Comment to the CFPB on consumer access to financial records

I would like to thank the Consumer Financial Protection Bureau (CFPB) for giving us the opportunity to comment on their Advance Notice of Proposed Rulemaking regarding Consumer Access to Financial Records. Akoya was founded to address the issues caused by credential-based data aggregation, a.k.a. screen scraping, and ensure consumers can use financial applications and services with safe, secure and transparent access to their financial data.

Our comment to the CFPB, which can be found here on the Federal Registrar, outlines why we must ensure that a consumer can control access to their financial data and that their accounts are protected. Specifically, we believe removing login credentials, typically usernames and passwords, from data aggregation is critical in making the financial industry safer and more secure.

We recommend that if the CFPB decides to move forward with a rulemaking under Section 1033 of the Dodd-Frank Act, the following principles should guide the CFPB’s actions:

• Consumers must be able to instruct and give direct authorization to their financial institutions to permit access to their data. Moreover, a financial institution should be able to direct how a fintech or aggregator can access authorized consumer data.
• Financial institutions should display to consumers what type of data is being accessed and by whom. Financial institutions should also provide a mechanism for the consumer to easily monitor and revoke the access on an ongoing basis.
• Fintechs and data aggregators should obtain explicit and informed consent from consumers in order to access their data, and that consent should clearly define what data are allowed to be further shared and for what purpose. They should also be required to provide consumers a means to revoke their consent at any time.
• All parties accessing and holding financial data must be held to the same strict security and privacy standards.
• Any regulation should include standards governing liability. This should be based on the principle that whichever entity causes the harm (such as through data loss, compromise, misuse, or other security-related incident) should bear the liability and be held responsible for the risks their activities introduce into the system. This should include liability for unauthorized transactions.

While it is inspiring to see the amount of innovation within financial services that has occurred these past few years, the time has come for both government and the marketplace to ensure there are protections in place for both data security and privacy. We look forward to working with all parties across the data-access ecosystem to make data aggregation as safe and smooth as possible.

Read our comment