Position
- ICBA supports responsible financial services innovation and urges policymakers to carefully consider the privacy, regulatory compliance burden, data security, and legal implications presented by permissioned third-party access to consumer bank accounts.
- ICBA encourages adoption of the CFPB’s common principles and industry standardization efforts by data access ecosystem participants in the sharing and use of permissioned customer financial account information in a secure, transparent manner that allows consumers to control their information. ICBA is firmly against mandating standards that threaten to leave community banks at a disadvantage from any asymmetry of capabilities and resources.
- ICBA encourages development of data-sharing technologies and adoption of standards that offer secure access to data and enhanced privacy. Core processors and technology providers should enable accelerated adoption of these capabilities to ensure that community banks are well-positioned to compete in an evolving market without sacrificing data privacy and security.
- ICBA strongly supports limiting the use, sharing, and storage of data to that which is authorized by the consumer. ICBA urges the CFPB to prohibit the sale of customer-permissioned data to unpermissioned third parties.
- Data aggregators should be brought under the supervision of the CFPB which would result in consumer protection compliance obligations and subject these entities to annual examinations. Furthermore, ICBA firmly asserts that liability should follow the custody of the data and that all costs associated with a breach or system intrusion should be borne by the entity that incurs the breach.
- Data access disclosures should clearly indicate the entity that is obtaining permission from the customer and provide the customer with clearly stated instructions for revoking their permission. Banks should not be required to provide disclosures on behalf of permissioned third parties
- Regulators should not interpret customer-permissioned aggregator access to a bank’s data as a direct vendor relationship of the bank.
Background
Section 1033 of the Dodd-Frank Act gives consumers the right to access their financial records in electronic form. Section 1033 enabled an explosion of non-bank entities seeking the permission of consumers to access their digital financial records, giving rise to a number of concerns pertaining to data security, privacy, and unauthorized access. In 2021 the CFPB issued NPR to solicit stakeholder input for the implementation of Section 1033.
ICBA has profound concerns that non-bank entities, which access customer information and store bank login credentials, do not take the same care in protecting consumer privacy and data that community banks do. The integrity of consumers’ data and privacy is only as strong as the weakest link protecting that information, and as more non-regulated entities handle a consumer’s data, the risk of breach and/or loss only increases.
Furthermore, non-bank entities accessing customer account data must be held responsible for ensuring the security of the consumer information they are accessing and must be held liable for any data breaches and consumer harm as a result of accessing consumer data.
