Regulating Consumer Permissioned Access to Financial Data

Product Description

Students play the role of junior attorneys on the Biden for President Policy Team who must prepare a briefing on how the Consumer Financial Protection Bureau ("CFPB") should regulate access to consumer financial data. Students must take into consideration the views of both Fintech startups and privacy advocates as they sort through this issue. 

The case contains a memo from CFPB to help students answer these specific questions win their briefing:

Section 1033 of the DFA

1. Does Section 1033 of the DFA include a right to consumer-permissioned access to data?
2. Assuming a consumer’s consent is informed, should their ability to grant permissioned access to their data be unlimited?
3. Should financial service providers be able to decline transfers to certain parties despite customer consent (e.g. if they find that a company has insufficient security protocols in place to protect the transferred data)? If so, who should determine the criteria for disqualification?
4. Does the text of DFA 1033 specify whether consumers may access observed and/or inferred data under their financial service provider’s control? If the text is ambiguous, what stance should the CFPB take?
5. Should the CFPB take any steps to encourage API adoption and discourage the use of screen-scraping?

FAIR CREDIT REPORTING ACT (“FCRA”)

1. Are data aggregators consumer reporting agencies under FCRA?
2. Is a financial institution a data furnisher if it provides an API through which aggregators access data?

ELECTRONIC FUNDS TRANSFER ACT (“EFTA”)

8. As a legal matter, do banks remain liable under Reg E for unauthorized charges made in their systems that result from a consumer data breach at a Fintech company?
9. As a policy matter, how should liability be apportioned between Fintechs and traditional financial institutions in such cases?

Note: Students are not expected to address the broader question of whether the administration should adopt a general privacy regulation (in the same vein as GDPR or CCPA).