KT Fintech Blog

The KT Fintech Blog provides insights into how the emergence of fintech is fundamentally changing virtually every aspect of the financial services landscape and how traditional businesses navigate this rapidly evolving industry.

Category: Cybersecurity

CFPB Outlines Principles for Consumer-Authorized Financial Data Sharing and Aggregation

Posted on Thursday, October 19 2017 at 9:00 am

Written by Eamonn Moran

The Consumer Financial Protection Bureau (CFPB or Bureau) recently released a set of consumer protection principles that apply when consumers authorize third-party companies to access their financial data in order to provide certain financial products and services. The Bureau states that these principles, which all stakeholders that provide, use, or aggregate consumer-authorized financial data should consider, “are intended to help foster the development of innovative financial products and services, increase competition in financial markets, and empower consumers to take greater control of their financial lives.”

Many companies, including fintech firms, banks, and other financial institutions, obtain authorization from consumers to access account data held by other organizations in order to provide a variety of products and services. Consumer-authorized access to consumer financial account data in electronic form may enable consumer-friendly innovation in financial services. Companies that consumers authorize to access their digital financial records can aggregate and use those records to offer new products and services aimed at making it easier, cheaper, or more efficient for consumers to manage their financial lives. Examples of such “data-aggregation” products and services include fraud screening and identity verification, personal financial management, and bill payment. At the same time, this kind of expanded access to consumer financial records raises a number of concerns, particularly with respect to data security, privacy, and unauthorized access. The Bureau “advocates strongly for consumer control of the consumer’s data and transparency,” while emphasizing the importance of data security and privacy.

The principles articulate the Bureau’s “vision for realizing a robust, safe, and workable data aggregation market that gives consumers protection, usefulness, and value.” The principles, which are intended to be read together, relate to:

  • data access;
  • data scope and usability;
  • control of the data and informed consent;
  • payment authorizations;
  • data security;
  • transparency on data access rights;
  • data accuracy;
  • accountability for access and use; and
  • disputes and resolutions for unauthorized access.

These principles build upon the CFPB’s 2016 Request for Information (RFI) to gather feedback from a wide range of stakeholders concerning consumer-authorized data access. Based on the RFI, as well as other stakeholder outreach, the Bureau “understands that some key industry stakeholders are working on improvements to consumer-authorized data access. These improvements relate to the agreements, systems, and standards involved in consumer-authorized data access.”

The Bureau states that it “will continue to closely monitor developments in this market and will also continue to assess how these principles may best be realized.” The Bureau notes that these principles “do not establish binding requirements or obligations relevant to [the agency’s] exercise of its rulemaking, supervisory, or enforcement authority. In addition, they are not intended to alter, interpret, or otherwise provide guidance on existing statutes and regulations that apply in this market.” Lastly, the Bureau states that these principles “are not intended as a statement of [the agency’s] future enforcement or supervisory priorities.”

We will provide additional updates on this topic and related privacy and data governance issues as further developments occur.

Cyber Winter is Here, and Coming to Regulation: New York Cybersecurity Rule Ice Dragon Heading for the Wall

Posted on Tuesday, October 3 2017 at 9:00 am

Written by Jon Neiditz and Julie Grundman

The State of New York’s response to two large cybersecurity breaches may fuel the transformation of state regulation of corporate cybersecurity in the U.S. Unlike typical state data breach statutes, which focus on notifying individuals about breaches of certain types of personal information, New York’s new cybersecurity rules impose minimum standards for protecting both critical business information and individuals’ nonpublic information, highlighting New York’s concern with both consumer protection and the health of the financial sector. In response to the highly publicized Equifax breach, on September 18, 2017, New York’s Governor Andrew Cuomo directed New York’s Department of Financial Services (NYDFS) to issue a proposed new regulation [1] requiring credit reporting agencies to comply with New York’s high-bar Cybersecurity Requirements for Financial Services Companies (the “Cybersecurity Rules”). [2] Governor Cuomo’s action signals New York’s willingness to expand its new model of cybersecurity regulation, which mandates that companies protect the confidentiality, integrity, and accessibility of not just individuals’ personal information, but also material business information, which we call a company’s “knowledge assets” or “crown jewels.” On September 25, 2017, the Guardian reported that Deloitte Touche Tohmatsu Limited, the Big Four professional services firm with its operational headquarters in New York City, experienced a cybersecurity breach that affected its email system and client records, among the most critical nonpublic business information of a professional services firm. [3] What, aside from lobbying efforts, is to stop Governor Cuomo from proposing that the New York Cybersecurity Rules cover accounting firms as well?