Compliance Blog

Nov 13, 2017

CFPB Issues Consumer Protection Principles on Data Sharing

In the wake of the Equifax breach, data security has been on everyone's mind. Various stakeholders have come together to see that the industry is held responsible – everything from punishing the guilty to establishing nationwide data security standards is being suggested. With most of the conversation focused on what industry can do to improve the situation, the CFPB has come forward with a consumer-focused approach to data security and sharing. Last month, the CFPB issued its Consumer Protection Principles: Consumer-Authorized Financial Data Sharing and Aggregation.

The CFPB recognizes the importance of financial institutions and the vital role third-party financial service providers play in the market. Those companies that use financial data to provide consumers with financial management tools, account verification, fraud prevention and other services need access to information in order to provide those services. The CFPB stresses that companies need to keep their consumers in mind when designing their information sharing policies. "Consumer interests must be the priority" and "a common understanding of consumer interests is essential so that effective consumer protections can be integrated consistently into [the] market." The Principles are intended to provide that common understanding and a framework for protecting consumer interests as data is shared between market participants.

The nine principles are:

  1. Access: Consumers should have access to information about how they are using financial services and products. Financial institutions, or other service providers, should provide the information requested in a timely manner. Account agreements, or other user terms, should promote access to information.
  2. Data Scope and Usability: Information that consumers have access to should include transaction data or other usage data; account terms, such as fee schedules; costs, such as interest paid; and benefits, such as interest earned. Information should be provided in a readily usable format.
  3. Control and Informed Consent: Consumers should control their information. Financial institutions, or other service providers, should fully disclose, in an understandable manner, account terms relating to the access, use, storage, and disposal of information. Consumers must give prior consent before third parties may access their information and consent may be revoked at any time. Revocations should be implemented in a timely manner and include deleting information when the consumer makes such a request.
  4. Authorizing Payments: Authorization to access information is not authorization to initiate payments. Financial institutions, or other service providers, should obtain separate authorizations for these two activities.
  5. Security: All information should be accessed, used, stored, and distributed in a secure manner that mitigates the risk of data breaches, transmission errors, unauthorized use and fraud. Security procedures should be updated frequently.
  6. Access Transparency: Consumers should be informed of each third party that has access to their information, what information that party has access to, and how that information is used.
  7. Accuracy: All information should be accurate and consumers should always have a means to dispute and resolve inaccurate information.
  8. Ability to Dispute and Resolve Unauthorized Access: Dispute resolution procedures should cover instances of unauthorized access, sharing or payment as well as failures to comply with the terms of a consumer's authorization. These procedures should be reasonable and practical and should not require consumers to identify the parties at fault. Parties at fault should be held accountable.
  9. Efficient and Effective Accountability Mechanisms: All parties involved – those that use, share, store, or dispose of information – should have similar goals and work together to enable secure transmission of information and deter misuse. Each party should be held accountable for failure to do so.

While these Principles provide a framework for financial institutions and third-party service providers to follow, it is important to keep in mind that they are not binding. The Principles are also not meant to replace or interpret any current regulations on data security. Rather, they may assist credit unions in making decisions on how to use and share information, and in determining a course of action in dealing with their members or other financial institutions in situations the regulations do not directly address.

The FTC has also put together a few resources on data security that credit unions may find helpful: Start with Security: A Guide for Business and Protecting Personal Information: A Guide for Business. Again, these are not binding, but they do provide some key principles that credit unions may want to consider when assessing their data security programs.