More regulatory clarity on the horizon for FinTechs | Sheppard Mullin Richter & Hampton LLP
On September 21, 2021, the FinTech Working Group of the United States House Committee on Financial Services held a hearing on consumer privacy. The hearing was webcast live and the archived webcast is available on the Committee’s website.
The hearing was called to address what Task Force Chairman Stephen Lynch called “serious flaws” in the current regulatory regime, such as the Gramm-Leach-Bliley Act (GLBA), the Dodd-Frank Act and the Fair Credit Reporting Act (FCRA), due to rapid developments in FinTech. The main issues discussed are highlighted below.
Changes in the financial services industry
The audience acknowledged the technological change under way, as institutions try to keep up with consumers’ preferences and desire for convenience when accessing financial services. The industry has grown to include various FinTechs, such as payment processors, neobanks that offer fully online and mobile banking, financial management applications, and online investment services.
One of the concerns discussed during the hearing was the rise of data aggregators that use APIs to facilitate data sharing between financial institutions. It is still unclear how current laws and regulations apply to the use of APIs for data sharing. The audience also highlighted the issue of meaningful consent to data sharing when consumers use an API and whether consumers have sufficient control over their data.
The heart of the hearing was the regulation proposed by the CFPB under section 1033 of the Dodd-Frank Act on “consumer access to financial records”. The proposed regulations aim to clarify the standards regarding authorized consumer access to financial information. The CFPB published an advance notice of proposed regulations on November 16, 2020, to solicit comments that would contribute to the development of any new regulations. The comment period ended on February 4, 2021. While witnesses all appeared to favor additional regulatory clarity in the space, several speakers cautioned against regulations of a technical nature.
Put it into practice
It is clear that data privacy is a priority for consumers, regulators and legislatures. Pending CFPB regulatory guidance, FinTech companies should pay attention to their consumer data collection and sharing practices. Here are some steps businesses can consider taking as they meet their existing compliance obligations:
- Data mapping. A company-wide data inventory and mapping exercise could help identify the types of personal information the company collects about consumers, the reasons for the collection, and the information sharing practices of the entity.
- Supplier / service provider review. Robust supplier management compliance programs are essential to ensure that consumers’ personal information is shared and appropriately restricted.
- Operational implementation. Businesses may want to consider how to operationalize some proposed regulations under consideration, particularly with regard to data aggregators.