Fintech and financial privacy: regulatory developments on the use of financial data | Wilson Sonsini Goodrich & Rosati


So you are a fintech start-up, you are buying a fintech company, or you are building out the technical capabilities of your financial company. Or you're a tech company getting into the payments space. Where do you start when determining which consumer protection laws apply to you? You should know that for several years the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB) have been actively enforcing consumer protection laws in the fintech space. For example, the FTC has recently filed lawsuits involving an online lender that allegedly charged an undisclosed fee, a mobile banking app that falsely promised high interest rates and 24/7 access to funds, promoters of cryptocurrency money creation schemes, and technology platforms offering in-app purchases. The CFPB recently took action against an online lender backed by VC for false advertising related to interest rates and loan amounts. At the beginning of last year, the CFPB obtained refunds and a civil penalty against a fintech for allowing merchants to obtain loans for consumers without their authorization.

One of regulators' biggest concerns about fintech companies lately is how these companies will use and protect consumer data. Here are some regulatory developments that fintech companies should watch out for:

  • Increased regulatory scrutiny of privacy practices: Keep an eye out for the FTC's upcoming privacy rulemaking, which could apply to a range of economic sectors, including fintech. The CFPB has also launched fintech privacy investigations:
    • Technology platforms: In October, the CFPB ordered six major technology companies – Google, Apple, Facebook, Amazon, Square and PayPal – to provide information about their P2P payment and mobile wallet applications such as Venmo, Cash App, Apple Pay, Amazon Pay and Google Pay. The CFPB also announced that it will study the practices of Chinese tech giants that offer payment services, such as WeChat Pay and Alipay. The CFPB is requesting information on whether these companies will combine the data they collect about consumers with their geolocation and browsing data to target advertisements to consumers.
    • Buy Now, Pay Later (BNPL) companies: The CFPB also sent orders to Affirm, Afterpay, Klarna, PayPal, and Zip, companies that offer "buy now, pay later" credit, a type of deferred payment option. Among other things, the CFPB is concerned about "data harvesting" by BNPL lenders who have access to their clients' payment histories, and seeks to better understand practices around data collection, behavioral targeting, the monetization of data, and the risks that these practices can create for consumers.
  • Updates to the GLBA Safeguards Rule governing the security practices of financial institutions: In October 2021, the FTC amended its Safeguards Rule, which requires non-bank financial institutions to implement information security safeguards. The changes create prescriptive rules on issues such as encryption and multi-factor authentication. With fintech companies being an attractive target for cybercriminals, having a compliance program in place under the GLBA is a must. See our alert here for more information on the main provisions of the updated rule. Fintech companies are also subject to the GLBA Privacy Rule, which requires disclosure of privacy practices.
  • Upcoming rules on access to financial data: In its Fall 2021 Regulatory Schedule, the CFPB has put forward as one of its main activities a rule relating to consumer access to data in their own electronic financial accounts. This regulation is particularly timely given the explosion of data aggregators who access consumer data from their financial accounts with their permission and share it with other entities (for example, compiling consumer financial information for a mortgage application). In a previous proposed regulation on this issue, the CFPB sought information on the potential risks associated with such access, including risks related to security, consumer control of privacy, and liability for data errors and unauthorized access. These issues were also discussed at a recent House Financial Services Committee hearing.
  • Potential application of the Fair Credit Reporting Act: Fintech companies should familiarize themselves with the Fair Credit Reporting Act (FCRA), which applies not only to credit bureaus and background check companies, but also to anyone who: 1) collects or assesses consumer data and shares it for purposes of determining credit eligibility, insurance, employment, housing, or other eligibility purposes; 2) purchases credit reports, including credit scores; or 3) provides consumer information to credit bureaus. Here are some examples of fintech companies that should consider whether the FCRA applies to them:
    • Lead generators: In its recent case against financial lead generator IT Media, the FTC alleged that the company obtained consumer credit scores from credit bureaus and used them for marketing purposes in violation of the FCRA. The FTC further alleged that IT Media was a "reseller" of consumer reports and, as such, violated its obligations to ensure that any end user of such reports had a legitimate purpose for obtaining them.
    • Data aggregators: If you collect authorized consumer financial data and share it for eligibility purposes (e.g., credit, insurance), the FCRA likely applies to you.
    • Companies that buy or use algorithms: Certain sharing or use of algorithms to deny credit, housing, employment, or other consumer benefits may involve the FCRA.
    • Collection agents: Of course, fintech startups in debt collection must comply with the Fair Debt Collection Practices Act and the new CFPB rules that became effective under this law as of November 30, 2021. But many debt collectors also provide information to credit bureaus and are therefore subject to FCRA obligations to maintain the accuracy of this information and allow consumers to dispute inaccuracies. Indeed, just last week, the CFPB issued a newsletter warning businesses that if they provide information to credit bureaus about medical debt resulting from charges that exceed the amount allowed by federal law, the CFPB will take action.
  • Special attention to algorithms: In addition to raising compliance issues with the FCRA, the FTC has warned that the use of algorithms that discriminate against protected classes may be considered an unfair practice and may also result in liability under laws such as the Equal Credit Opportunity Act. The CFPB has also taken action: it has just overhauled its whistleblower page and shared a post from its chief technology officer encouraging whistleblowers with knowledge of "potential discrimination or other misconduct within the authority of the CFPB to report it to us." Companies should test their algorithms before launching them and proceed with caution where their practices may result in disparate treatment or have a demonstrable disparate impact based on protected characteristics.
  • Interest in protecting small businesses: Think you're off the hook if you don't market your products to consumers? Think again. The FTC and CFPB think deeply about consumer protection and privacy, with a keen interest in protecting not only consumers of products and services, but also workers and small businesses. For example, while the FCRA only applies to consumer credit, the FTC announced a settlement challenging Dun & Bradstreet's business credit reports under the FTC Act, alleging that they were inaccurate and did not give businesses a reasonable process to challenge those inaccuracies. The result? Consumer protection and privacy laws may apply even if you sell products and services to small businesses.

The bottom line for fintech companies: Consider why you collect personal data, how you collect, use and store it, and whether and how you share or access it. Do you use this data to facilitate consumer decision-making? If so, consider whether the FCRA applies. In general, the less data you collect and share, the less regulatory exposure you have.

