclosure to a pruticular third patty, and does not provide a financial institution with a general exception to the application of GLBA for unlimited sharing of that data to other third parties.28 Under the GLBA's implementing regulations, a financial institution must provide a revised notice before the financial institution begins to share a new category of nonpublic personal information or shares infmmation with a new category of nonaffiliated third patty in a manner that was not described in the previous notice under which the initial data sharing occurred.29 In other words, the exception for a consumer's consent is not intended to permit a fmancial institution to obtain a consumer's blanket consent to avoid GLBA restrictions on third patty sharing altogether. In addition, under GLBA, reuse and disclosure obligations continue to apply to any subsequent third-party sharing of the customer's nonpublic personal information after a customer receives notice and opt-out rights from the originating financial institutions, and are controlled by the privacy policy of the originating fmancial institution.30
Given the clat·ity of the statute and implementing regulations, we are concerned that some data aggregators at·e embedding into their practices a data regime that declines to provide nonpublic personal infmmation with special protections, ostensibly by using consumer consent as a way to "opt out" of the GLBA in its entirety. This practice is not only wrong as a matter of law, but also because consumers are not knowingly consenting to the loss of privileges for their nonpublic personal infmmation when they consent to its transfer out of the regulated banking system.
25 See 15 U.S.C. § 6801(b) (requiring agencies, other than the CFPB, to establish standards for the protection of consumer information). 26 Interagency Guidelines Establishing Standards for Safeguarding Customer's Information, 12 CFR Pa1t 30, App. B. See also TCH Whitepaper at 13-14 ("there is currently no notification requirement imposed by the FTC on non-bank financial institutions that experience a breach resulting in the unauthorized disclosure of customer data"); The Clearing House, Ensuring Consistent Consumer Protection for Data Security: Major Banks vs. Alternative Payment Providers (August 20 15). 27 15 U.S.C. § 6802(e)(2); see also 12 C.F.R. § 1016.15(a)(l) (2017) 28 See 12 C.F.R. §§ 1016.14(a)(1), 1016.15(a)(1) (2017). 29 12 C.F.R. § 1016.8(b)(1)(i) (2017). 30 15U.S.C.§6802(c) ; 12C .F.R. § 1016.11.
8 the
not emerge protections se entity accessible and
and
aware aggregator accurately,
data
are
environmen consumer have
when w under subject
31 purpo s the 32 Consumers
33
3 d
Co that
4
t
ata
a
ho
rvices
See See TCH
For
ndards
n
se
term
inadvertently
made
enforced the
s
the
aggregators
may
will
um
full
stan
risks
nes
ses,
TCH
in
they
with
1
2
Whitepaper.
New
C.
In
Consumer
sta
Co
Consumers
to
Financial
during
data
s
e
have
U
s
transparency
employ
rs
d
not
fully
n
and
order and
or
.S.C.
a
in
n
location.
are
ce, Whitepaper
prov
and
Data
which
services
and
that
s
under
t.
are
are
s
technology
umers
order
will
aggregator
trict
be
by
some
increased
conditions
practice
lacking
Consumers
§
a
aware
exp
not
general
i
effect
the
to
s
5532.
as
time
contract
Practices
require
ion
create
subjec
screen
l
Serv
Regu
it
egal, risks
prov
data
to
lained
safe
have
made
may not
credentials
becau
has
Recently,
at
an
i
enter
of
when
vely
s
i
in
aggregators
about
l
ces
6-
i
lation
y
regulatory
are
t
in
of
de
and
ne
litt
inn
wil
the
has
ing scraping
l
consumers
l
the
of
to
ong
not
awru·e
how
se
l.
are
w
para
other
l
their
Roundtable
into
disclo
in
ova l especially
e
th
the
mitigate
costs
sec
be
themse
enabled
the
products
copy
consumer
the
prior
aware
E,
ei
g
the
not
bank
however
tiv
ll
rown
will
awru·e
u
the
population
r
that
d nature
el
participants
nor
re
consequences
are
fmancial se
,
a
e
to
made
Cons
,
and
t
benefits,
with
experience,
d
a
once
consumer's
ap
and
s
l
b
of
to
m ves
obtain
th
data
them
t the
serv
to
e
are
arket
plic o
of
and
concerning.
a
store
provided
part
the
financial published
and
u
, tru
consumers. t
supe
the
awru·e
to
it rapid
the
the
beginning
providing
me
ice
aggregators
a
.
in
st
se
differences
3
acco
is
tion
security
feels
the
with
s
1
g
g
and
their r
s
rvisor ful
ri
rvices cope
that
9
rowth
in
removed
id
to
Financia
s
proliferation
that
e
consumer's
and
k
l
to
of
J
unt.
t
secure
nti
ri
he
s
to
end-user
their
ran
comfortable
data
re
data,
s
a
obtain
of
of
ty
that
y
ks
a
33 gu
32
marketp
Effective these
u
that
th
paper
of
and
to
ge
regime
m
s
these consumer
third
ei
of
ing
s
lated
a
collect
credentials.
the
use
in
decision
from
ervices
of nagement online
will
r
l
financial does
using
Data
credentials
their
the
prac
the
activities
in
fmtech
market.
p
rules
serv
financial
financial
lace,
at
u
to
offmtech
the April2016
legal
se
not
ty
consumer
and di
t
conducting
financial
fmancial
ice
consumer
market,
safeg
Services
ice
.
financial
sclosure
the
product
and
banking
-
and
They
have
s
risk
transfer
companies
s
the
and
In
can
The
data
of
often
uard
standards
may
in
data
that
s,
so
data
s
dat
companies
any
s
s
likely do
as
.
shift
's
account
as
Clearing
up data,
titutions
th
Marketp
for
and
doing,
system.
data
fmancial
consumer
are
a
be
bu
data.
their
consumers
by
not
at
erviso
they
aggregato
physically
aggregators
o
si
loss
,
a
consumer
described
acting
not
ther
includin
to
aggregation
ne
only
violation
34
agreed
consumer
do
consumers
ss
date
r
not
a
fully,
House
y
r
l
to
not
ace dat
e
with
the
d
as
,
r
ata
are
g
a
most
to
the
d
.
an
of
ata philosophy
pract provide
protections their unconstrained
aggregator information protections privacy as necessary
t unattractive compa co fin
th exacerbated
of protectio d want co in consumers' consumer
s sc industry 3 29, applicat
been
o
5
hifted
eter
rap
ro
sti
n
ll
See
take
i
s tec
2
s
sumer
ection,
uch
u
tutional 0
i
typica
i mined
pos
ng-debate
g
transfened,
to
1
h
ces
L
6),
h
ni
a
advantage
t De
Arguab
In The
industry
D.
Overall,
o
a
i
use po
o
lit the
es
on sess
for
n
u
ava
relating
philosophy
a
th
t
for li
or
sp
intere
li
for
ll u
may
h
Bank
C
its
for
g
that of
of
data t
e
and what cies
CF
il
data
fear
se as
cho
ave y
hat,
whe di
ite
l
ion
h
any
able
.
oze~
consumer
the
t
the
their
th
caveat
scretion
lif in
l
PB
a can
con
of
these
y,
s
ic
have
under
obta
nd
trade
e
for
and
n agg
been
ecy
as
such
thr
ts.
at
t
oppmtunity
and
consumer
Operation
to
American
heir
es:
case
special
in
t of
downstream
ha
h
s
be
http
di
financial
a
oug
umer
e new
re
cl
the
in
Bri
data
today's
any
s
- ssem
matter
tr
concerns,
emptor:
the
le
changing
re
increasingly
gro
data
obta
e,
ga
s:
a
the
the
wit
to
a
more
a
h
bili vel
a
//
linqui
s
and
diti
th
t
activit n
l
h
www.americanbanker.com
n
up
or
type
contractual
practice
financial
make
ack
safeg
h
r
ar
in
ew in
au ereby
Banker,
Peters
ty
will
egime
of
onally
),
to
wit th
at in
the
of
ed
a
mru·ket
th
information
data,
to
to
s
of
privacy
has
and e
l
i
g
of
use "It's
on
ority h
.
u
consume
i
Risk
h
clients
not
fi
changes
ri
deployment
es
of
consume
transfer
opt
ards
s
cont
ensur
For
,
financial
access
nt
sk
s
u
Why
envis
of
rut
Execut
inn
applied
r
the
and
ffic
th
voca
d of
ec
egard be
up
p
environment,
o
to
ata.
consumer
i
Management
e
in
r
l
ri
to
cu
ut
ovative
h
ace,
o
data
Silicon
and
in
new
ient
prote
consume
of
e
stance, n
g
to
l
i
companies,
consume
l
l
n
of
o
h
r
g
ew
to
ated
ove
data
to
l
r
in
s
n
iv
ts
th
the
protect
the
ess
cons
ur
absent
ed
can,
sec
institution t
aggrega suc
transparency
addit
privacy
financia
e
o
an
c
asse1ting
and
so
r
e
of
10
Valley
t
Director
th
data
of
cons
th
into
ed
the
prod
and
urity
urces
t
h
autho
um
in
h
e
sing
da
wit
at
r
/
.
o i
changes,
at
where
new
's
r
i onal
consumer's
the
safe
on
bli
t rea
That
these
exe
e
the
um
aggregators
uct
many
financial
Is
a,
cons
h
t
personal
rs
they
p
l
le
data
o
s
gat
of
ri
o
Watching
and
/
ract product
so
consumers
r case
why-s er
s
rci
ty inter
h
using
s
broader
financial zed
n
sign
of
nable
ave
revenue.
the
an
i
e
i
um
reveal
technology
s
to
ons
of
sed
want."
and
aggregator
ices
fmancial
click
Financial
safety
d
not
in
of
i
ests
-
er
decide
i
f
th
data
on
a
li
serv
cluding
or
data,
is
by
financial
the
co
screen
the
eir
stable
financia
rule
or
the without
financial true
,
mru
the
capability.
n
both
stor
that
a
35
o
t
accounts
-va
ices
and
o
l se
consumer
he
persona
Screen
p
ru·e
reservation
so
These
ri
s
data
t
·
what
poten co
Indeed,
rvice,
ket,
ll
institutions
i
se
ginated,
of
ng
out
Innovation
s
ey-
s
an
prudent
lack
companies
scraping,
any
left
t
sound
outside
n
,
and
companies,
l
the
s
notice and
d
infmmation.
i
the
aggregators
s-wa
Scraping or
um
d
of dat
techno
ri
t
consistent
ata
l
with
changes
suffic
ial
but
of
in
sks
road
to
d
a
er
n
a.
data
l
the
credentia
tch
arge
ata
ll
w
ess,
consequences
t i
confl
u
a
of s
also
he
c to
of
the
Without can
nd
here
i
ti
two
h
ng-the-screen
safeguru the
cunent
i
h
logy
o
.
for
Now
li
Debate
oice
the
ent
t
emp
full
consumer,
ave
r
techno
protecting
he
ze
necessary.
spec
ict
as elect
to
be
ri
dat
the
it
l banking
ru·e
sks
data
.
eve
they
l
l
much
to
further
h
(a
oy
s
a
ial
(Dec.
as
the
·ded
not
logy
l
are
new
a
in
of fro a a More
in
th diff
products
36
sec (or int
co sec risk co
safeg a been
37
int to
( offe
F
uthentic
n
bov
at
e
n
n
d
th
OC 8
er
ensure
eres
m
b.
ti
urity
rin
that
e
sume
s
Til.
1 Fed.
thereb
wou
e
e
e
o
um
rent
e,
2
u
g
C
rodin s
g s
n
re
8
broader
haring
ard
t
r
t
,
s
aggrega s. Bul
In
"T
s s
so a
More data
concetns."
that W
Therefore
been
We
III
t
e
cen
2
om
hm·e
nted
considerat
h
ld
r
r
atio
of
perspective:
001
and
R
that
m in
e
e
he
the
In
financial
int l
y
eg.
e
g
b
be
e tl
Recommendations
agree
CFPB
re e
consumers.
g
are
tin
e
).
in enab
th
y,
n
particular adequatel
eres
market
Bureau
l
common
market
credentials and to
fundam
of
spe se
risk
83809.
ow.
tion
industry
face
2
consumer
e s e
and
ways
consumer
r
001
broader
the
l
v
ctfull
t
egi
l
lowl
,
with
ice
serv
s w s
e
37
discu
would
d
we
-
Thi
ion
tran
market
1
data
CFPB
timat
iftmst
2
pmticipant
that
s
participan
b
ill
e
i
ces.
y
s.
ur includ
e
w
y
ntal
s
y
,
the
views
s
participant
-built
li
ss
we
mi
than
wi
be
i
off
repr
ge
serv
eves
thin
financial
W
und
want
e
ion
dat
OCC
CFP
ss ll
t
s
prot
cons
e pmticipants
the
hr
es
d
e a
in
till
r
ese
enable
ion
o
i a
ermi
nece
a
sc
,
a
a
o
w
ces
re
the
the
ls
nd
h
not sec
bout
,
u
Bu an
B
ec
CF
re
ts
put
ithin
ree
s
um
nt
oweve
the
o
g
of
are
s
y
h
t
marketplace
that
ssary ma ll
CF
l
n
e
urity
s
b
atio
ed
banking
ilient
PB
o
data
n
e
believe
d
e
er
e
t
entities
d
n
tin
can
Bureau
consumer
h m
li
sc
a
PB
cons
y
the
in
g
con
across
e
n
int
ta.
eve
a
th
to
-
200
r d
r
ri
standing
GLBA
rketplace
se ri
t
t
aping
co
t
e
e
that
mm·ket
s
h o
eres
RFI,
th
o
ce
address
sks
cid
k
ume
rvice In
is
market
1-1 that
s
address
n
responsibly e
that
sys
rn
to
t
amon
doe
area.
e
th following
inu
addition
2:
t
s
11
h
e
s
uch
th
to
r
t
,
wa
ave
e e e
tem
d
protection
and
o s
by
through
any
absent
interests
Ba
s
e
e
structure
g
a
mm consume
m
re
ive)
leg
not
p nt
to
i bout
n
CFPB
the
u
The market
s
mt r
o
legitimate
s
k
were
th
ire
s
eq
mm·ketplace
trict
-Pr
r
not
·ke
bring
itim
in
e
ri
e
i
b
to
l
uir
c
s
g
e
ov
s eg
sec
consumer
the
Bureau
t.
Dodd-
recommend
i
s
k
u
li
con
pants
a
hift
the
the 36
s
a
consumer-petmis
affected
speaks
ident
ed
id
ch
ligne
itima
eve
te
and
r
that
th
ur
pmticipant
con
e
sig
tm
d
tr
at
the
effo
e vm-ious con
consumer
resource
ac
Account
tha
n
F
ni
privacy
and
ifie
to
sume
other
st
protects
d
te
ational
i
r
t
fica
marketplace
s
sume
ank
r
s
to
o
t
in
have
consumer
partic
ts,
concerned
fi d
n
by
and
consumer
modern
the
nan
the
in
a
th
r
n
consumer m
s
Act,
au
ti
practices
t re
Aggregat
bank s
s
r
e
o
ne
sectio
se
a
other
and
confidence
do
cia issues
i
th away
financial
int
rket
and
n
consumer
pa
pu
w
s
i
orities
s
as
ss
e
l
not
n
that
security
a
t
s
r
mechani
and
d
ts
privacy
at
r
advances
i
es u
p
,
n
mechanisms.
spec
e
oned
ata
views
es
to
i
from
mt
therefore,
i
o
spec
s
expos
ts
n
o
1033
n
and
are
hould
in
ecessar
innovative
n
move
b
i
th
ecosystem,
Services
in
cipants
a
syste
i
terests
ut
's
fied
l
at
access
ified
that
in
e
th
the
failures
have cos
from
s
-
d
a
b
h
te
e m
nd
es
i
to
th
and
ave m.
gnore
away in
nd
il
s
t
t
s
.
e
in
t
y
for
h
e
to
a
at
d protections financia
This marketplace principles consumer Dodd-F author
recomm define this from
accessibi tran
cany consumer in
l and 38
t the http Spec
h their
Report, Cons
regu l
aws.
he
ong-s
as
t
[n
h
s
d
da
b
l
spa
remain
:
mru·ketp atory-principles-onl
eve
umer
/ /
e
2009,
i
a
app
da
the
fica
out
www.
ta
nks
tanding
consumer
i
Self-Regu/a/0/y pr
ty
r
l
B.
We
A.
In
We
t Congress
r
1.
ope
ency,
l
e
a
wi
ank
r
in
li
P
consumer
nd
data
ll
oach
the ' u
the
can
pru·allel
data
r ty, financial
governing
y,
nder
cip
d
server
ftc. ll
ivacy
Aggregators
and
We
CF
G
recommend
recommend
provided
protected.
l that
a
Ac by
FTC
not
ace
LBA
th
purposes
,
gov consumer
les
Consu
res
be
protections
PB
the
would
privacy
e
Recommend
t
Dodd-Frank
describing
ce
Bill
financial
/
the
tricti
bu CFPB
sold, under
an
s,
fo
s
developed
exp
rt
i
wit
r Should
te
Authority
m
w
es
r ild
d
prior
of
data ain
s
Prin
CFPB
er
consumer
i
/
ill
r
consumer
the pon
by
ne-be
h
de
o
be
R
ess
t
but
of
n Privacy
Moreover
and
h
of
direct the
i
is
fa
enab
gh
contro
that
s
c the
GLBA,
across
e
co
to
other data
l
iples
Using
sibi
u
this
ir
y
on
ts
permitted
data
these
w
h
I
se
rather
C
tl
the
n
avioral-advertising/p08540
effo
u
provided
secur
shru·ing
CFPB
to bu
h
fi
l
s
t
larify
se
l
f-regulatory
li
the
h
for en
e
istent
le
the
s
s
Act
Bi
commerc
ties
s
e
l
up
CFPB's
s
mru·ketpl
ubch
co
,
t
it
fmancial
ine
the
/
financ
ts
It
statutes
ll
do CFPB
th
and
and
Online s
s
aro
it
,
ervis
n
CFPB
harin
s
of
e
the
y,
c
ex Authorities
of
to
ss
work
s
and
entire
Ex
u
ir
a
and
d
um
apter
Rights
und
to
ment
nd
cost.
i
include
and
mode
defin
a
financ
the
sting
non
data
i ta
i
ion.
i
a
a
Behavioral
prescribe g
s e
work
principle approach
l
S
complimentruy
ace,
l
privacy ,
tin
rs
app
together
s
se consumers
of
C
data
CFP
tren
data. re
to
p
/
w
financial
a
report
e
ctors
ublic t
lose
l
agg
nd
r g
stric
o
i
Ensuring s
ial
data
the
egu
princip
li
th
1
to
with
at
GLBA
aro
both
cab
2
B
ca
gt
that
regato
respect
d
s
s
that
make
These
Identified
least
efforts
ll tions
latory
hen
w ,
/
a
p
p
und
for
federa
ed
Adver
l
regulation
t
incl
with
to
e
rotect
i
erso
a
s
encompass
0
benefit
th
are
t
les
to
for
behavadreport.pdf
institution
online
se
ake
consumer
choos
R
the
and
consume
udin
r
GLBA
on
that
clear
r
s
ti
l nal
not
n
principles
authorities
eg
Co
-
to
vices
other
for
of
s
trade
h
on-financial
i
and
i
to
on
use
ng
following
o
ulatory
ngr
financial
s
behavioral
g
Dodd
the
consumers information
l
from
u
in
consumer
international
ders
Gaps
that
bject
(Feb.
s
-
th
l
ess
fintec
aws
co
g
under
of
regulatory
ru
that
e
FTC,
r
serv the
mm
mru·ketplace
access
t
s
l
requi
data,
o
to
emaking GLBA
-Fra
techno
t
2009),
sacrificing
o
enforce
can
pass
Us
O
"may
i
to
h
long-standing
ex
ss
develop
i
institutions .
adve
section
ces.
categor
vers
which
companies
ion-
in
i
address
institutions.
nk
r
In
s
consumer
financial
guide
le
ed
tin
do
to
g
availab
moves
log
g 2
rti
applies
sta
be
g
stake
01 i
i
Authority
GLBA
efforts
s
d
consent
thei
g
not
sing.
authority.
Fede
lation
ff-
i ht
2,
has
by
cal
necessary i
,
overarching
1033
the
es:
r
pr
the
and
r
ep01t
le
shortcomings
lose
of
h
the
r
away
own
FTC
otection
a
o innovation
enforcement
ill
that
data,
and
to
accessing
l
White
Data
to l
Authority
ders
da
38
to
of
-
needed
their
CFPB.
se
protect
app
t
Staff
a
b
other
l
the
from
f
we
privacy
rin
Hou
to
t
lie
o
so
g
s t s
se
h
e regu regulations persons
2010. provided separate
re
of2010 a
enforce consumer an its the competitive. that
re to
39
und 40
41 4
2
person
spec
spec
d
carry
1 15 1 1
lifecycle
2
5 5
exercise
e
l
that
all
r
ations
U.S.C. U.S.C. U.S.C. U.S.C.
4
exis
t ° t
2. The
We
and responsible
cons and
( (2) Section (3)
s (4)
identified to
to
existing
s
out
within
1)
tatu
Congress
markets
de
ubject
fmancial the
consumer tin
Fe
consumers
consumeTS
outdated,
Dodd-Frank
§ § §
§
sc
recommend
for
with
from
the
CFPB
umers
in
s
42
of
6804(a)(l)(a). 6804(a)( 6804(a)(2). 55
g
ribed
d
prescript
of
the
Federa
era
a.
this
the
11.
the
That
purposes
1021
to
Fede
a
re
for
discrimination;
and l
author person
their
called
consumer
has
s
Section Services Competitive
security have
Dodd-Frank
in
consumer
authority
deci
pect
data
l
s
financial
consumer
unnecess
)(c).
of
ection r
l
section
addressed
a
are
ar
i
rulewriting
consumer
on
l
respective
s
the
that
access
e
to
i
i
ion
consumer
on
Act
s
of
ty
as
prov
protect
of
accorded
the
1021
of
DF
s a s from
thi
the
a spec the
financial
and
regulation
financia
Authority
1
products a
depository
consumer
bout
s
s s
i 029(a)
A
finan
ry,
t
ded
tandard
agencies Act.
o
CFP
Markets
in
of
ifi
e
ubchapter
prescribe
calls
financia
the
m
d
juri
authority
or
cal
o
fmanciallaw
the
with
financia
arkets
f
c
rd
it B
rom
CFPB
undul
ial
l law
s s s
of
sd
l
data
e
for
y
consult
s
and
s
Dodd-Frank
r
i
pecial products
nonpubli
authorizes
the
tim
ct
under
pursuant
to
to
in
l law l
unfair,
the
for
for
i
y
services
regulations
s i
on
reduce unwananted services
consult
with
l
to
s
e
under
1 titution
Consumer
burdensome
tran
l
3
enforced
CFPB
y
consumer
Consumer
pre
(the
with
protections
for
sec
and
deceptive, respect
consistently
sact
c
sc
and
to
tion
the
th
CFPB
information).
,
-
the
and
marketplace.
ribe
the
understa
e
to
those authoritie
in
ions;
Act-
services
Consumer
purpo
6801
co as
implemen
CFPB
Financial Protection
order
banking
coordinate
finan
regulation
to
n
are
regulation
Financial
i
s
s
under
any
ist
or
Fair,
ses
not
n
of
to
necessary
for cial
dable
ent
to
abusive
are
this
financial
promote
of
authorized
regulatory
agencies
exercise
39
the
l
t
Financial
the
products
Transparent,
y,
fa
s
and,
ensuring
with
The title,
s
inform
"as
without
Products
ir
s.
purpose
GLBA
are
,
41
ac
transparent,
where
to
ma
FTC
each
which
fair
in
t
r
it
and
s
eg
ensure
sti ation
s a s
and
y
burdens;
Protection
and
to
that,
Act
throughout
ul regard
b
compet
tuti
of
was
u
other
the
prescribe
e
app
arly
t
and
services
covers
h
practic
necessary
ensuring
to
of
and on
orit
with
FTC
that
lic
make
with
to and
that
ies
ab
iti
Act
the
es
on;
le
in
is
, fmancial responsible
rules
ensure
Frank ensure of financial disclosed circumstances. benefits,
initially over 4 consumer 44 conduct 4 consumer 46 or consumer
about that
3
5
consumer
12U.S.C.§55ll.
procedures
12 12C.F 12C.F
the
covered
u.s.c.
to
the
Act
that
that
(5) and
We The
We
Section
Given
ensure
CPFB
. .
and
periodic
R.§55l4.
R.§55l4
and
data
data
to
co
financial
financial
financial
provides
markets
§
consume
consumers recommend
recommend
effic
decisions
CFPB
ll
consumers
over
5532.
financial
risks
persons
ection
operates
serv
of
the
"
s
b.
c.
that
44 h
1024
i
en
.
s
ould
examinations
the
uch opaque
i
Section
and Effectively
has
associated
Participants
Section
Services
ces
tly
for
the
products
la data
the
r
and
s
of
term
w;
about
that
exercise
person;
products
to
specific
understand are
market.
transparently consumer
features
Se
CFPB
in a
that
the
the
market.
obtain use
facilitate
nature
rvice
t
provided
of
h
1032
1024
CFPB
Dodd-Frank
their
manner
e
the
of
or
the
with
agency
and
with
Disclosed
its authority
s
consumer
to
information and services,
of
CFPB
46
in
of
of
of
product
fmancial
financi
assess
authority
the use
any detect access
the
the
general the
the
the
services
with
that
and
declares
costs,
product
its
u consumer
practices Markets
Dodd-Frank
Dodd-Frank
se
a
Act permits
under
compliance
efficient
after
timely
and
or
Features
mlemaking
l and
fmancial
transactions,
its ex
products
supervisory
to
service,
about
14
benefits,
that
provides
assess
innovation.
cons collect
as
or
1
and
i
032
of
consumers
sting
for
are
financial
a
l
service,
y
the
ult
larger
infmmation,
of
many
to
and
risks
understandable
are
provided Consumer
ofthe
with
Act-
Act- authority
at
information
and
activities
the
Consumer
Dodd-Frank
facilitate
i
authorities, and
fully,
on
se
43
participant
to
data
in
CFPB
the
risks
r product
Dodd
with
vices
Fully,
S
consumers
to
that
light
up
requirements
accurate
through
aggregators,
understand
under
associated
and
access
erv
the inc
Financial superv
the
-
operate
Frank
of
Financial
from
Accurately,
or
Act
lu
i
to
compliance systems
FTC
sio information
market
the
of
ding
section service,
require
l
the
and
n
y,
i
authorities
and
a
data
sory
facts
Act
.
transparently
45 for
market
and
with
information
the
consumer
Products
innovation.
we
of
to
for
The
to
aggregators
Products
authority
Large
and
1
effectively
both
repm1s
costs,
Federal
the
032
"prescribe
believe
their
consumer
and
Dodd to
for
to
to
make
other
use
and
and disclo brokers. disclosure.
primary about consultation aggregators authority participants from monitor
consumer and
determining transmission consumers section authentication Whil authority. inadequate fmancial provide authentication practices access this time CFPB invariably 103 CFPB
invest technologies
3
1.
understand
e
screen
of
s
their
's
in
decide we
ure
or
In
C. security Data While
We
In
103
a the
ri
concern
promulgation
We
the
that
data.
over
wit
authentication
s, sks
mechanism
addition,
that a
financial
outpaced
subse Develop
data
l 3
to
believe
Dodd-Frank
so
to
in and
scraping
the
w ,
h
development
Security:
a
from
ofthe
the
to in
we
ensure the
regard, ith l
these provide respect
the
and
and agree
so
However,
the
of
access
potential prescribe
the
a
quent
of
CFPB
ll
believe
the
CFPB
believe
data
consumer
the
data
access
access
data
we
other
the
Dodd-Frank
data
consumer
consumer
Priorities
by
that
secure
FTC
as
for
we
to
perspective
of
sha
recommend comprehensive
rights
aggregator
How
CFPB,
technological
access
shou security
a
serv
practices
considers
Act,
credential
data
consumer-facing
that
guidance
data
contours
believe
th
given
data
technologies
,
standards rin
issues
of
to
at
and
financial
should
ic
ld
g
new
under
there
mm·ket
impose
sec
the
transfer. financial
es
financial
as collection
are
of
and
prescribe
the
effective authentication
Act
is
spec market,
urity
well
that
this
CFPB's
technolo
or
of
functionally
market.
how
of
concerning
one
m·e
s
that
Policies
variability sec
marketplace
and
hm
technologie
that
participants both
ific
developments.
access supervisory
information
the
as data
i
information
tion
other
·ing,
s
should of
to
data
the
We
data
requirements
the
many
WatTant
standm·ds
tool
we
to
CFPB
the
address
authentication
data
g
communications
Once
at
CFPB
103
i
believe
s
in
1
for
market
es fi.mdamental
requirements
questions
believe
aggregators,
ection
5
primary
into
transmission?
of order
.
be
the
different,
3 collection
marketplace
Section
should
s,
participants
of
the the approaches
are
used.
and
the
a exercise
with
need
as
about
or
the
that
1033
more
through
to
the
CFPB
CFPB's
best
regulatory
We
risks
guidance
considerations
in
enforcement
and
incentivize
other Dodd-Frank
examine
to
Accordingly,
current
CFPB
and 1033
accordance
and
they
their
of
do,
effmt
secure the
i
situated
under
move
ss
considerat it
that
ha
relating
patticipants,
the
ue
it s
transmission
data
and
da
however,
CFPB
attention.
and
s
are s
of
1024
privacy
should
to
supervisory
ta exercised
mandating have emerged Dodd-Frank
s
market
standards
away
section access
data
h
the
th
combined
address aggregators
access
ould th
to
mm
e
author
authority,
e
to
can
Act,
w
decide
Dodd-Frank
availability
i i
security
we
CFPB
n
ons
·
continue from
ket
ith
policies,
data
require welcome
practices
technology.
affordi
appropriately
10
is
technologie
shou
do
supervisory i
i
within
s
of
patticipants
or
ts
ty
particular
33
pecific
to
use
authorities.
insecure
which
in
not
Act.
rul e
consumer
guidance over
.
nsur
move
ld
after
at
in
and
n
order
data
While
emaking
and
to
consumer
g
believe
the
the
the
of m·e
section
A
larger
e
study
t
data
Act
o
new
the
away
to
s
in
to
are
at -
practice
exp
credentia services The
to o i
cons authentication. consumers effec Financia se e p
pr Moreover, thi a sc as OAuth
inespective pmtici scra above, 47 Open that FFIEC h ("A their h 48
sec access
whitelists
s
mployed
uth
ttp
ttp
ro
btain
data
rvices
ov rape
p
FFIEC
ld.
en
though
s
vi
ur
:
:
ermiss
l
Pis
//
//
p
o permit
e
tr
proliferation
i
um
t
ti
i financia
i
din
e
e,
nticati s
red
thandbook.ffiec.gov
thandbook
er
,
affic
Financia
i
ve
pant
d
from
A
and
")
o
o
techno
cons
offer
Screen Customer
D
transpm·ent
er
,
th
u
n
uth
in
g
in
l
ecosys
offered
.
A
l
method
a
a
t,
s
Institutions
io
e
of
s the
th
permissioned, for
ta
nd
s
u
s
e '
the
and
titution
s
scree
hould
and
authentication thentication any
o
umer
nti
consumer's
tore ned
the
e
l
of
are
authentication egal Access
improvements
n
l
imp
l
trusted
co
data
cat
ogy.
.
l
ins
47 consumer
credentials,
Scraping.
ffiec.gov whether
cost
tem
use
data
co
Exchange
lar
and
n
n-scraped
and
a
i
s
s
o
s
lemented t
of
FFIEC
rights
A
be
itutions
n
n
consumer
to
umer
are 's
ge
aggregator
,
s
uth
them
incre in
l
Needless
and
consum
refer
um
Te that
oad
the
commensurate
infra
l
auth
int
y
Examination
an
in
not
/ /
e
m
m
c
.
e
t
a
e
nticati
account
an
the hnol
effic protection
E
h
ed ed
ases
r
l
is
continues
rm
or
s
guidance
data
In
to
e
i
st
's
e
l
Screen
m
gned
ec
have
without
nticate
protocol
institutions
i , i
to
Int
pr
a/5400
a/
ava
ructur
pott
con
c
e
sat
to
with
ab
ade
addition,
account
tr
e
's
reso
og
reden
i
di
offer
e
r
o th
th
e
to
se
rnet
i
o
ni
ility
credentia thi
nt
c
i
i
aries
s
i
e
tain sfy
la
e
al
n T
on
e
r
rvice
es: c
well
ur
say,
po
th
e
mplo
ac
a
s
1
secmity
access
bl e sc
Ba
the
d
/
i
ces
Bankin
t
e
these 04-25-
s the
the pr
prim
ec
i
r
i to incre
e
the
e s
to
of
Cou
t
rapin
("OFX
s
a
nkin
ta
w
ntials
Co
to consumer
limit
in
/
of
multip
act
l
to
give
s
aware hno
3456
b
the
s
id
l
access
incr
i
se
yed
n
, forma
n
ased
are th
financial
m
ena
mpani
for
e verifying ncil
g E g
t
ary
ee
data
eed
i l
g
n
ases
h
credentials
11
t
s.
ntity
ce
g
a
l
e
ec
hi the
n
s
/ Envi
e
ease
rketplace
og
risks
d
occ
d td
requ
b
one
iti
ble
n
r "
u
g
these co
06-28 hn le
focus
efe
by
viro
eing
on
).
for
of
to ("F
se
ie
1
ve
tion
h t
aggrega
o
th
the risks
-bul
es r
6
n
accounts
of
o
s
co
on
New
r
the
transition
of u
i
the
the as
ir
e
in
s
nm
r
:
l
FI
to tse
s
a
customer
s
ogy.
affic umer
th
-
ed
m
in
n
held consumer's
customers
costs
i
to
Authentication
s e
data
11
the
two
more
sc n
2005
EC")
e
on
s
e
consumers.
ignific
a
l
u
n
s
as
s
princip
nt
um g
n
f,
t
titution'
t
th vironme
in
reen
se
today
t
access
to
o
-
so
t
obtain t
(A
Application
(Oct.
a
identity
load
ors o
ec
g
e
by
-
throu
approaches:
bu
u aggregator
ers
nd
of 35.p
for
the
l
ciated
u
se
pra
for e
has
consumer
hnique
g.
ll
scraping
a differ
from
screen scrap financial
et
th
informati
to
l
nt
12
in is mana
df
tha
8,
bt
consumer's
e
ct
in
techno
th
gh
ereby
publi
and
s
co
,
ef
nt.
that
2001)
obta
ain
to
i
ri
at accounts.
2005),
authentication
ce
t
with
and
of
n
fi
sks,
that
sc
e
s
New
gets
obtain
s
cons
gi cien
n
As
t
of
-
the
ume
the
re
in
hat
s
refers in
t
s
Pr
n
or supplement
o
hed
l
avai m
such
en
en
ogies
the
marketplace sc
account s
use
co
envi
bt
g
o
avai
their
p
noted
titution
t t t
og
consumer's
ay
con
um
techno
n
other institution
the
r
titi
ree i
laced
ain
ll
ts
l
sc
. in
ec
ab
th
guidance
financial
48
rammin
produ
l
ect
fmancial
affect
data
ab
r
to
er.
es
as
raping
g
s
The
infr
n
e
hniqu
l
onment,
technique
are
e~
data
access
umer
The
l
or
i
e~
above,
how
consume
sc
tokenization
in
ng
onto
l
s s s
Also
that
astruc
ogies
agg
rapin
requirements.
h
bei
Federa
cts
combined
t
t -
through
h
ow
h
p
es
h
g
an
e
data to
ou
r
e
n o
r
d
to,
the a
on
eva
the Interf
ega
institution
data
such
r
as
g
nd
d ata
i
g
th
a
ld
ture
n
l
s
scrapi
ike
r
and
and
more
e
l
noted lent
order
screen
ti
access
's
u
f
.
on.
t
r pdf
se
,
aces
as
o
t
o
hi
and
the
m
; n
IP
s
g
ap havin practice
other Map efficient, thou data. enable with
49
modern to a sys
In sec that OAuth
be
li regarding
i
nfmmation
nd
a
pli
for
See,~'
bilitie
addition,
enforced,
t
ure
2.
3.
e
a
API
s
s
cations.
m
a
uthori
and
g
companies.
that
i
n
s
than
implementation.
AP
permissioned
as
asked
Legal
ubiquitous OFX readable? must
e
responsibilities
W
We
Ubi
authentication
technologies
s
through
a
n
in s
and
gi
e
an
common by
consumer-permissioned
consumer,
I
TC
offinancial
quity:
za s.
the
believ do
neer
s
we
u
the
creen
which
authentication
c
H
tion
only
s
sc
Risks:
An
o
OFX API
ing not
software.
Whit
ntract
belie
alable
s
CFPB
OFX
.
API
e
techno
Ar
An
commonly
b
enough
for
refer
sc
the
e
exampl
creates
is
e
p
ve
e
li
raping,
How
a
and a
regardless
to
API
a
for
p
eve
a
platfonn
i
existing
in
t
for
TCH
s
e
th
ec
issue
that
s
data
s
r.
the
st
In
l
for
ub
to
ir
ogies,
APi
hnology
need a
th ituti
should
that
to
e
the
d
areas
addition
particular
se
a
technolog
mark
extent
e
d
party
tran it
of
Whitepap
technical
meet
se
a
t
s
known
CF
o
s.
can
marketplace
ta
of
faci
tra
are
an
t
n
over
suc
of
s
s
of
for
et
P
agg
Apat1
mi
th
th
n
API
B in
s
the
data
permissib lit
to
be
whether
pl
ex
sfer
h
uch
e
r ,
e
ss
o
improv
today
shoul
ace r
a
OFX
t
sys as
data.
tr
obtain
marketplace ega
r utin
h y
implemented
t
ion
definition
e
o
es
standa
e e
that
a
access
r
in
from
as
APis
utine
m
t
United
nd
participants
pr
tor
e
the
es,
s e
d
it
m
's OAuth
s
pecification
ov
l
has
participan
tandards
the
s
e
y
authorization
s
issue
s t s
1
its
l
method
ment.
protocol
transfer
7
technical e
l
to can and
rd
preval
ide
at
ha
and
b
consumer
co
been
s e
obtain
States.
y
of
s as
s
t
to
easily
n
OAut
t
t
would
ex
are
ec
and
l
su
data
stan
in
ega
OFX
meet e
robu
s
have
i
hnic
insetied
nt
s st
m s a s
of
easy
of
multiple
hould
t
s
limitation
th
and
ing
l
er
dard
h tha
in
nd consumer
OFX
be
i
when
clarific
obtaining
s
,
provide
e
n a n
a
the
financia
r
t
and
permit
not
t
l
technolo
equires
t
CFP
la
echnologies
to
analysis
in
tool
s
s
s.
ha
tore
r w tand
machine
s
definition
ema
into
impl
rec
been
it
erte
s
consumers
While
and
s
ways
B
s
at
b
s,
for
all
ards
omme
reque
the
ee
a
i
in
clarify
d
the
o
l
technical
e
financial
consumer
the
far
gy
updated
regulation.
n
n
m
data?
of
int
data
free
building
s
tran
and
.
incorporated
ent
OFX
software
readable
today.
th
more
o
th
st commonplace
E
nd
of
mechanisms
at
in
code
xisting
e
sfer to
that
legal
b
standards
s
have
machine
l g
y
are
ega
can
the
c
to
data
expe
technology
institution
secu
l
a h
of
finan
software
Goog
that
ri
n
su
ave l i l
u
of
format
b
eeded.
fy
transfer
se
e
ss
r r
pport
co
e,
ts
many
uses
more
u
c
l
access
by
of
upl
ega
l
cannot
ial
es
e
to
49
ed
all
l
or throu
fall
potentia T consumer consumer Consistent position would customers s and this decisions, mandate affo th gove co cou under any provide o ca c consumer Dodd-Frank so se
in
uch
un
pp01tuni
hi
e
sti
p
ttin
phi
nc
ir
ab
l
s
4
5.
6.
within
rd.
e
other
d
a
question,
tuti
erns
rning
.
would
n
anangements
g c
n
st
g
iliti
clarify
written
u
t
h
d
b
ic
budg
Applicability
Section
F
apply?
We
consumer
th
Cons
stome Cost:
on.
marketpl
One
l
e
their
s
innovations
all
wo
in
at
es
int
ey
w
ty
easi
that third
fmancial fin
requests
s
different
consumer
i
anc
the
with
hich
uch
on,
believe
d
uld
work
The w
e
to
e
be
um
of
ata
Act.
rpr
a
the
ts
r
banking
l
ith
contracts
in
lvfust
nci
i
s,
bank
y
sco
pro
a
,
w
partie
t
1033 t
c
as
ers
ransferred
e
l
he
da
and
creating the
t
order
and
ace,
company r
scope
r
ill
tation hat
a
institution
ea
a
has
es
pe
v
The
l
how
ta
t
foundati
a
s
that
are
h
i
te data
product
be
TCH 1033
pect l
de
cross-purposes
imm
in
ave
evels
a
will provide
s
of
protection,
co
Data elemen
of
th
the
.
d
technologi
to
covered
ab
fully
s
their
e
d
mp
of
much
Access
is
i
the
betwe
con
To
t
s
ata
from
atu
a s a
to t
ensure t
l automatic
ediate
incen
r
data
right ransfe comment
that
e
sect
es
that
of
a
Elements:
to
the
consumer
s
th
t
to o
n
s t
and
a
atutory
t
v
umer
d
ult
e
nal
y
s
nd
access capabi
pro
eir
e
i
e of
the
ion
their
provide
i
the
ews
fall
tives
lin elements
t
r
s s s n
Right:
extent
e
to
l
o
eceives
in
r
y
ntity
se
o
a
p
v
questions
the
c
h
es
of
eate
access
il
th consumer
s s s
access? t
u
rivacy
ide
sect
10
monthly
a
a
r
ransfe
w
e
to
stomer's
.
consumer
v ll t
er
sav l
to
liti
for
nt
a ri
etter, hould
to
3 ithin
bank
i
a
Fo
ces.
in
d
ght
m the differing
3
co
right
ll
i
that
services
What
the
a
on
o
es
To
their
in
and
st
of
akes in
r
that
n in
be
n
co
th
tT
and
gs
ex
ituti
CF
s
for
to
st
t
the
st
a
10
how
whom CF
th
s
ed
The
at h um
n
ha
fo
transferred/or
nd
of h
itution
uch
itution
ample,
undertaken e
tools,
s
access at
are
r
customers'
e
PB
33
data,
ome
1
ava
r
i
co
p
ve
e
data
ons
PB
8
to
section
cos
s
e
financial
D
access
qu
the
e
sec
eve
tent
cost
r
t
CFP
level
n
r
co
o information
's
o
other a
o the
so
il
's
su
does
est t
dd-
retaining
n
th mort
ab ti
n
be
s
comprehensive
sec r
third
financi
a
o
s,
n
,
, go
mer
type
certain
o
s
th
nd
a
f
to
B
e
a section
or l
um s
we
co
n ca
re
Frank
ir
e
th
l
timely
e
and
urit
al
10
of
s
in
section
financi
in
gage
1033 ir
conductin
to
ga
mmonl
u
hould customers.
e
on
's
product
er part
do
in
to
se s
33
finan
and
vest
infmmation
data
y.
tran
rdle
tituti
th
a
dat
en
right
a
full
l
pr
free
financial
t
not
the e
Act
consumer
h
y
data
p
1033
su
ofthe
We
cost
b
i
amount
a
omote
smission
e
ss
customer.
in
s
ayment
a c
be
to
under
asis.
o
y
1033
re from
va
l i
compliance
provided,
believe
incentive
n
a
to
of
to
of
n
emp
manageme
or
ensure
believe
l
s
careful
g
plus
begins
ew
lu
that
data
data
t right
the
ident
size
access
assessments
Dodd-Frank
hat
serv
e
innovatio
ofthe
sec
a d a
l
institutions
and
of
of
oys
to
could
those
right
basis?
consumer
of
ob
via
elements
that
a
i
ic
ti
the i
their t d
ffere
their
when
fy
nd
in
Such
o
th
on
e p e
i
ata
t
t
it
a
t
sho
nnovative
o
a
h
access their
Dodd-Frank
at
data
all
i approaching
with
data
nt
a
s
technical
of terms
section
entities
con
n
a
ro
1033
hould be
t
r
n
the
in
uld
c
egar
n
custome
that
data.
t
t
vider.
access entities
an
the
ools,
ustomers
s
vest
financial
aggregators
ti
of
Act
agg
the
that
in
offer
or
CFPB nue
expansive include
of
of
di
data.
financial
ment
may
have
1033
r
ng
In
s
l
any
the egator
.
aws
u
a
to
d
t
r
that
c
the
One
h
one
h
Act
e
an
ir
as to obtain the consumer's data and provides the data aggregator with the consumer's credentials to enable the data aggregator to screen scrape the consumer's data or obtain the data through a structured feed, like OFX. In each case, financial institutions provide the consumer's data to data aggregators at no cost. Data aggregators, however, charge the original requesting company a fee to obtain the data that the data aggregator obtained for free.
These marketplace characteristics are at risk of rent-seeking behavior at the expense of the consumer's best interests. The cost of the consumer's section 1033 data is completely dependent on the revenue and profit requirements of the data aggregators. In addition, the market could further fracture (for instance, through the emergence of a new class of data aggregator that specializes in personal investment data) and lead to elongated chains oftransfer and subsequent "value additions" by companies in the chain of transfer, with the result that consumers may face spiraling costs to obtain their data under the consumer right to access their data in section 103 3. We believe the cost dynamics of the marketplace are not in equilibrium, and that the 1033 data elements should be transfened either for free or at cost to the consumer. In this way, consumers never pay more than cost to obtain their data, no matter how long the chain of transfer has become, and market patticipants will not be incentivized to charge for the data or make "value additions" to the data that are intended solely to capture revenue. Moreover, the CFPB should through advisory opinions and guidance address how to impose that stmcture equally across all market participants, so that if any market patticipant is entitled to charge cost for the production of data, then all market participants in the chain of transfer are entitled to charge cost for the production of data.
We recommend that the CFPB continue to work with industry, consumer, and regulatory stakeholders in an open and transparent manner to continue to inform the CFPB on issues specific to section 1033, inclusive of the questions above. While we believe that the CFPB should follow the recommendations above prior to considering whether to impose any new regulations or binding standards under section 103 3 of the Dodd-Frank Act, we recommend that the CFPB formally begin consultation with Federal banking agencies (such as the OCC) and the FTC under section 1033(e) of the Dodd Frank Act. In patticular, the Federal banking agencies would be able to share their perspectives on safety and soundness, reputational risk, and trust in the banking industry with respect to practices in the consumer financial data services marketplace.
19 Conclusion
Once again, Capital One would like to express its appreciation to the CFPB for formally and publicly examining important developments in the market for consumer financial data. We hope that the comments and recommendations provided in this letter are useful to the CFPB. Please do not hesitate to contact the undersigned for any reason.
~~~~ Andres L. Navarrete, Executive Vice President, External Affairs (703) 720-2266
cc (by email):
Don Busick, SVP, Digital Product Management Rebecca Heironimus, VP, Digital Product Management AI Ciafre, MVP, Regulatory Relations Sebastian Astt·ada, Senior Director, Regulatory Relations Eulonda Skyles, Director, Regulatory Advisory
20