Response to the CFPB ANPR paper on consumer access to financial records in the US

February 2021: In response to the CFPB ANPR paper on consumer access to financial records in the US, Finder prepared the following submission. Visit our government submissions hub for more Finder submissions to government consultations and inquiries.

Finder welcomes this review on consumer access to financial records in the US and we are grateful for this opportunity to provide input into the consultation.

Finder.com​ ​("Finder", "we") is Australia's most visited comparison website and helps customers all around the world make better decisions in relation to a range of complex products and services. Currently, Finder compares over 1,800 brands across more than 100 product categories, including credit cards, home loans, deposit accounts, insurance products, pension products, telecommunications, energy and shopping deals. From our roots in Australia, Finder has grown to offer comparison services in over 80 countries and is proud to now have over 400 employees globally with offices in Sydney, Adelaide, London, New York, Manila, Toronto and Wrocław.

The main value that Finder can add to this consultation is from our viewpoint as a fintech business involved in the introduction of regulatory arrangements for consumer access to financial records in both Australia and the United Kingdom. In Australia, Finder also has first-hand experience of enabling access to financial information through consumer consent before the introduction of any specific regulatory arrangement. From this experience, we strongly believe that consumer-permissioned access to financial records helps to empower consumers all around the world to take control of their personal data and use this information to make better financial decisions.

Our experience of data sharing arrangements in both Australia and the United Kingdom is also complemented by a number of years of providing comparison services to the US market.

This submission is split up into three sections:

• Section 1: The case for enabling consumer access to financial records in the US

• Section 2: An overview of the regulatory arrangements for access to financial records in Australia

• Section 3: Key lessons that US policymakers can learn from the Australian experience

Section 1: The case for enabling consumer access to financial records in the US

The theoretical benefit to consumers of improved access to financial records is clear. Better access to financial information helps consumers to better understand their financial situation. This improved understanding leads to better financial decisions, which subsequently leads to more consumers switching to better deals in the market.

As we start to see the introduction of regulation around the world that improves consumer access to financial records, we see many of the theoretical consumer benefits becoming a reality. The rollout in Australia is yet to reach its full potential due to a number of delays, but in the UK, we see a market that has a relatively mature market for consumer financial data sharing. The use cases for the financial data that we see being accessed in the UK can help to make this theoretical conversation a real one.

Below we have run through some of the main ways that consumer access to financial records could be used to benefit consumers:

• Tools to help people budget better

• • This has proven to be very popular in the UK. Apps like Money Dashboard, Yolt and Cleo are allowing people to connect data from their bank accounts, savings accounts, credit cards and loans in one place. This makes it easier for consumers to keep track of their finances. Most of these apps are free to use and often categorize the consumer's spending into groups such as groceries, dining out and bills to make budgeting easier.

• Simpler and faster ways to apply for products

• • The application process for financial products is often long and frustrating. Consumers will likely have to gather and share documents that prove things like who they are, where they live and when they were born. This process can get even more complicated with lending products where consumers may also need to demonstrate their earnings and expenditure. Open banking changes this picture as many of these things can be quickly shared through a consumer's financial records. In the UK, this is making it easier to switch between products and find better deals. And according to Equifax¹, using open banking in this way can reduce the average time spent by a consumer on affordability assessment tests from 30 minutes to less than 10 minutes.

• Personalized recommendations and products

• • Tools like Snoop in the UK and our Finder app in Australia give consumers personalized suggestions as to when to consider switching to a different product or service. An individual's financial records shines a light on all of their recurring bills, including everything from Internet plans to insurance payments to mobile phone bills. When a comparison service like Finder gets access to this information, we are not only able to help consumers find better financial products, but we can also help them find better deals across the board. For many consumers, this could result in thousands of dollars a year in ongoing savings.

Consumer access to financial records in the US today:

One of the defining features of the market for financial services in the US is the sheer quantity and variety of financial service providers available to consumers. There are currently more than 5,000 banks and savings institutions in America², none of which control more than 12% of the retail banking market³. In contrast, the four largest banks in Australia control more than 75% of market for many retail banking categories⁴. The regulatory landscape for financial services in the US is also more complex than Australia, with multiple overlapping federal and state-level regulatory agencies involved.

In spite of this complexity, the market for consumer access to financial records in the US is already well advanced. This has been achieved through a market-led approach to data access, with a thriving ecosystem of data aggregators commercializing consumer access to financial records. In many instances, this is delivered through "screen-scraping" technology, but more recently, these data aggregators have started to enter bilateral agreements with larger banks to get direct access to these data feeds.

At the same time, the Financial Data Exchange (FDX) has been set up as a not-for-profit to "unify the financial industry around a common, interoperable, royalty-free standard for secure and convenient consumer and business access to their financial data." From what we have seen, the FDX is doing a good job of building momentum around a single standard. But to an outsider, the governance structure for the FDX is unclear. At the time of writing, we could not find a public list of the board of directors of the organization online, although it seems to be comprised of a mixture of banking, fintech and aggregator executives.

Given the success with this approach to date, we have seen some proponents of the continuation of market-based solutions to consumer access to financial records in the US. However, we would argue that government-mandated standards for access to financial records will drastically expedite the adoption of data sharing by consumers. We also believe it will ensure that open banking services are accessible to all consumers in a market with a long tail of data holders that could be slow to participate otherwise.

As a result, we commend the Consumer Financial Protection Bureau (CFPB) for undertaking this consultation and we encourage it to build on the important work being done by the FDX and other organizations by introducing legally-binding standards for data-sharing in the financial services industry in the US.

Section 2: An overview of the regulatory arrangements for consumer access to financial records in Australia

Finder has been an active participant and contributor during the introduction of the Consumer Data Right (CDR) regulation and related data standards in Australia. The CDR is the regulatory framework that has given consumers in Australia the right to access the data that providers in a number of industries hold about them. The data made available through the CDR can be accessed directly by the consumer (although this is yet to be introduced in any industry) or shared with other organizations that will access the data on the consumer's behalf (for example, data users or data aggregators).

The CDR was first introduced in the market for banking, but the intention is for it to become an economy-wide data-sharing framework. The Australian Government and its agencies have started working to introduce the data-sharing regime to the market for energy products, with the markets for telecommunications and insurance next on the CDR roadmap.

The rule-making for the CDR regime has been undertaken by a combination of government departments and agencies. The initial work was completed by the Treasury before the Australian Competition and Consumer Commission (ACCC) finalized the Consumer Data Right rules. As part of the introduction of the CDR, the Australian Government also created the Data Standards Body to lead the development of the technical standards by which the data sharing would occur. Initially, the Data Standards Body work was undertaken by the data arm (Data61) of the Commonwealth Scientific and Industrial Research Organisation (CSIRO), which is the federal agency responsible for scientific research. At the time of writing, Data61 employees are still doing most of the work on the standards development. The rule-making functions of the ACCC have also recently transitioned to the Treasury, with the ACCC now primarily focused on accrediting participants for the CDR and taking enforcement actions when standards are not met.

There are currently two primary roles for participating organizations within the CDR framework. Data holders (DH) are the organizations that hold the data on the consumers. These data holders are required by law to share the consumer data in the format designated by the CDR standards if requested to do so by one of their customers. The deadlines for when this data sharing is made legally enforceable are determined on a sector-by-sector basis by the designation instrument that is created for each industry. The second role for participating organizations is that of an "Accredited Data Recipient" (ADR). These ADRs are able to access the data shared by a data holder on behalf of the customer when the customer gives them permission. The ACCC has set a high bar for accreditation for these ADRs, and any company that wants to be an ADR will have to demonstrate that they can meet the required standards on matters such as information security, insurance and consent management.

The first implementation of the CDR has been in the market for banking which will enable consumer access to financial records. The implementation timeline was undertaken in a phased manner where the four largest banks were required to share data first, with the remaining banks in Australia given an extra 12 months to prepare for the new rules. The products that the banks were required to share data on were also rolled out in a phased manner rather than all released at once. These phases were as follows:

• Phase 1: Savings accounts, call accounts, term deposits, transaction accounts, current accounts, cheque accounts, debit cards and credit cards.
• Phase 2: Home loans, personal loans and mortgage offset accounts.
• Phase 3: Business finance, lines of credit, overdrafts, asset finance, investment loans, cash management accounts, pensioner deeming accounts, trust accounts, foreign currency accounts and consumer leases.

There are four types of information that are being made available through the banking implementation of the CDR in Australia: product reference data, customer data, account data and transaction data. This data will only be made available on request and data linked to a customer will require permission from that customer for the request to be accepted. A top-level breakdown of what is made available in each dataset can be found below:

• Product reference data: This is generic information about rates, fees and features for each bank's products. This will be available to anyone who knows how to extract data using APIs.
• Customer data: This is information that identifies you as the customer, such as your phone number, email address and home address.
• Account data: This is account level information, including things such as balances, direct debits and regular payments.
• Transaction data: This is information about each transaction on your account, which will outline where and when you have been spending your money.

The generic product reference data is the least sensitive of these datasets from a security perspective, as it is not linked to an individual and so any privacy concerns are reduced significantly. For this reason, product reference data was the first dataset to be released in the banking CDR implementation. It is expected that this approach of releasing product reference data first will be replicated for other sectors.

Section 3: Key lessons that US policymakers can learn from the Australian experience

In this section, we go beyond the factual recount of the introduction of the CDR in Australia and seek to use our first-hand perspective to provide some views on the key lessons that US policymakers could learn from the Australian experience.

Lesson 1: Start as early as possible and anticipate a long implementation phase

This might be an obvious lesson, but it's an important one. The Australian implementation of the CDR shows that even with adequate government funding and the public support of most participants, introducing financial data sharing agreements takes longer than anticipated.

Currently, the implementation of CDR in Australia is at least 12 months behind the original timeline. The first delay was announced in December 2018, when the Treasurer announced a revised timeline that pushed the initial July 1, 2019 launch date for consumer banking data access back to a date no later than February 1, 2020⁵. This was pushed back further in December 2019 with an announcement that the go-live date would be no later than July 1, 2020⁶. This has had a knock-on effect for the rest of the CDR timeline.

The government first started work on the policy implementation for CDR in early 2018, but consumer banking data for customers of all banks in Australia will not be made available until July 2021. The global COVID-19 pandemic has certainly impacted the pace of implementation in Australia but we would still strongly encourage the Consumer Financial Protection Bureau (CFPB) and other relevant federal agencies to expedite and prioritize this work in anticipation of the extended implementation that will be required.

Lesson 2: Product reference data is a quick win that offers major value

One of the major arguments for introducing open banking is to improve competition in the financial services sector where customer inertia is high. As a company that has worked in the comparison space for over a decade, we know that the availability of accurate product reference data allows us to drastically improve the comparison service that we can offer to consumers. In turn, better comparison services can help to stimulate competition. As discussed, under the CDR in Australia, all banks and financial service providers that offer the designated products are also required to share product reference data feeds, and this is already improving the comparison experience for consumers in Australia.

It is also worth noting that because this product reference data is generally publicly available on a provider's website in some form already, it is significantly less sensitive than any customer data associated with an individual. This means that legislation in relation to this dataset can be passed more quickly and access to the associated product data feeds can be handed out more freely. In the Australian experience, product reference data from major banks was made available 12 months before any consumer data.

In our view, this product reference data could be a quick win in this space in the US, and there would be a significant benefit to including this dataset in any financial data sharing regulation introduced in the US.

Lesson 3: Involve fintechs early, as the available data is only as valuable as the tools they build

Very few consumers have a strong desire to access their financial records directly on a regular basis. Indeed, many banks already let customers export their banking transactions as a spreadsheet from their online banking, but very few do so. In reality, consumers are far more interested in the apps and tools that do the hard work for them. They want apps that can connect to their bank that will help them budget or save more or find better products. These services are made available when financial records are shared between data holders, data aggregators and data users. In many instances, consumers will not be aware of the rules and regulations that make these services possible, but if they are using these services to make better financial decisions, then this is still a good outcome.

Many of the innovative consumer-facing solutions that are built in this space will be created by lesser known fintechs. In the early stages of consultation on a possible regulatory framework to enable consumer access to financial records in the US, these fintech firms should be welcomed into the conversation. It is unlikely that many of these companies will have employees working directly on public policy issues, so additional effort may be required to support their inclusion by finding less formal ways to garner input and feedback. In Australia, the ACCC and the Data Standards Body have done a particularly good job of this by running regular open workshops for these organizations to attend. In more recent times, these workshops have run virtually with hundreds of participants present and providing live feedback. This helps to ensure that the companies that will turn the standards into useful products and services for consumers are at the table when the standards are being created.

These fintechs can be supported in a number of other ways too. Firstly, prioritizing technical standards on how data will be shared as early as possible will allow these fintechs to build for the future. They can invest in the solution they are building knowing that the data that makes the tool work is on the roadmap. Secondly, ensuring that data made available under any government-mandated data-sharing arrangement is done so on a zero cost basis will reduce running costs for these fintechs. In turn, this allows these businesses to use more of their resources on improving their offering to consumers. It also makes it more likely that these innovative businesses can build viable business models.

Currently, the most viable businesses operating in this space are data aggregators. Undoubtedly, these aggregation businesses will still have a role going forward, but policymakers also have a role to play in empowering the businesses that will deliver the solutions providing value to everyday consumers.

Lesson 4: Placing a high value on consumer protection will also pay dividends

As discussed in the prior section, there is value in supporting innovative organizations that will use financial records to help consumers. However, the challenge is ensuring that this innovation is not supported at the expense of consumer protections. This is at the core of the challenge for regulators in this space. We have seen how readily consumers are willing to accept terms and conditions on digital products without really knowing what they are committing to and the same risk is present with data sharing arrangements.

There are a number of ways to reduce the potential risk to consumers of sharing data in this way. Firstly, ensuring that the consumer knows exactly what they are signing up for by creating clear consumer experience requirements for data access. This is particularly important for consent requests. In Australia, the Data Standards Body has done this well by developing explicit Consumer Experience (CX) Guidelines that all participants must adhere to based on extensive consumer research to test the best language and formats to ensure consumer comprehension.

Consumer risk can also be reduced by ensuring that any customer data that is shared through the framework is not an easy target for fraudulent activity. This is supported by setting clear requirements for information security controls for any company handling this data. In Australia, the standards on information security were set by the ACCC and have proven to be a major and expensive hurdle for participants to adhere to. For many participants, this cost would be lowered if the information security requirements were aligned to other information security standards such as SOC-2 or ISO27001. This has definitely limited the immediate interest in the number of companies looking to get accredited for the CDR regime, but it has also ensured that Australian consumer data is only shared in a secure way.

Finding the right balance on these issues will be one of the core challenges in enabling consumer access to financial records. The barriers to accessing financial records need to be high enough to protect consumers but not so high that it deters innovation. We would argue that the Australian CDR rules and standards have come very close to achieving this, while others would argue that the accreditation requirements for potential data recipients are too costly to ensure widespread adoption. We do believe that adopting global standards in areas such as information security will help to make things easier for global organizations.

¹ Equifax UK affordability assessment brochure (Accessed Feb 2020): Link
² FDIC - Stats at a glance (September 2020): Link
³ S&P Market Intelligence (September 2020): Link
⁴ Australian Government Productivity Commission (June 2018): Link
⁵ Press release from The Hon Josh Frydenberg MP (Dec 2018): Link
⁶ Press release from the ACCC (Dec 2019): Link