Section 1033 of Dodd-Frank requires lenders to “make available to a consumer, upon request, information in the control or possession of the [lender] concerning the consumer financial product or service that the consumer obtained from such [lender] … in an electronic form usable by consumers.”
The CFPB held a symposium about six months ago to solicit input from industry participants about how best to implement the Dodd-Frank requirement while also addressing potential issues with data security, privacy and unauthorized access to consumer data. For example, symposium participants were generally in favor of allowing consumers to give third parties permission to access the consumer’s information held by lenders, although there were concerns that lenders would be forced to share proprietary lender information with third-party competitors. A current practice of ‘credential-based access,’ in which a third party uses the consumer’s credentials to access the consumer’s account information directly from the lender, often resulting in a ‘screen-scrape’ of the consumer’s data directly into the third party’s system, could lead to unauthorized disclosure. Participants generally agreed that a move towards third-party access through an ‘application programming interface,’ or API, would benefit both consumers and lenders.
The ANPR should address these concerns with detailed disclosure requirements and technical standards, as well as potentially adding a consumer disclosure requirement. As symposium participants noted, other issues will likely arise in the implementation of these rules, such as liability of lenders and third parties for unauthorized disclosure and use of consumer data, and whether a lender can refuse to disclose consumer data if it determines that the third-party request is not authorized, or that the third party does not maintain sufficient security for the information it collects.