Payment Law Advisor Legal Commentary and Resources for the Payment Industry

Consumer Financial Data Aggregation & the Potential for Regulatory Intervention

Posted in Regulatory and Compliance

I. Introduction

A confluence of regulatory activity and policy debates seems to be laying the groundwork for future regulation of consumer financial data aggregation activities. The outcome of these activities could significantly affect how financial data may be shared by financial institutions, controlled by third-party data aggregators, and used by financial technology companies (“fintechs”) in the future.

Last fall, the Bureau of Consumer Financial Protection (the “CFPB” or “Bureau”) brought this issue to the forefront in the United States when it issued a request for information (the “RFI”) on the varied ways that consumer financial data aggregators obtain, maintain, use and disclose consumers’ financial data.[1] The number of responsive comments filed by stakeholders, including financial institutions, data aggregators, fintechs, and consumer advocates, highlights the diverse perspectives that exist regarding the adequacy and application of existing regulations to data aggregation activities. In addition to regulatory scrutiny from the Bureau, at least one member of the Federal Reserve Board (the “FRB”) has stated that the FRB ought to be concerned with data aggregation activities from a bank safety and soundness perspective. At the same time, regulations in the European Union and United Kingdom governing access to consumer financial data are being implemented, both of which provide an interesting juxtaposition for U.S. regulators and companies to consider.

This article provides background information on the growing number of participants involved in data aggregation activities, summarizes the RFI and commentators’ responses, and discusses select regulatory changes in the European Union and United Kingdom affecting the aggregation of consumer financial data. We then conclude with issues that the involved parties should consider in this uncertain regulatory environment.

II. The Consumer Finance Aggregator Ecosystem

For roughly two decades, “data aggregators” have sought to collect consumers’ financial account information from various financial institutions, including transaction, balance, and fee information relating to credit cards, auto loans, mortgages and securities. This data is typically obtained with the consumer’s permission by either screen scraping or application programming interfaces (“APIs”). Screen scraping occurs when the data aggregator uses automated systems to log in to a particular financial institution as the consumer, using the consumer’s own username and password, and takes (or “scrapes”) the account information that is made available online. Because the scraper presents the consumer’s own credentials, the institution generally cannot distinguish the aggregator’s sessions from the consumer’s, cannot limit what data those sessions retrieve, and can cut the aggregator off only by forcing a password change. APIs, on the other hand, allow an aggregator to connect directly to a financial institution’s systems and obtain the desired information through an orderly exchange protocol, under credentials issued to the aggregator itself.[2]

On a separate but related track, “product aggregators” primarily obtain consumer financial product information, as opposed to financial account information, to provide a platform that allows consumers to comparison shop for credit cards, auto loans, mortgages, personal loans, and other consumer financial products from multiple providers.[3] These product aggregators have recently evolved to also aggregate consumer financial data, typically by either obtaining a consumer’s express permission to access credit report information and/or by obtaining a consumer’s username and password to access the online banking portals of various financial institutions via screen scraping or APIs. With this access, the product aggregator can use consumers’ detailed personal financial data to make more targeted and tailored offers for financial products and services to the consumer.

Fintechs are increasingly purchasing and using consumer financial data made available through aggregators in creative ways, for example, to alleviate pain points in personal financial management by providing automatic savings programs, budgeting tools, and investment analysis. Aggregators have also created efficiencies for banks and other financial services providers by providing back-end services, including verification of account numbers, consumer information, and transaction histories.

III. Catalyst for Regulatory Intervention: Diverging Interests Between Banks, Aggregators, Fintechs and Regulators

In 2015, several large banks shut off aggregators’ access to consumers’ financial account information.[4] The banks pointed to a series of concerns raised by the aggregators’ business models, ranging from internal data security and the enhanced complexities that could arise in the event an aggregator suffers a data breach, to operational limitations on the ability of bank servers to respond to an overwhelming number of aggregator data requests. Following negative feedback from consumers, the banks reversed course days later and allowed aggregators to resume accessing consumers’ data.[5]

The CFPB initially showed interest in the sharing of consumer data with aggregators as part of its “Project Catalyst Initiative.” In a report titled “Promoting consumer-friendly innovation: Innovation Insights,”[6] the CFPB stated that consumer-permissioned access to financial data forms the “basis for personal financial management tools and mechanisms [that can] reduce the time to verify consumers’” accounts and provide other consumer benefits.[7] The report notes that the loss of access to consumer data by these third parties “could cripple or even entirely curtail the further development of such products and services.”[8] CFPB Director Richard Cordray reiterated in a speech that the CFPB is “gravely concerned by reports that some financial institutions are looking for ways to limit, or even shut off, access to financial data rather than exploring ways to make sure that such access, once granted, is safe and secure.”[9]

The CFPB subsequently issued the RFI in an effort to better understand the consumer benefits and risks associated with market developments that rely on access to consumer financial account information. The RFI states that its objectives are to: (1) help the industry develop best practices to deliver benefits to consumers and address potential consumer harms; and (2) evaluate whether any guidance or future rulemaking is needed. It remains to be seen whether the RFI will be the CFPB’s opening salvo into future public action, such as the issuance of guidance, regulations, or enforcement actions relating to the sharing, collection and use of consumer financial data among fintechs, aggregators and financial institutions.

IV. CFPB’s RFI on Consumer Financial Records

a.      Statutory Authority to Write Rules Affecting Consumer Access to Electronic Financial Records

The CFPB relies on two distinct provisions of the Consumer Financial Protection Act of 2010 (“CFPA”) for the potential regulation of consumer financial data aggregation activities and aggregators themselves.[10] Section 1033(a) of the CFPA gives a consumer the right to make a request to, and receive from, a covered person electronic records in the covered person’s possession related to a consumer financial product or service obtained from that covered person, including transaction, cost, and usage data.[11] The statute exempts certain records from being provided, including: confidential commercial information; information collected to prevent fraud or money laundering; information required to be kept confidential by law; and information that a consumer “cannot retrieve in the ordinary course….”[12] Section 1033(e) of the CFPA states that the CFPB must observe certain conditions, chiefly relating to consultation with the federal banking agencies and the Federal Trade Commission (FTC), when prescribing any rule under Section 1033.[13]

The CFPB’s authority over data security issues is also based on the prohibition of unfair, deceptive, or abusive acts or practices under sections 1031 and 1036 of the CFPA. The RFI cites the CFPB’s recent data-security case against Dwolla[14] and the FTC’s past data security activities as relevant precedent to generally assert that “[a]n entity’s consumer data privacy or security practices can violate UDAAP standards.”[15] While the CFPB has filed only one enforcement action involving a company’s own description of its data security practices, the FTC has similarly used its unfairness authority (under section 5 of the Federal Trade Commission Act) to regulate specific data security practices.[16]

b.      Concerns & Challenges Expressed in the CFPB’s RFI

In the RFI, the CFPB expressed concern that some financial institutions may restrict consumer-permissioned access to financial records in ways “that undermine consumer interests identified in section 1033 [of the Act].”[17] At the same time, the CFPB recognized that, despite the many consumer benefits of financial data sharing that it seeks to foster, legitimate risks need to be addressed, including data security and privacy.

The RFI’s reference to FTC precedent could indicate the CFPB’s willingness to rely on its UDAAP authority to address problematic data security practices involved in consumer financial data aggregation activities. If the CFPB were to go further and propose rules in this area, that regulatory initiative would be the first use of section 1033 and the first use of sections 1031 and 1036 with respect to consumer financial data aggregation.

c.       Data Gathering: Questions in the CFPB’s RFI

The RFI asks twenty questions on how aggregators operate, including current market practices and how those practices will likely change over time. The following is a summary of the questions posed by the RFI.

  • Product Structures & Use: How many consumers are using these services and what are their characteristics? How is financial and non-financial information used to assess eligibility for products? How are offers based on this data being made and by whom?
  • Provision of Data: What incentives or disincentives exist for companies to provide consumer-permissioned data? Why might companies, consumers or aggregators not provide data, e.g., operational costs, risks, and actual or potential losses, and their specific causes?
  • Data Security: How long is data stored? What security and other risks are incurred by consumers? How are these risks communicated to consumers and mitigated by companies or aggregators?
  • Consumer Understanding: What consumer-facing disclosures are provided? Are consumers told what data are accessed, how often such data are accessed, how such information is used, whether access continues after a consumer stops using a given product, how sharing occurs and under what terms and conditions? Do consumers understand these practices and how does comprehension impact their willingness to consent?
  • Consumer Control: Can consumers control how aggregators use their data, and if so, how? May consumers ask for data about themselves to be deleted?
  • Vendor Management: Do financial institutions vet aggregators before granting access? If so, under what procedures?
  • Adequacy of Industry Standards: Do industry standards currently comply with section 1033? Are they actually adopted by the industry?
  • Expected and Desired Change: How are the current market practices expected to change? How should those practices change?

d.      Responses to the RFI

Responses to the RFI predominantly came from three populations: (1) financial institutions; (2) data aggregators and fintechs; and (3) consumer groups.

  1. Financial Institution Comments. Financial institutions generally argued that the CFPB should define data aggregators as “larger participants” and subject such larger participants to regular supervision. Several financial institutions noted that Regulation E limitations on consumer liability for “unauthorized transactions” should not apply with respect to a bank if improper transactions are initiated as a result of a data aggregator breach or other misconduct. For example, some commentators argued that a consumer who has given an aggregator their log-in credentials has “furnished [an] access device” to the aggregator and thereby assumed any risk from the aggregator exceeding the authority granted to it.[18] Commentators also argued that banks should not be liable for unauthorized transactions initiated by or through data aggregators acting as an “electronic fund transfer service provider” under Regulation E.[19]

Additionally, several financial institutions raised questions regarding when a data aggregator might be considered a bank “service provider” subject to enhanced oversight requirements.[20] Financial institutions also indicated that the Gramm-Leach-Bliley Act (GLBA) should apply to aggregators and fintechs holding consumer data.[21] Noting that Section 1033 standards should cover data security, authentication, and access, financial institutions argued that access to consumer financial data should be limited to aggregators with whom they have contractual privity, and that the data retrieved by the aggregator must be identified and disclosed to the financial institution. Financial institutions also asked whether the financial institution or the aggregator ought to bear the costs associated with compliance, and indicated that while access to data should remain free to consumers, if aggregators are monetizing data provided by a financial institution, some of those proceeds should be routed back to the financial institution. Lastly, financial institutions urged the CFPB to consult with the FTC and prudential regulators before issuing any guidance or rulemaking.

2. Aggregator and Fintech Comments. While the responses from data aggregators, fintechs and their industry groups focused on different issues, one common theme was a plea that banks should not filter or monopolize access to consumer financial information. These companies stated that liability for unauthorized transactions under Regulation E that might result from improper use of a consumer’s access credentials should not rest with aggregators or fintechs, but rather should remain with banks. Moreover, if liability does shift from banks, it should rest with consumers, who assumed the risk involved in using those services. They also argued that aggregators and fintechs obtaining data from banks are not, in the ordinary course, service providers to banks and are not subject to the regulatory burdens associated with bank vendor management programs. When responding to concerns about data security, aggregators and fintechs argued that technology could solve many data security challenges, citing authentication and tokenization protocols as examples.

3. Consumer Group Comments. Comments from consumer groups identified safe and secure data sharing as a goal that should be shared by financial institutions, data aggregators and fintechs. Consumer groups argued that certain privacy principles should govern the sharing of all consumer data, including: 1) the disclosure of aggregators’ data use and sharing practices; 2) limiting storage and use of the data to the specific purpose for which it was obtained; 3) allowing data sharing only where there is authenticated access; and 4) consumer control over data sharing and the right to revoke access. They argued that consumers should not lose Regulation E liability protections for unauthorized transactions when sharing credentials with aggregators, since improper transactions would still be considered “unauthorized” under the regulation. Finally, consumer groups stated that banks should not be permitted to prevent data access for purposes of stifling competition.
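The difference between the two access models described in Section II, and the “authentication and tokenization” and consumer-revocation points raised in the aggregator and consumer-group comments above, can be made concrete in code. The following Python is an added example written for this commentary; it is not code from the CFPB, any bank, aggregator or standards body. The consumer name, password, scope names and signing key are constructed, and the token format is a minimal HMAC-signed claims blob rather than any particular industry standard. It contrasts a password-based login (which grants whoever holds the password everything, indistinguishably from the consumer) with a bank-issued token that is bound to a named aggregator, limited to granted data categories, time-limited, and revocable by the consumer without a password change.

```python
"""Credential sharing versus scoped, revocable API tokens (added example)."""
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

# Constructed sample data: one consumer's online-banking login and the
# data categories an authenticated online-banking session can reach.
CREDENTIALS = {"alice": "correct horse battery staple"}
ALL_SCOPES = {"balances", "transactions", "payments"}


def credential_login(username, password):
    """Screen-scraping model: whoever holds the password gets everything.

    The institution cannot tell an aggregator's session from the consumer's,
    cannot narrow what the session may read, and can only cut the aggregator
    off by forcing a password change. Returns the reachable scopes or None.
    """
    stored = CREDENTIALS.get(username)
    if stored is None or not hmac.compare_digest(stored, password):
        return None
    return set(ALL_SCOPES)


@dataclass
class TokenIssuer:
    """API model: the institution issues a signed, scoped, expiring token
    bound to a named aggregator and keeps a revocation list it controls."""
    secret: bytes                              # hypothetical bank signing key
    revoked: set = field(default_factory=set)  # revoked token ids (jti)

    def issue(self, consumer_id, aggregator_id, scopes, ttl, now):
        """Mint a token after the consumer consents to `scopes` for `ttl` seconds."""
        claims = {
            "jti": secrets.token_hex(8),   # unique id, used for revocation
            "sub": consumer_id,
            "aud": aggregator_id,          # only this aggregator may present it
            "scope": sorted(scopes),       # data categories the consumer granted
            "exp": now + ttl,
        }
        body = base64.urlsafe_b64encode(
            json.dumps(claims, sort_keys=True).encode()).decode()
        return f"{body}.{self._sign(body)}"

    def _sign(self, body):
        return hmac.new(self.secret, body.encode(), hashlib.sha256).hexdigest()

    def _claims(self, token):
        """Verify the signature before trusting anything in the token."""
        body, _, sig = token.partition(".")
        if not hmac.compare_digest(sig, self._sign(body)):
            return None                    # tampered or forged
        return json.loads(base64.urlsafe_b64decode(body.encode()))

    def revoke(self, token):
        """Consumer (or bank) withdraws consent; no password change needed."""
        claims = self._claims(token)
        if claims:
            self.revoked.add(claims["jti"])

    def authorize(self, token, aggregator_id, scope, now):
        """Decide one data request. Returns (allowed, reason)."""
        claims = self._claims(token)
        if claims is None:
            return False, "bad signature"
        if claims["jti"] in self.revoked:
            return False, "revoked"
        if now >= claims["exp"]:
            return False, "expired"
        if claims["aud"] != aggregator_id:
            return False, "token not issued to this aggregator"
        if scope not in claims["scope"]:
            return False, f"scope {scope!r} not granted"
        return True, "ok"


if __name__ == "__main__":
    bank = TokenIssuer(secret=b"bank-signing-key")
    tok = bank.issue("alice", "agg-A", {"balances", "transactions"}, 3600, now=1000)
    print(bank.authorize(tok, "agg-A", "transactions", now=2000))  # allowed
    print(bank.authorize(tok, "agg-A", "payments", now=2000))      # not granted
    bank.revoke(tok)
    print(bank.authorize(tok, "agg-A", "transactions", now=2000))  # revoked
```

Note that the token check verifies the signature before parsing any claims, checks the revocation list before anything else, and binds the token to one aggregator (`aud`), so a token leaked from one aggregator is useless to another. Every property the consumer groups asked for (purpose limitation, authenticated access, revocation) is a field the bank controls here, whereas under the password model the bank has no such handle at all.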

V. From All Sides: Oversight of Data Aggregator Activities as a Safety and Soundness Concern, and Analysis of Regulatory Approaches to Data Access in the EU & UK

In addition to potential oversight from the CFPB, FRB Governor Lael Brainard indicated in an April 2017 speech that the FRB has a stake in overseeing bank relationships with consumer financial data aggregators.[22] She described banks as one of a number of entities in “the fintech stack,” whereby fintechs are able to build upon the core deposit, lending, and payment activities of banks, much like app developers are able to build various applications that use iPhone or Android mobile platforms. Acknowledging current consumer financial data flows from a bank either to an aggregator via screen scraping or API and then to a fintech, or from a bank directly to a fintech via API, Governor Brainard indicated that the FRB has an interest in ensuring the viability and quality of aggregator arrangements from a safety and soundness perspective, presumably along with other prudential regulators.[23]  Governor Brainard noted that the importance of “getting these connectivity questions right, including the need to manage the consumer protection risks, is critically important. It could make the difference between a world in which the fintech wave helps community banks become the platforms of the future, on the one hand, or, on the other hand, a world in which fintech instead further widens the gulf between community banks and the largest banks.”[24]

The prudential banking regulators, and the CFPB, could also be influenced by trends in European banking regulation favoring greater access to and sharing of consumer financial data. Indeed, there is a statutory requirement that any rules issued by the CFPB must “take into account conditions under which covered persons do business both in the United States and in other countries.”[25] In her April 2017 speech, Governor Brainard noted the varied approaches to data access being taken by regulators around the world. For example, in the European Union, rules implementing the revised Payment Services Directive (“PSD2”) proposed by the European Banking Authority would require banks to permit licensed third parties to access consumer bank account information via API and ban screen scraping.[26] And the United Kingdom recently required the nine largest banks to share pricing, fees, and terms information via API this year, and will require open-access APIs for consumer transaction data and payment information in 2018.[27] However, Governor Brainard indicated that regulators in the United States may not be ready or able to implement regulations demanding a similar degree of openness, in part because of the way regulatory authorities are broadly distributed (e.g. between multiple federal agencies and states with jurisdictions over different sectors of the financial services industry and actors within the consumer financial data aggregator ecosystem) and certain statutory limitations that predate the current technology, fintech, and aggregator ecosystems.

VI. Operating in an Uncertain Regulatory Environment in the Near Term

The CFPB’s RFI suggests that only basic principles of contract and limited regulatory obligations currently apply to aggregators, and that individual transactional solutions could provide consumer protections and control identified risks, but might not do so in a sufficiently uniform manner.

While regulatory bright lines might be helpful, participants in the consumer data aggregation ecosystem should consider that regulation could clarify the rights and responsibilities of the involved parties, allow for greater access to financial data, and address data security risk, but could at the same time limit or slow technological innovation. Following are issues that financial institutions, aggregators, and fintechs currently engaged in data aggregation activities should consider in the near term:

  • Trend Towards Bilateral Agreements Presents an Opportunity To Self-Regulate & Identify Applicable Consumer Protection Laws. A trend towards bilateral agreements between banks and aggregators or fintechs presents an opportunity for participants to demonstrate that regulatory intervention is not necessary and that the industry can self-regulate. Key components of an effective self-regulatory system would include, among other things, a degree of uniformity in bilateral agreement terms that accurately reflect the compliance obligations of the parties under applicable consumer protection laws, including GLBA[28] and the Fair Credit Reporting Act.[29] Notwithstanding any ambiguities regarding the application of those laws to aggregators and fintechs, consumers should be provided clear disclosures describing the ways in which their financial data will be collected, used, and shared by the parties, and be provided with a method to control and perhaps stop those activities.
  • Privacy & Data Security Protections are Paramount. With respect to privacy and data security, financial institutions should consider the scope of their duty to monitor and protect customer information, and identify responsibilities that should be placed upon aggregators so that their mutual customers’ data is protected, including limitations on the use, disclosure, and sale of such data. The technology used by aggregators for authentication and data protection should be thoroughly vetted, and the consequences of a data breach should be defined, including who is responsible for providing data breach notifications under various state laws and how liability stemming from a data breach might be distributed.
  • Product Recommendations Using Consumer Data Present UDAAP Risk. With respect to the use of aggregated consumer financial data by product aggregators, companies should consider whether the use of such data creates a perception that products recommended to a consumer by the aggregator have been selected based on the consumer’s individual circumstances. If a particular experience places a consumer in a position of “reasonable reliance” on a product aggregator to “act in the interests of the consumer,” then – to follow the terms of section 1031 of the CFPA – certain conduct by the aggregator, such as product recommendations that are not suitable for the consumer, might be considered “abusive.”
  • Limits on the Requirement to Make Electronic Data Available. The RFI appears to assume that section 1033 of the CFPA grants aggregators, as a consumer’s agent, largely unfettered access to the consumer’s financial data. But section 1033 only grants “a consumer” the right to request records. Recent case law from the Ninth Circuit indicates that a third party’s access to another company’s computer systems without proper authorization may be prohibited by the Computer Fraud and Abuse Act (CFAA),[30] which carries civil and criminal penalties.[31] In Facebook v. Vachani,[32] a social media aggregator attempted to use Facebook’s systems at the request of Facebook users. Facebook attempted to block the aggregator from accessing its site through an IP block and a cease and desist letter, but the aggregator continued to access the Facebook database despite this explicit restriction on access. The court found the aggregator’s conduct to be a violation of the CFAA. The court provided the following analogy involving a retail bank branch to demonstrate the difference between user and agent access under the CFAA:

Suppose that a person wants to borrow a friend’s jewelry that is held in a safe deposit box at a bank. The friend gives permission for the person to access the safe deposit box and lends him a key. Upon receiving the key, though, the person decides to visit the bank while carrying a shotgun. The bank ejects the person from its premises and bans his reentry. The gun-toting jewelry borrower could not then reenter the bank, claiming that access to the safe deposit box gave him authority to stride about the bank’s property while armed. In other words, to access the safe deposit box, the person needs permission both from his friend (who controls access to the safe) and from the bank (which controls access to its premises). Similarly, for [the aggregator] to continue its campaign using Facebook’s computers, it needed authorization both from individual Facebook users (who controlled their data and personal pages) and from Facebook (which stored this data on its physical servers). Permission from the users alone was not sufficient [under the CFAA] to constitute authorization after Facebook issued the cease and desist letter.[33]

The defendants in this case have filed a petition for certiorari with the U.S. Supreme Court to appeal the decision.[34]

VII. Conclusion

As consumer financial data and product aggregation services become more complex and the attendant data security and other risks become correspondingly higher, financial institutions should consider whether enhanced contractual protections and more rigorous oversight of aggregators are necessary. At the same time, aggregators and fintechs might consider supporting this additional level of scrutiny to the extent it is necessary to mitigate identified risks, ensure compliance with applicable laws, and demonstrate that regulatory intervention is not necessary. While there seems to be momentum for new regulations affecting consumer financial data and product aggregation activities, policymakers could permit the currently-developing self-regulatory system to develop and monitor the market for weaknesses before intervening. At the same time, the regulatory approaches being developed in the EU and UK can be viewed as test cases for potential consumer financial data policy in the US.


[1]  Request for Information Regarding Consumer Access to Financial Records, 81 Fed. Reg. 83606 (Nov. 22, 2016).

[2] Direct access to a bank’s APIs typically involves a negotiated, bilateral agreement between the financial institution and the aggregator obtaining the consumer financial records, by which the bank will define the data fields to be shared, identify the technology used to share the data, and obtain rights to exercise appropriate oversight to ensure the aggregator does not pose any undue risk to the bank. This is in contrast to open-access APIs, whereby third-parties are generally able to use a widely available API to access financial data held by a financial institution after consenting to a set of standard terms imposed by the bank.

[3] The CFPB sought information on product aggregators (referred to as “third-party comparison sites”) in its 2017 Request for Information Regarding Consumer Credit Card Market. See 82 Fed. Reg. 13313, 13314 (March 10, 2017) (The CFPB asked the following questions related to product aggregators: “To what degree do consumers understand the benefits and risks of using third party comparison sites? To what degree do existing standards, practices, and disclosures protect consumers from unfair, deceptive, and abusive acts and practices? Where, if anywhere, do opportunities for improvement exist, and how would any such improvements most appropriately be realized?”).

[4] See Robin Sidel, Big Banks Lock Horns With Personal-Finance Web Portals, Wall Street Journal (November 4, 2015), available at https://www.wsj.com/articles/big-banks-lock-horns-with-personal-finance-web-portals-1446683450 (last accessed May 24, 2017).

[5] See Patrick Dehan, Banking, Consumer Groups Battle Over Mint.com, Associations Now (Nov. 16, 2015), available at http://associationsnow.com/2015/11/banking-consumer-groups-battle-mint-com (last accessed May 24, 2017).

[6] Consumer Financial Protection Bureau, Project Catalyst Report: Promoting consumer friendly innovation (Oct. 2016), available at http://s3.amazonaws.com/files.consumerfinance.gov/f/documents/102016_cfpb_Project_Catalyst_Report.pdf (last accessed May 24, 2017).

[7] Id. at 22.

[8] Id. at 22-23.

[9] Prepared Remarks of CFPB Director Richard Cordray at Money 20/20, October 23, 2016, available at https://www.consumerfinance.gov/about-us/newsroom/prepared-remarks-cfpb-director-richard-cordray-money-2020/ (last accessed May 24, 2017).

[10] The CFPA was enacted as Title X (§§ 1001-1100H) of the Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L. No. 111-203, 124 Stat. 1376 (2010) (codified at 12 U.S.C. § 5301 et seq.)

[11] Id. § 1033(a) (codified at 12 U.S.C. § 5533(a)) (“Subject to rules prescribed by the Bureau, a covered person shall make available to a consumer, upon request, information in the control or possession of the covered person concerning the consumer financial product or service that the consumer obtained from such covered person, including information relating to any transaction, series of transactions, or to the account including costs, charges and usage data. The information shall be made available in an electronic form usable by consumers.”).

[12] Id. § 1033(b)(1)-(4) (codified at 12 U.S.C. § 5533(b)(1)-(4)).

[13] While section 1033(a) of the CFPA indicates that a consumer’s right to obtain the class of electronic financial records described in that section springs into effect only “[s]ubject to rules prescribed by the Bureau,” it could be argued that the statute is self-effectuating and could currently apply to covered persons.  When effective, the consumer’s right to obtain the covered electronic financial records is enforceable by the CFPB, state attorneys general, and state regulators. See id. §§ 1042(a)(1) (codified at 12 U.S.C. § 5552(a)(1)), 1053(a)(1) (codified at 12 U.S.C. § 5563(a)(1)), and 1054(a) (codified at 12 U.S.C. § 5564(a)).

[14] In the Matter of Dwolla, Inc., File No. 2016-CFPB-0007, Consent Order (Mar. 2, 2016), noted in Adam D. Maarec & John C. Morton, 2016 Survey of Activities Identified as Unfair, Deceptive or Abusive under the Dodd-Frank Act, Part One, 70 Consumer Fin. L. Q. Rep. 44, 46 (2016).

[15] See RFI at 83807.

[16] See e.g., Federal Trade Commission v. Wyndham Worldwide Corp., 799 F.3d 236 (3rd Cir. 2015).

[17] See RFI at 83809.

[18] See generally 12 C.F.R. § 1005.2(m)(1) (excluding from the definition of an “unauthorized electronic fund transfer” any “electronic fund transfer initiated… [by] a person who was furnished the access device to the consumer’s account by the consumer….”). Comment 2(m)-2 of Regulation E clarifies that if “a consumer furnishes an access device and grants authority to make transfers to a person (such as a family member or co-worker) who exceeds the authority given, the consumer is fully liable for the transfers unless the consumer has notified the financial institution that transfers by that person are no longer authorized.”

[19] See 12 C.F.R. § 1005.14(a)(1) (“A person that provides an electronic fund transfer service to a consumer but that does not hold the consumer’s account is subject to all requirements of this part if the person: (1) Issues a debit card (or other access device) that the consumer can use to access the consumer’s account held by a financial institution; and (2) Has no agreement with the account-holding institution regarding such access.”). But see OCC Bulletin 2001-12, Bank-Provided Account Aggregation Services (Feb. 28, 2001) (noting that, if a bank is accessing and aggregating consumer financial data using a consumer’s login credentials, “it is unclear under the current regulation which party would bear responsibility for an unauthorized transfer” and that in “the absence of guidance, bank management should be conservative when interpreting possible Regulation E compliance obligations in connection with aggregation services”).

[20] See, e.g., OCC Bulletin 2013-29, Risk Management Guidance (Oct. 30, 2013) and OCC Bulletin 2017-7, Supplemental Examination Procedures (Jan. 24, 2017).

[21]  GLBA is applicable to “financial activities” identified in Section 4(k) of the Bank Holding Company Act. A list of permissible banking activities under the FRB’s Regulation Y generally includes processing, storing and transmitting financial, banking or economic data. 12 CFR 225.28(b)(14). The FTC has previously opined that aggregators fall within this definition, stating that this section of the regulation “brings into the definition of financial institution an Internet company that compiles, or aggregates, an individual’s on-line accounts (such as credit cards, mortgages, and loans) at that company’s web site as a service to the individual, who may then access all of its account information through that Internet site.” 65 Fed. Reg. 33646, 33655 (May 24, 2000).

[22] See Lael Brainard, Where Do Banks Fit in the Fintech Stack?, (April 28, 2017), available at https://www.federalreserve.gov/newsevents/speech/brainard20170428a.htm (last accessed May 24, 2017).

[23] Id. (“[I]f agreements between data aggregators and banks are structured as data aggregators performing outsourced services to banks, the bank should be able to conduct the appropriate due diligence of its vendors, whose services to those banks may be subject to examination by safety and soundness regulators.”).

[24] Id.

[25] CFPA § 1033(e)(2) (codified at 12 U.S.C. § 5533(e)(1)) (emphasis added).

[26] European Banking Authority, Draft Regulatory Technical Standards on Strong Customer Authentication and common and secure communication under Article 98 of Directive 2015/2366 (PSD2) (Feb. 23, 2017). The ban on screen scraping appears to be supported by banks but opposed by fintechs. See European Banking Federation, EBF asks Commission to support ban on screen scraping (May 16, 2017), available at http://www.ebf.eu/ebf-asks-commission-to-support-ban-on-screen-scraping/ (last accessed May 24, 2017) (banking trade association supports the European Banking Authority’s proposed ban on screen scraping, equating aggregator logins using consumer user names and passwords to “impersonating” consumers); and Huw Jones, EU executive asks bank watchdog to rethink ‘screen scraping’ ban, Euronews (May 19, 2017), available at http://www.euronews.com/2017/05/19/eu-executive-asks-bank-watchdog-to-rethink-screen-scraping-ban (last accessed May 24, 2017) (citing European Commission Vice President Valdis Dombrovskis’s indication that the European Commission, which must approve the proposed technical standards, will “ask the European Banking Authority to have another look at the draft standards for data interfaces, and at proposals to allow fintechs access to the customer facing interface, whenever the dedicated interface breaks down or is not performing properly…”).

[27] Competition and Markets Authority, Making Banks Work Harder for You, United Kingdom (Aug. 9, 2016).

[28] Under Regulation P, if a financial institution does not keep track of whether a consumer opts out of disclosures of nonpublic personal information (“NPPI”) under the institution’s privacy policy (or otherwise does not make disclosures that are subject to the opt-out right), then the institution generally is restricted from disclosing NPPI about the consumer to any nonaffiliated third party. 12 C.F.R. part 1016. Exceptions from the notice and opt-out requirements allow a financial institution to disclose NPPI to a nonaffiliated third party without regard to the consumer’s opt-out election (see 12 C.F.R. §§ 1016.14 – 1016.15), and certain exceptions may be relevant to facilitating disclosures of NPPI under bilateral agreements between a bank and an aggregator. For example, a financial institution may disclose NPPI about a consumer with the consumer’s consent and subject to the consumer’s right to revoke that consent (see § 1016.15(a)(1)) or as necessary to effect a transaction requested by the consumer (see § 1016.14(a)). Under those circumstances, the person receiving the NPPI generally is permitted to reuse or redisclose the NPPI “in the ordinary course [of the person’s] business to carry out the activity covered by the exception under which [the person] receive[s] the information.” See § 1016.11(a)(1)(iii).

[29] The communication by a financial institution of information that solely consists of the institution’s own account information to an aggregator is not a “consumer report” under the federal Fair Credit Reporting Act because that information qualifies for the exception afforded to information about the “transactions or experiences” between the institution and the consumer. 15 U.S.C. § 1681a(d)(2)(A)(i). However, if the financial institution were to communicate its own account information to a person that is a consumer reporting agency, then the institution would be subject to certain requirements that apply to a furnisher, such as requirements relating to the accuracy of the information. See, e.g., 15 U.S.C. § 1681s-2(a)(1)(A) (“A person shall not furnish any information relating to a consumer to any consumer reporting agency if the person knows or has reasonable cause to believe that the information is inaccurate.”).

[30] 18 U.S.C. § 1030(a)(2)(C).

[31] Id. § 1030(c)(2).

[32] 844 F.3d 1058 (9th Cir. 2016).

[33] Id. at 1068 (emphasis added).

[34] See Power Ventures Inc. et al. v. Facebook Inc., No. 16-1105 (U.S.). Status derived from the Supreme Court’s website, available at https://www.supremecourt.gov/search.aspx?filename=/docketfiles/16-1105.htm (last accessed May 24, 2017).