The U.S. Department of the Treasury’s recent report evaluating economic opportunities presented by nonbank financial institution and fintech company innovations includes a detailed account of current data aggregation activities in the financial services marketplace and provides policy recommendations that shed light on the federal government’s current views on data aggregation. (See our legal alert and blog posts (here and here) for a discussion of other portions of the Treasury’s report.)  In seeking to harness the potential benefits that can come from data aggregation, the Treasury report firmly supports the inclusion of these market participants.

Following are key takeaways from the Treasury’s report with respect to data aggregation practices and regulatory issues.

• BCFP and private sector should develop consumer disclosure best practices. The Treasury suggests that the Bureau of Consumer Financial Protection (BCFP) should develop, either with the private sector or pursuant to its rulemaking authority, consumer-facing disclosures that are “plain language, readily accessible, readable through the preferred device used by consumers to access services… so that consumers can give informed and affirmative consent regarding to whom they are granting access, what data is being accessed and shared, and for what purpose,” and to opt-out of such sharing.
• APIs provide advantages and should be supported. The report raises a number of issues with screen scraping while promoting the benefits of application programming interfaces (APIs) “that allow for the inclusion of robust security features, greater transparency and access controls for consumers, improved data accuracy, and more predictable and manageable information technology costs.”  Following is a graphic from the report identifying the similarities and differences between bilateral/partnered API and open API arrangements.  It highlights how APIs can remove the need for fintech apps (users of aggregated data) and data aggregators to access consumers’ bank account login credentials and, therefore, supports Treasury’s suggestion that the private sector and financial regulators should work to implement API solutions that “address data sharing, [data normalization,] security, and liability [and should support] efforts to mitigate implementation costs for community banks and smaller financial services companies with more limited resources to invest in technology.”

• Clarifying applicability of third-party oversight guidance to data aggregators. The report states that there is some ambiguity regarding when third-party oversight guidance issued by federal banking regulators applies to data aggregator relationships, noting that data aggregators entering into “an API agreement with a bank [] may become subject to third-party guidance because of the contractual relationship, which can increase compliance costs.”  The Treasury suggests that federal banking regulators take action to resolve this ambiguity.
• Third-party data aggregators should be treated as “consumers.”  Section 1033 of the Dodd-Frank Act provides “consumers” a right to access certain account information electronically upon request.  Treasury recommends that this section be interpreted so that “third parties properly authorized by consumers, including data aggregators and consumer fintech application providers, fall within the definition of ‘consumer’… for the purpose of obtaining access to financial account and transaction data.”
• Data security addressed by GLBA Safeguards Rule. The report assumes that “data aggregators and consumer fintech application providers are subject to the Gramm-Leach-Bliley Act (GLBA)” and that “the Safeguards Rule appropriately addresses” data security concerns with data aggregation activities.  To the extent additional regulatory or legislative measures are considered to address data aggregation data security issues, the Treasury suggests that such activities occur at the federal level rather than the state level to ensure uniformity.
• Other financial regulators should support data aggregation. The report suggests that regulators in addition to the BCFP should take steps to enhance data aggregation activities, including the Securities and Exchange Commission, the Financial Industry Regulatory Authority, Department of Labor, and state insurance regulators.