The Consumer Financial Protection Bureau (CFPB), the federal agency established in the wake of the financial crisis by Dodd-Frank that has jurisdiction over a variety of financial services providers, made news this week with a major update to its outlook on fintech innovation and consumer data access that could affect the entire financial services marketplace.
On Sunday, in a keynote address at the Money20/20 fintech conference in Las Vegas, CFPB Director Richard Cordray announced that consumers own the right to control access to their personal financial data, including granting such access to third-party applications. A day later, the CFPB released an official update on Project Catalyst, its ongoing effort to proactively engage financial services innovators. Together, these actions represent the busiest week in recent memory for the CFPB on fintech.
Here’s everything you need to know about the recent developments.
What exactly did Cordray say?
Cordray made several points, including:
- The CFPB aims to be on the side of innovators and in many ways, shares their ethos. As a relatively new agency, the CFPB itself aims to be tech-forward, such as by opening its tagged database of over a million customer complaints through an API.
- Fintech firms must adhere to the same standards as “traditional” financial institutions. Recent enforcement actions against fintech providers should not be misconstrued as explicitly targeting fintech, but as applying the same scrutiny to newer digital providers of valuable consumer financial services as the CFPB applies to banks. Deceptive conduct by either type of institution will not be tolerated.
- Innovation in fintech has substantial potential to benefit consumers—and in many cases, already is. Two areas explicitly called out were increasing credit access for un- and underbanked consumers and creating new tools to control spending.
But the headline-grabbing announcement came near the end of the director’s speech. Noting that many promising fintech services rely on consumers’ ability to permission access to personal financial data, Cordray said, “Let me state the matter as clearly as I can here: We believe consumers should be able to access this information and give their permission for third-party companies to access this information as well.”
Further, the director noted that the CFBP is “gravely concerned by reports that some financial institutions are looking for ways to limit, or even shut off, access to financial data rather than exploring ways to make sure that such access, once granted, is safe and secure.”
What is Project Catalyst?
Project Catalyst is an undertaking announced by the CFPB in October 2012 that aims to promote consumer-friendly innovation. It is not limited to fintech firms, though in practice, digital-first companies have been a large focus.
Key components of Project Catalyst today are:
- Office hours: The CFPB regularly travels to engage fintech providers on their “home turf,” holding meetings in Silicon Valley and New York to understand the most recent ecosystem developments.
- No-action letter policy: For fintech providers considering a product or service that falls into a regulatory gray area, the CFPB can review the proposal and confirm the agency’s intent to take no regulatory action. (Many providers have been reluctant to actually embrace this tool; CFPB no-action letters are not guaranteed, nor do they necessarily preclude state or other regulators from taking enforcement measures.)
- Trial disclosure waiver program: Invoking subsection 1032(e) of the Dodd-Frank Act, the CFPB allows companies with its permission to test innovative presentations of federal disclosure documents that may have been designed for a non-digital world.
- Research collaborations: Working with private firms such as American Express and H&R Block, the CFPB has occasionally run pilot collaborations to test the efficacy of novel approaches to important consumer financial problems, such as how to use tax refunds to build savings.
This week’s report outlines the Project’s activities and progress to date, and paints a rosy picture of “innovation highlights” in eight specific areas of high potential for positive impact. Among these areas are improved credit assessment, student lending and refinancing, peer-to-peer payments – and yes, consumer financial data access.
Why does all of this matter?
Cordray’s statements on consumer data access are the clearest indication yet that this is an area of regulatory interest for the CFPB – critical to protecting innovation and competition that benefit consumers. Section 1033 of the Dodd-Frank Act grants consumers a right to access personal financial data “in an electronic form usable by consumers” – but the CFPB has yet not yet regulated on this section.
The comments further confirm that public conversation has shifted from whether consumers have a right to control personal financial data, to how to securely and efficiently permission this access. Recent whitepapers by the Center for Financial Services Innovation (CFSI) and Plaid are among the first and most authoritative attempts to answer the crucial question of how to best permission access.
More immediately, it’s clear that institutions that generate personal financial data will need to carefully consider how the director’s comments apply to their own approaches to data access. While more and more institutions have embraced thoughtful permissioning of data access as an opportunity to deepen their customer relationships, a small number of holdouts may begin to reconsider their framing and strategy.
Where does the CFPB go from here?
The CFPB isn’t expected to take immediate regulatory or enforcement action on data access – though the former could come in 2017. The United Kingdom’s Open Banking Standard and European Union’s Revised Payment Services Directive (PSD2) offer frameworks for top-down regulatory approaches in other advanced financial services markets that have been well-received.
In the United States, it can be advantageous for all parties if the ecosystem evolves organically – giving individual institutions greater flexibility around exactly how consumer data access is permissioned. But this market-based approach requires banks to be fully on board with enabling secure and efficient data access for their customers. The CFPB’s commentary this week, if nothing else, represents a clear step toward realizing this vision of an inclusive, innovative, and secure digital financial services ecosystem.