InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Federal Reserve Governor Calls for Collaboration Between Regulators, Banks, Data Aggregators, and Fintech Firms for Financial Data Sharing Standards
On November 16, Federal Reserve Governor Lael Brainard spoke at a fintech conference sponsored by the University of Michigan regarding consumers’ right to understand and control how their financial data is used by third-party aggregators, and in developing fintech technology. “There's an increasing recognition that consumers need better information about the terms of their relationships with aggregators, more control over what is shared, and the ability to terminate the relationship,” Brainard noted. “Consumers should have relatively simple means of being able to consent to what data are being shared and at what frequency. And consumers should be able to stop data sharing and request the deletion of data that have been stored.”
Brainard emphasized that regulators, data aggregators, bank partners, and fintech developers should jointly develop a common, consistent message for how customer data is shared and protected within the fintech space and “other areas experiencing significant technological change.” As previously reported in InfoBytes, on October 18, the CFPB issued principles concerning the security and transparency of financial data sharing when companies—including fintech firms—get authorization from consumers to access their account data that reside in separate organizations to provide products and services.
Missouri AG Announces Investigation Into Tech Company’s Privacy Policies and Use of Consumer Data
On November 13, Missouri Attorney General Joshua Hawley announced that his office has issued a civil investigative demand (CID) to a major California-based technology company as part of an investigation into suspected violations of the Missouri Merchandising Practices Act and the state’s antitrust laws. The investigation is focused on certain business practices, including, with respect to privacy issues, the company’s collection, use, retention, storage, sale, and dissemination of information and data about its users and their online activities. The CID requests documents and communications related to, among other things, (i) the company’s privacy policies; (ii) the collection and sharing of data that constitutes “personal information” related to the company’s users; (iii) disclosures concerning the collection of consumers’ credit or debit card transactions; (iv) data the company discloses or shares with third parties, and the identification of third-party partners; and (v) how the company tracks users’ online activities. The company has until January 22, 2018 to comply.
OCC Issues Updates to Risk Management Principles
On October 20, the OCC released modifications to its risk management principles for new, modified, or expanded financial products and services (collectively, new activities). Bulletin 2017-43 rescinds OCC Bulletin 2004-20 and section 760 of the Office of Thrift Supervision Examination Handbook. The Bulletin provides guidance on risks in the following categories: strategic, reputational, credit, operational, compliance, and liquidity. The Bulletin also outlines the main components of an effective risk management system, such as the need for:
- “adequate due diligence and approvals before introducing a new activity”;
- “policies and procedures to properly identify, measure, monitor, report, and control risks”;
- “effective change management for new activities or affected processes and technologies”; and
- “ongoing performance monitoring and review systems.”
According to the OCC, the sophistication of a bank’s risk management system should be commensurate with the bank’s size, complexity, and risk profile. Further, “bank management and boards of directors should understand the impact of new activities on banks’ financial performance, strategic planning process, risk profiles, traditional banking models, and ability to remain competitive.”
CFPB Issues Principles Concerning Security and Transparency for Financial Data Sharing and Third-Party Aggregation
On October 18, the CFPB published guidelines entitled “Consumer Protection Principles” (Principles), which are “intended to reiterate the importance of protecting consumers” when companies, including “fintech” firms, banks, and other financial institutions, get authorization from consumers to access their account data that reside in separate organizations to provide products and services. Earlier this year, industry groups responded to a CFPB request for information and weighed in on the benefits and risks associated with consumers authorizing third parties to access their financial and account information held by financial service providers. (See previous InfoBytes summary here.) Along with the Principles, the CFPB published a summary of stakeholder insights, which highlights the feedback received by the Bureau. Separately, on October 16, Senator Edward J. Markey (D-Mass.) sent a letter to Director Richard Cordray raising concerns about data security during the transfer of consumer data to third-party aggregators and highlighting the need for transparency concerning the use of the data.
The Principles address the following areas: (i) data access; (ii) data scope and usability; (iii) control of data and informed consent; (iv) payment authorizations; (v) data security; (vi) transparency on data access rights; (vii) data inaccuracies; (viii) dispute rights and unauthorized access resolution; and (ix) mechanisms for efficient and effective accountability.
Notably, the Bureau recognized that there already exist statutes and regulations that apply to consumer protections in this market. As such, the Principles “are not intended to alter, interpret, or otherwise provide guidance on—although they may accord with—the scope of those existing protections,” and therefore do not establish “binding requirements.”
CFPB Takes Action Against North Dakota Payment Processor for Alleged Unauthorized Withdrawal Practices
On June 6, the CFPB filed a complaint against a North Dakota-based third-party payment processor and two of its senior executives for alleged violations of the Dodd-Frank Act’s prohibition against unfair acts and practices. Acting on behalf of its clients, the payment processor transferred funds electronically through a network called the Automated Clearing House, and in the process, according to the CFPB, the payment processor “ignored numerous red flags about the transactions they were processing, including repeated consumer complaints, warnings about potential fraud or illegality raised by banks involved in the transactions, unusually high return rates, and state and federal law enforcement actions against their clients.” The CFPB contends that the defendants failed to: (i) heed warnings, including federal and state enforcement actions taken against the defendants’ clients, from banks and consumers regarding potential fraud or unauthorized debits; (ii) adequately monitor and respond to “enormously” high return rates; and (iii) investigate “red flags” throughout its clients’ application processes that “should have caused it to… perform enhanced due diligence prior to accepting a client for processing.” Regarding the individuals’ involvement in the allegedly unlawful activity, the CFPB’s complaint alleges that both engaged in unfair acts and practices by “actively ignoring” a number of red flags associated with the payment processor’s business activities. The CFPB’s complaint seeks monetary relief, injunctive relief, and penalties.