On September 21, 2021, the FinTech task force of the U.S. House Committee on Financial Services held a hearing on consumer privacy. The hearing was live-streamed and the archived webcast is available on the Committee website.

The hearing was called to address what Task Force Chairman Stephen Lynch called “serious gaps” in the current regulatory scheme, e.g. the Gramm-Leach-Bliley Act (GLBA), Dodd-Frank Act, and Fair Credit Reporting Act (FCRA), due to rapid developments in FinTech. The following highlights key issues discussed.

Changes to the Financial Services Industry

The hearing acknowledged the change in technology, as institutions try to keep up with consumer preferences and desire for convenience when accessing financial services. The industry has grown to now include various FinTechs, such as payment processors, neobanks who offer entirely online and mobile banking, financial management apps, and online investment services.

Data Aggregators

One concern discussed in the hearing is the rise of data aggregators who use APIs to facilitate data sharing between financial institutions. It remains unclear how current laws and regulations apply to the use of APIs for data sharing. The hearing also pointed to the issue of meaningful consent to data sharing when consumers engage an API and whether consumers have sufficient control over their data.

Proposed Rulemaking

The heart of the hearing was the proposed rulemaking by the CFPB under Section 1033 of the Dodd-Frank Act on “Consumer Access to Financial Records.” The proposed rulemaking intends to clarify standards around consumer-authorized access to financial information. The CFPB issued an Advance Notice of Proposed Rulemaking on November 16, 2020, to solicit comments to assist in developing any new regulation. The period for comment submission closed on February 4, 2021. While the witnesses all appeared to be in favor of additional regulatory clarity in the space, several speakers cautioned against regulations that are technical in nature.

Putting it into Practice

It is clear that data privacy is top of mind for consumers, regulators, and legislatures alike. As we await regulatory guidance from the CFPB, FinTech businesses should pay attention to their consumer data collection and sharing practices. The following are some steps companies may wish to consider taking as they work through their existing compliance obligations:

  • Data mapping. An enterprise-wide data inventory and mapping exercise could help identify the types of personal information the business collects about consumers, the reasons for collection, and the entity’s information-sharing practices.
  • Vendor/service provider review. Robust vendor management compliance programs are essential to ensure that personal information of consumers is appropriately shared and restricted.
  • Privacy policy and disclosures. Privacy policies and disclosures mandated by various state and federal laws should be reviewed periodically.
  • Operational implementation. Companies may wish to consider how to operationalize certain proposed regulations being considered, particularly with respect to data aggregators.