
Who Owns Your Financial Data Anyway?

Consumers have been wrestling for years now over access to their personal data.  There are many non-bank financial products such as Mint and WalletGyde that help consumers manage their money, but it has always been a fight between the banks and these companies (of which there are at least hundreds, maybe more).  As a group, these companies are called FinTechs.

In Europe, the government said that consumers owned their data and even forced a standard on banks for sharing data with the FinTechs that consumers chose to share it with.

In the U.S. there is no standard and, up until now, no requirement that banks let you grant access to your own data.  This has led to FinTech companies having to ask you to trust them with your banking userid and password, and to those same companies having to scrape your data right off the screen.  About a year ago I got a message from Chase warning me that if I shared my password with a FinTech company (or anyone else), the bank was disavowing any responsibility for what happened.

This week that all changed.

The Consumer Financial Protection Bureau issued a long-awaited ruling on the subject.  Their answer:


This is a win for consumers who now will be able to have a more timely and secure method of sharing their data with third parties and it is a win for the FinTechs who have been fighting for this.  For the banks, it is not good news, but probably expected.  Banks are fighting for their survival.  Until say ten years ago, they were the king of the financial hill.  Now, they are just one player of many and when it comes to data aggregation, the banks aren’t really much of a player at all.  This is one more nail in that coffin.

Up until now the data sharing between banks and FinTechs has been a matter of one-off agreements between two parties, such as:

  • Chase and Intuit have created a data interchange agreement
  • Wells and Xero have an agreement
  • Capital One and Xero have an agreement
  • And likely others that we have not heard about

The principles that the CFPB created include –

  1. Access – users can obtain information from a service provider and grant access to a third party
  2. Data Scope and Usability – The available data should include transaction and fee information and any other aspect of a consumer’s usage.
  3. Control and informed consent – Consumers can control their data sharing and revoke it whenever they want to
  4. Authorizing payments – Accessing data is different from authorizing payments to be made, but consumers may grant third parties both of these permissions.
  5. Security – The data has to be secure.  This seems to give the CFPB a camel’s nose under the tent to make sure that the FinTechs protect consumers’ data.
  6. Access Transparency –  Consumers need to be able to easily understand what permissions they have granted to whom with relevant parameters (like how often the third party can access their data).
  7. Accuracy –  Consumers can expect the shared data to be accurate and have reasonable means to dispute and resolve inaccuracies.
  8. Ability to dispute and resolve unauthorized access – Consumers have reasonable and practical ways to dispute and resolve issues related to unauthorized access and payments.
  9. Efficient and accurate accountability mechanisms –  Commercial participants (i.e. the FinTechs) are accountable for the risks, harms and costs they introduce to consumers.

So this swings both ways and the CFPB has already whacked FinTechs from time to time (Search for CFPB Dwolla consent decree, for example).  All in all, though, I would say that this is great news for consumers, good news for FinTechs and not so good news for banks.

Now it is up to the banks and the FinTechs to work out the details.  It is likely to get a bit messy before it gets cleaned up.  MAYBE, the banks will agree to a data interchange standard, which would be great, but I haven’t seen anything public on that subject.

Information for this post came from American Banker, here, here and here and the CFPB.

The Regulators Are Coming! The Regulators Are Coming!

Everyone knows that the regulators have been going after businesses that don’t protect consumer information.  Some people say they are overreaching.  Others say that they are not doing enough.  Either way, the reality is that you have to deal with them.  So who are they and who do they go after?  Read on.

The FTC.  The FTC has gone after businesses using Section 5 of the FTC Act – basically saying that the actions of a business represent unfair or deceptive practices.  Recently, when the FTC went after Wyndham Hotels following a series of breaches, Wyndham went to court in an effort to get the courts to agree that the FTC had no jurisdiction over cyber security.  Unfortunately, the courts did not agree and Wyndham settled (see article).  Suffice it to say, the FTC’s jurisdiction covers anyone who is in business, and they have levied multi-million dollar fines and consent decrees that allow them to watch over that business for 20 years.

The FCC.  The FCC is a new player in the privacy regulation business.  Their jurisdiction is limited to communications and broadcasters.  Recently, they have gone after a number of businesses that were blocking WiFi signals in an effort to force you to buy their WiFi services at a hefty price.  Marriott, Hilton, the Baltimore Convention Center and others have felt the wrath of the FCC (see article).  This is a low risk regulator to most businesses.

The CFPB.  The CFPB is a new regulator which came out of the Dodd-Frank Act and was created in 2010.  Recently, they went after a small Fin-Tech company, Dwolla (see blog post) saying that they were lying about the cyber security measures they were providing to their customers.  CFPB oversees financial institutions such as banks, insurance companies, fin-tech companies such as Dwolla, brokers, etc.  In Dwolla’s case the fine was relatively small ($100k) and the duration of the consent order was short (5 years) compared to FTC actions.  The CFPB’s reach covers anyone in the financial industry or supporting that industry and they are just beginning to figure out their role.

HHS Office Of Civil Rights (OCR).  Health and Human Services enforces HIPAA and HITECH, specifically in the area of protecting your medical information.  They have done some enforcement actions in the past, but they have been a somewhat weak regulator in the area of privacy.  Recently, they got beat up by their Inspector General’s office, which said that they were being namby-pamby (see blog post), so it appears that they are stepping up enforcement.  Their area of jurisdiction is health information, so if you are a medical or dental practice, insurance provider or a vendor to one of these businesses, you could come into their crosshairs.  Still, they seem to be behind the power curve.  Recently, they finally created a full time office to handle enforcement.

Earlier this month they fined North Memorial Health Care of Minnesota $1.55 million because they did not have policies in place to cover what their Business Associates (essentially, vendors and subcontractors) did with your data.  This stemmed from a vendor of theirs having a laptop – UNENCRYPTED – with the medical records of 10,000 patients on it stolen out of their car.

Also this month, HHS OCR fined the Feinstein Institute $3.9 million.  This fine also was the result of an unencrypted laptop being stolen out of an employee’s car.  This time it had 13,000 patient records on it.  They were fined for not having encryption AND for not having a documented explanation of why encrypting patient data wasn’t needed.  HIPAA and HITECH don’t require encryption, but they do require a documented explanation of how you manage risk if you don’t implement reasonable controls.

These two cases date back to 2012.  I assume this means that HHS OCR is still playing catch up and we don’t really know what this new office is going to do.

These are just a small sample of the regulators that could come after a business that does not protect non-public personal information of different varieties, depending on what industry you are in.

I am sure that there are many more to consider, but suffice it to say that almost every business could come into the crosshairs of at least one of these regulators.

Of course, this does not include state regulators, such as the New York Department of Financial Services or the California Attorney General, both of whom have been very active in the privacy arena.

So, if you collect non-public personal information, protecting that information should be a high priority for your business if you want to keep the privacy regulators at bay.

Information for this post came from Health Data Management.

CFPB Settles With Dwolla and Indicates Expectations

Dwolla, a non-bank payment processor, settled charges with the CFPB this week.  The Consent Order provides some insight into the expectations that the CFPB has for protecting consumer information.

Kind of like getting Al Capone for tax evasion, the CFPB hit Dwolla for misrepresenting their security practices – what they call deceptive acts and practices.  They didn’t specifically say that any particular mechanism is bad, but rather that you are not doing what you told people you are doing.

Dwolla is a small player as financial institutions go, moving, according to the order, around $5,000,000 a day through pooled accounts that they control in a credit union and a bank.  That would indicate that the CFPB is not only going after big players.

Information that they collect, in addition to financial transaction information, includes name, address, Social Security number, date of birth, phone number, and bank account information.  They have around 600,000 members.

The CFPB says that between 2011 and 2014, Dwolla represented, or caused to be represented, expressly or by implication, that they used reasonable and appropriate measures to protect data obtained from consumers from unauthorized access.

Let’s dissect that a bit – it means that if you dance around the protection word and imply, but don’t say, what you are doing, they are going to operate as if you expressly stated it.  That includes things your business partners say on your behalf.

Dwolla said, according to the CFPB, that its network and transactions were safe and secure.  That’s a pretty vague claim.

On their web site, the order continues, Dwolla claimed that its data security practices “exceed industry standards”, that they store information “in a bank-level hosting and security environment” and that they encrypt data “utilizing the same standards required by the federal government.”

While I might look at that and say that it is marketing garbage, the CFPB takes that literally.

Dwolla also said, apparently, that they encrypt all sensitive data in transit and at rest and that they were PCI compliant.

The CFPB, on the other hand, said Dwolla failed to employ reasonable and appropriate measures to protect data and their data security practices did not surpass or exceed industry standards.  The CFPB also said that they did not encrypt all sensitive data.

Note that the CFPB did not say that Dwolla had to employ reasonable and appropriate measures, had to exceed industry standards or had to encrypt all data.  They just said that Dwolla should not lie about what they were doing.

The CFPB said that, for different time periods, Dwolla:

  • Did not adopt reasonable and appropriate data security policies and procedures
  • Did not have a written data security plan covering the data that they collected and stored
  • Did not conduct adequate and regular risk assessments.
  • Did not give their employees reasonable data security training
  • Did not hold mandatory employee data security training
  • Did not conduct third party penetration tests.  During their first test, they sent out a phishing email test and nearly half of the employees opened the email, 62% who opened the email clicked on the link and 25% of those who clicked on the link registered at the site with a username and password.
  • Dwolla failed to address the results of this test
  • Transmitted sensitive information unencrypted (while it doesn’t give specifics, using normal email would fail this test).
  • Encouraged customers to submit sensitive information via email
  • Operated a development environment with no data security training
  • Failed to test the security of apps protecting consumer information

It is reasonable to infer that the CFPB would consider the opposite of each of these actions to be “the right answer”.

In the consent order, Dwolla must:

  1. Establish, implement and maintain a comprehensive data security plan
  2. Adopt and implement reasonable and appropriate data security policies and procedures
  3. Designate a qualified person to be accountable for the data security program
  4. Conduct data security risk assessments twice a year
  5. Evaluate and adjust the data security program in light of the results
  6. Conduct regular, mandatory employee security training
  7. Develop, update and implement security patches
  8. Develop, implement and maintain an appropriate method of customer identity authentication at registration time.
  9. Develop, implement and maintain reasonable procedures for third party risk (service providers).
  10. Obtain an annual data security audit from an independent, qualified, third party, using generally accepted professional procedures and standards.

My interpretation of the consent order, and I don’t even play a lawyer in the blogosphere, is that these 10 items are on the “You should do” list.

In addition, there is a laundry list of other things that they have to do, like conduct a third-party audit within 30 days and, within 180 days, have the auditor report to the board on the results of the audit.

Finally, they were ordered to pay a $100,000 fine, which seems like a bargain.

For those organizations that are under the auspices of the CFPB, I would suggest looking at the bulleted list of DON’T do’s and the numbered list of TO DOs and seeing which ones on each list you are on the right side of.

Not a regulation, but it could help keep you out of the dog house.

Information from this post came from the CFPB Consent Decree here.