Rohit Chopra, the former FTC Commissioner and recently confirmed director of the Consumer Financial Protection Bureau (CFPB), faced Congress for the first time in his new position this week, and in his testimony, he outlined his top priorities for the Bureau. He noted that his overall goal is to promote an equitable and inclusive economic recovery, and to that end, his top priority would be “stimulating more competition in consumer financial markets.” Moreover, he noted in response to questioning during the hearing, that “people need to control their personal data.” These are welcome remarks from the new director and a sign that CFPB might be ready to finally pursue rules on data portability for the financial sector.
Data portability refers to the ability of users to obtain and transfer a copy of their data from one data controller to another. Section 1033 of the Dodd-Frank Act authorized the CFPB to enact rules that would require a financial institution to provide consumers access to their financial records in its possession. The CFPB has long wrestled with how to implement these rules, including by issuing an Advance Notice of Proposed Rulemaking last year, but has yet to enact new requirements. Pressure has been mounting for the CFPB to act, including with an executive order this summer from President Biden calling for the CFPB director to consider “commencing or continuing a rulemaking…to facilitate the portability of consumer financial transaction data so consumers can more easily switch financial institutions and use new, innovative financial products.”
Data portability offers a number of benefits for consumers in the financial sector. First, by giving consumers access to their financial data, consumers can better compare competing products and services among different financial institutions, and if they find a better opportunity, more easily switch to the new provider. Better transparency and lower switching costs create more competition among financial institutions and stronger incentives to retain customers by offering better services. Second, data portability opens up opportunities for consumers to unlock more data from their financial data. For example, consumers can use online budgeting apps to better manage their household finances or share information about their cash flow on a prepaid debit card, opening up new opportunities for giving consumers without much of a credit history access to credit. Third, data portability creates more opportunities for innovation in the financial sector as financial institutions and fintech companies alike create new products and services that leverage consumer data.
Many U.S. consumers already benefit from a degree of data portability in the financial sector today, but most of this data exchange has arisen from voluntary agreements between various financial institutions and technology providers. While these parties often work together to benefit consumers, their interests do not always align, especially when incumbent financial institutions face competition from new entrants. In the absence of regulations outlining when financial institutions have an obligation to provide consumers access to their data, financial institutions may restrict access to this data to prevent competition.
Moreover, CFPB should move forward on data portability rules to bolster consumer privacy and security. For many consumers, their financial data is some of the most sensitive personal information about them, and it is important to make sure that all parties properly safeguard this data. CFPB should not only clarify the data protection obligations for entities that transfer and receive consumer financial data, but also detail the measures they should have in place to verify the identity of their users, identify fraud, and report data breaches. These are important questions to address not only at a technical level but also in terms of legal and financial liability for when security incidents occur.
Finally, CFPB should carefully calibrate its role in data portability. At the directive of regulators, the UK’s financial sector embraced data portability, and by most accounts, it has been a success with millions of consumers using open-banking enabled services. While the UK and U.S. consumer banking sectors look quite different (the UK is much more concentrated), one important lesson the UK offers is the value of industry-led data standards to ensure that the development of data portability does not get bogged down in the snail-paced regulatory process that has delayed the entry of data portability rules so far. The CFPB should focus on developing clear expectations for principles on issues such as functionality, privacy, and security while allowing stakeholders in the industry ecosystem to work out many of the technical details of data exchange. In addition, the CFPB can build off of the example set by the Department of Health and Human Services, which investigates and takes action against health providers and technology companies that restrict health data sharing, by prioritizing its role as an enforcement agency to ensure that financial institutions do not shirk their data portability responsibilities.
While Chopra has expressed some skepticism about the use of technology and data analytics in the past, if he is committed to pursuing every opportunity available to CFPB to protect and empower consumers, expediting rulemaking for data portability should be at the top of his list.
Image credit: Pexels