Consumer Privacy Should Be Top-of-Mind for FinTech Firms to Avoid Scrutiny

Elizabeth McGinn Antonio Reynolds Jessica Shannon

By Elizabeth McGinn, Antonio Reynolds and Jessica Shannon

Elizabeth McGinn is a partner in the Washington, D.C., and New York offices of Buckley Sandler LLP, Antonio Reynolds is a counsel in the Washington, D.C. office of the firm, and Jessica Shannon is an associate in the Washington, D.C. office. They advise clients on consumer financial services, privacy, and data security issues.

With many people underserved by traditional lending institutions, including the close to 45 million adults in the U.S. who the Consumer Financial Protection Bureau estimates are “credit invisible” or have had past credit challenges, emerging FinTech lenders and online lending platforms (FinTech firms) have established themselves as valuable lending resources for both investors and consumers. FinTech firms generally use non-traditional lending and underwriting models to assess the creditworthiness of loan applicants, including, in some instances, online data that cannot be gleaned from a consumer’s credit report or employment history.

Undoubtedly, the digital footprints (both active and passive) left by consumers online offer valuable insights about those consumers’ preferences and behaviors, which can be useful to FinTech firms in assessing whether to extend credit. But the use of the Internet, which provides unprecedented access to an extraordinary amount of consumer information (some of which might be obtained without a consumer’s consent or knowledge), has raised significant privacy questions that FinTech firms might have to confront in order to overcome inevitable regulatory scrutiny.

On February 16, 2017, the Consumer Financial Protection Bureau (CFPB) held a field hearing in Charleston, West Virginia, to examine how “alternative data,” can be used to “paint a broader and more accurate picture of [a consumer’s] creditworthiness.” As CFPB Director Richard Cordray noted in his opening remarks at the field hearing:

For [consumers with little or no credit history, or who lack a credit score], the use of unconventional sources of information, called “alternative data,” may allow them to build a credit history and gain access to credit. Alternative data may draw from sources such as rent or utility payments. These obligations may not qualify under more traditional definitions of “credit” and as a result would not be factored into the credit decisioning process. Alternative data may also draw from electronic transactions such as deposits, withdrawals, or transfers from a checking account. And it can encompass the kinds of information that relationship lenders typically know as a matter of course, such as the consumer’s occupation, educational attainment, and various other personal accomplishments. New forms of alternative data may come from sources that never existed before, such as the way we use our mobile phones or the Internet. By filling in more details of a consumer’s financial life, this information may paint a broader and more accurate picture of their creditworthiness. Adding this kind of alternative data into the mix thus holds out the promise of opening up credit for millions of additional consumers.

Additionally, as noted last year by the U.S. Department of the Treasury (Treasury), the value of lending facilitated by or through FinTech firms can be found in the ability to provide consumers with lower credit costs, easier access to products, and faster decision-making. In the context of marketplace lending, for example, which can include peer-to-peer lending as well as funding through institutional investors, hedge funds, and other financial institutions, market analysts estimate significant growth in loan origination volumes as well as an expansion in the types of products being offered. The California Department of Business Oversight conducted a survey of marketplace lenders and found that marketplace lenders provided over $13 billion in financing to consumers in 2014, having only provided less than $2 billion in 2010. This form of lending allows investors and consumers to connect outside the traditional lending and underwriting models. On its face, it appears to be a win-win for all involved.

But even with these significant expressions of optimism about the opportunities that may be available through the use of alternative data, such as Director Cordray’s remarks that alternative data “are most closely correlated with future performance,” FinTech firms should be aware of potential risks about the types of alternative data they collect and the means through which they obtain that data. As the National Consumer Law Center has warned, “the devil is in the details” as the use of alternative data can potentially raise a number of significant legal issues, most notably fair lending and privacy concerns.

From a privacy standpoint (as we save fair lending considerations for other articles), the sharing and use of alternative data in assessing a consumer’s credit risk can be wrought with pitfalls. Gathering information from social networking systems, in particular, can provide significant information about a consumer’s interests and preferences, as well as the consumer’s location and travel history. While Internet users can furnish actively some of this information through entry of data into a system, a significant amount of information also can be gathered passively through cookies and the tracking of user IP addresses. The sources and means through which FinTech firms (and their vendors) gather information matter in examining whether those lenders have complied with current federal and state privacy laws.

Both Congress and various federal agencies have publicly expressed uncertainty about how best to regulate the use of alternative data by FinTech firms.

  •   Treasury noted its concerns with marketplace lenders’ underwriting technology and business models, emphasizing the need for greater transparency for consumers and investors.
  •   The Federal Trade Commission (FTC) held a FinTech Forum last summer, and then-Chairwoman Edith Ramirez stated that the Commission must “ensur[e] that the same protections consumers have in traditional lending contexts also apply to marketplace lending.”
  •   The Office of the Comptroller of the Currency (OCC) has similarly expressed the need for increased regulation of FinTech firms and recently announced its consideration for permitting FinTech firms to complete applications for special purpose national charters, providing companies a choice in seeking a charter to become a special purpose national bank.
  •  The CFPB issued a request for information (RFI) that solicits information about the use of alternative data and modeling techniques in the credit process. The Bureau noted that the use of alternative data poses potential privacy risks regarding how data may be collected and shared, and requested information about the impact on consumer privacy. In particular, the Bureau stated, “Some types of alternative data could raise privacy concerns because the data are of a sensitive nature and consumers may not know the data were collected and shared nor expect or be aware it will be used in decisions in the credit process.” In addition, the Bureau, among other things, asked commenters to describe:
  •  the source of the data, being as specific as possible, including if the data are provided by the consumer or obtained from or through a third party. If obtained from a third party, please indicate if that third party considers itself to be a consumer reporting agency subject to the FCRA;
  •  the quality of the data, in terms of apparent errors, missing information, and consistency over time; and
  •  the original purpose for which the data were initially generated, assembled, or collected, and the standard for coverage, quality, completeness, consistency, accuracy, and reliability that the original data provider applied.
  •  Rep. Patrick McHenry (R-N.C.) sponsored the Financial Services Innovation Act of 2016, intended to improve and promote financial innovation, which included creating Financial Services Innovation offices within various government agencies to support financial innovation.
  •  In an interview at the Brookings Institute, Sen. Mark Warner (D-Va.) expressed his concern that FinTech firms, in what he described as a “wild west space,” could “wreak great havoc very quickly if we’re not careful.”

With the regulatory uncertainty surrounding the use of alternative data (caveating that regulatory priorities may shift under the current administration of President Trump), FinTech firms should consider carefully assessing what data they are collecting and maintaining to ensure that they are complying with current consumer privacy regulations. As demonstrated by the questions posed in the CFPB’s RFI, there is a desire by regulators to obtain information and understand the potential privacy risks of collecting and using alternative data. As FinTech firms begin grappling with these questions, below are a few questions to consider.

If the FinTech firm obtained the data from the consumer:

  •  Did the consumer actively provide the data to the FinTech firm or authorize the FinTech firm to obtain the data through review of consumer reports or other reports?
  •  For data that the FinTech firm obtained passively (either through cookies or other tracking of online activity), did the FinTech firm provide legally sufficient notice to the consumer relating to the terms of use of the website and the specific information that the FinTech firm would be collecting, as applicable?

If the FinTech firm obtained the data from a credit reporting agency:

  •  Did the FinTech firm obtain the consumer’s consent or obtain the consumer report without the consumer’s consent in conformity with the requirements under the Fair Credit Reporting Act?

If the FinTech firm obtained the data from any other third-party (besides a credit reporting agency):

  •  Did the consumer actively provide the data to the third-party?
  •   For data that the third-party obtained passively (either through cookies or other tracking of online activity), did the third-party provide legally sufficient notice to the consumer relating to the terms of the use of the website and/or information that the third-party would be collecting, as applicable?
  •   If notice and opt-outs are required under the Gramm-Leach-Bliley Act (or affirmative opt-in under some state privacy laws), did the third-party provide those notices before sharing the data with the FinTech firm? Under the Gramm-Leach-Bliley Act, information sharing is permissible and there are exceptions to the notice and opt-out requirements. However, these exceptions are limited to specific situations, including information sharing that is limited to certain service providers and marketing activities, or that is necessary for processing a financial transaction, preventing fraud, responding to judicial subpoenas, and complying with federal and state laws.

At bottom, FinTech firms can reduce their litigation and enforcement risks by establishing and maintaining policies and procedures to ensure that they (and their sources of information) are lawfully collecting and maintaining consumer information, advising consumers of the information that is being collected, and providing adequate privacy notices and opt-outs to consumers, as applicable. Since “alternative data” can include so many kinds of information, the specific legal requirements are contingent on the specific relevant facts and circumstances, all of which can be examined by experienced privacy counsel.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.