Yesterday the Consumer Financial Protection Bureau (CFPB) announced principles for protecting financial data that consumers choose to share with third party companies that provide services like personal financial management tools, bill payment, budgeting or fraud prevention.

The principles cover data access, data scope and usability, control of the data and informed consent, payment authorizations, data security, transparency on data access rights, data accuracy, accountability for access and use, and disputes and resolutions for unauthorized access.

Of particular interest to the debt collection industry may be the guidelines covering control and informed consent (especially as it relates to revocation), access transparency and accuracy. Excerpted from the CFPB’s document:

Control and Informed Consent

Authorized terms of access, storage, use, and disposal are fully and effectively disclosed to the consumer, understood by the consumer, not overly broad, and consistent with the consumer’s reasonable expectations in light of the product(s) or service(s) selected by the consumer. Terms of data access include access frequency, data scope, and retention period. Consumers are not coerced into granting third-party access. Consumers understand data sharing revocation terms and can readily and simply revoke authorizations to access, use, or store data. Revocations are implemented by providers in a timely and effective manner, and at the discretion of the consumer, provide for third parties to delete personally identifiable information. (emphasis added)

I suspect that “Understood by the consumer” will be the subject of debate. Will the standard be the least sophisticated consumer? The collection industry has been battling this in the courts for years with Fair Debt Collection Practices Act claims.

Access Transparency

Consumers are informed of, or can readily ascertain, which third parties that they have authorized are accessing or using information regarding the consumers’ accounts or other consumer use of financial services. The identity and security of each such party, the data they access, their use of such data, and the frequency at which they access the data is reasonably ascertainable to the consumer throughout the period that the data are accessed, used, or stored.

As a consumer, I love this. For banks, this could have a real cost – they are likely not the ones who will receive revenue from the new services. There remains a question of where the consumer goes to see the dashboard of who they've permissioned data to. Housing this at the banks means that the consumer must go to multiple different websites to see the totality of their permissioning. But who would own such a central access point? Who would pay for the cost to maintain it? It will be interesting to see how the business model evolves to reconcile this.


Accuracy

Consumers can expect the data they access or authorize others to access or use to be accurate and current. Consumers have reasonable means to dispute and resolve data inaccuracies, regardless of how or where inaccuracies arise.

How many times have consumers said to collectors, “I recognize the account, but I don’t owe that,” or “I don’t owe that much,” or “What’s that charge for?” and the collector doesn’t have access to the detail to answer the question? If consumers could also give access to collection agencies they trust, this could be a game changer.

insideARM wrote about this back in February 2017 when the CFPB issued its Request for Information. We highlighted the comments of the Consumer Financial Data Rights group (CFDR), an industry consortium supporting the consumer's right to unfettered access to their financial data. The group was formed by financial service providers who stand to benefit from this type of data sharing, including Affirm, Betterment, Digit, Envestnet | Yodlee, Kabbage, Personal Capital, Varo Money, Capsilon, Earnup, Petal, Sipree, and SoFi.

The CFDR Group released this statement today,

“The CFDR group and its 35 member companies applaud the Consumer Financial Protection Bureau’s (CFPB) publication of thoughtful principles regarding a consumer’s ability to share their financial data through third-party tools that can help improve their financial lives. As a group, we have sought to bring the voice of the consumer into this debate. We are pleased that the CFPB’s principles align with the CFDR’s view: consumers – not their bank – should control their own financial data.”  

Steve Boms, VP of Government Affairs for Envestnet | Yodlee and CFDR Member said this,

“The principles published today by the Consumer Financial Protection Bureau (CFPB) enshrine core tenets that all responsible players in the financial services ecosystem should adopt: consumers should have full control of their financial data and should expect transparency and security from the entities to which they permission it. The Bureau’s release of data-sharing principles represents a huge win for consumer financial wellness.”  

The consumer protection principles are available here. 

A summary of stakeholder insights that informed the principles is available here.

It should be noted that these principles are not binding. The Bureau’s announcement states,

“The principles do not establish binding requirements or obligations relevant to the Consumer Bureau’s exercise of its rulemaking, supervisory, or enforcement authority. In addition, they are not intended to alter, interpret, or otherwise provide guidance on existing statutes and regulations that apply in this market. Lastly, although the Consumer Bureau stands ready to facilitate constructive efforts or to take other appropriate action to protect consumers, the principles are not intended as a statement of the Consumer Bureau’s future enforcement or supervisory priorities.”

I personally use many of the services that require this type of data sharing and I will say that I appreciate the efficiency and portability they provide. So it’s nice to see things moving forward, especially in the area of transparency.

From my experience around the collection industry, however, I have observed the brick wall that people hit when it comes to information about accounts that are charged off. This data seems to be on some other server and is inaccessible other than by pony express or two cans with a string.

CFPB Director Cordray remarked,

“Today, the Bureau released its consumer protection principles for the consumer-authorized data-sharing market. These principles express our vision for realizing an innovative market that gives consumers protection and value.”

In response to consumer demand, innovation like this is making its way to nearly every industry. But not debt collection.

Currently, in most cases, once an account is charged off, limited data about the account moves onto a different system, and pre-charge off data is no longer accessible to the consumer -- or to the debt collector. This causes significant confusion (exactly what do I owe, and what is it for?), frustration (what do you mean you can't tell me... and now I have to wait with this issue hanging over my head?), and often a very awkward interaction between the consumer and collector. The lack of transparency hurts all parties. 

The good news here is that these principles begin to set expectations for institutions to honor their customers’ preference to access their financial data in ways they view as beneficial.

If this activity helps to establish precedent for things like informed consent, perhaps it will lead to the ability to allow information about past due debts to be shared in ways that are similar to those used for active accounts.
