On November 17, 2016, the Consumer Financial Protection Bureau ("CFPB" or "Bureau") held a field hearing in Salt Lake City, Utah, and published a Request for Information ("RFI") regarding access to consumer financial account data. Through the RFI, the CFPB is seeking information regarding consumers' ability to access, control and share personal financial data relating to them in a usable electronic form. Such access includes access by a third party authorized by the consumer in connection with a product or service offered by the third party (i.e., "data aggregators").

The CFPB states that it has authority to issue the RFI under Section 1033 of the Dodd-Frank Act, which requires that consumers be able to request "information in the control or possession of [a] covered person concerning the consumer financial product or service that the consumer obtained from such covered person, including information relating to any transaction, series of transactions, or to the account including costs, charges and usage data."1 Section 1033 further provides that this information "shall be made available in an electronic form usable by consumers."2

In prepared remarks delivered at the field hearing, CFPB Director Richard Cordray summarized the goals of the RFI. Specifically, the Bureau wants to learn: (1) the extent to which consumers authorize access to financial records; (2) how safe and secure the sharing of financial records is, or can be; and (3) how much control consumers have over financial records pertaining to them.

The CFPB states that it plans to use responses to the RFI to determine whether the agency will issue guidance or engage in rulemaking with respect to data aggregation and consumer access to information. Any such guidance or rulemaking would have to address complex issues related to data security and unauthorized account access.

The CFPB encourages a wide range of commenters to respond, including bank and non-bank consumer financial service providers, consumer reporting agencies, data brokers, technology firms, consumer groups and regulators. Comments are due 90 days after the RFI is published in the Federal Register.

The RFI contains 20 questions about current market practices and potential market developments with respect to companies that offer products or services that utilize financial account data with the permission of the consumer. These include:

  • What types of products and services are currently available?
  • What are the benefits of these products and services for consumers?
  • How many consumers use these products and services?
  • What are the security and other risks associated with consumers permitting access to financial account data?
  • How do consumer financial account providers evaluate aggregators to ensure they meet security requirements before providing them with account information?
  • How do data aggregators and other service providers access, store, use and share consumer financial account information?
  • What is the current state of competition among companies providing these products and services?
  • What obstacles do data aggregators and other companies providing these products and services face in carrying out their business?
  • Do consumers understand these products and services and have the ability to control what companies and financial institutions do with data relating to them, including the extent to which entities may retain data?

During the field hearing, a panel of industry representatives, including representatives of bank trades and technology firms, and consumer advocates discussed the benefits and challenges related to data aggregation services. Panelists identified benefits such as encouraging and automating good financial habits and savings; avoiding unnecessary fees; promoting sound investment strategies; and providing account verification and fraud reduction services. The challenges identified by panelists included data security, consumer control and liability for unauthorized use of financial account information and technology standardization of different legacy systems for efficient sharing of information. Panelists also discussed the desirability of innovation and competition in this space.

We will continue to follow the CFPB's work on consumer access to financial data and data aggregation products

ervices, including any initiatives resulting from this RFI.


1 12 U.S.C. § 5533.

2 Id.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP. All rights reserved