Consumers can leverage their financial data to improve their financial health, gain access to financial services, and enhance control over their finances. In order to benefit from these financial outcomes, consumers provide access to their financial data to end users through data access providers. If data access providers truly want to empower consumers, they must protect that data and ensure that control of the data remains firmly in the hands of the consumer. And a commitment to protect data in word only isn’t enough. 

Data access providers that share financial data they have assembled for the purpose of lending, insurance, and employment must adhere to the Fair Credit Reporting Act (FCRA). Operating as a Consumer Reporting Agency (CRA) is the best way to ensure a consumer-first lending approach that both protects and empowers borrowers. Anything less is just words.

Let’s look at this in greater detail. 

The FCRA and Financial Data Sharing

The Fair Credit Reporting Act protects consumers by establishing and protecting the right for individuals to dispute inaccurate data in consumer reports and get those errors fixed. In order to maintain transparency and ensure accuracy, the Act also requires that consumers have access at any time to any personal financial data provided for credit or insurance eligibility decisioning. 

While the FCRA has historically applied to credit bureaus and certain specialty CRAs, like tenant screening and medical information companies, the Act has a broad scope of coverage and is not limited to traditional credit reporting or a narrow set of CRAs. Third-party data access providers that power financial data permissioning between lenders and consumers use a different type of data sharing model, one for which FCRA compliance is an equally critical component of protecting consumers when they access credit and other financial services.

As it stands, the FCRA applies to consumer reports that CRAs provide to third parties for certain permissible purposes described in the FCRA, such as determining a consumer’s eligibility for credit or insurance. Consumer reports can only be provided and used for these permissible purposes. If data access providers, also known as data aggregators or data agents, are assembling a consumer’s financial data and sharing it for the purpose of credit or insurance decisioning, shouldn’t those providers be considered CRAs, and shouldn’t the FCRA apply to their data sharing?

In order to protect and empower consumers, we think so.

Empowering Consumers with Compliant Data Sharing

FCRA compliance is the only sure way to guarantee fairness, accuracy, and transparency when data access providers assemble consumer financial data and provide it to lenders or insurers to make credit or insurance decisions. 

A current regulatory interpretation of the FCRA suggests that an organization does not become a CRA when it forwards financial data to a third party at a consumer’s request because it is simply engaging in “permission-based sharing” on behalf of the consumer. Finicity believes this interpretation of the FCRA was meant to address different circumstances, such as where a mortgage broker forwards a consumer’s application and credit report to prospective mortgage lenders at the consumer’s request. This and other “conduit”-like functions fall outside the FCRA.

We do not believe, however, that this interpretation was intended to cover situations where a data access provider or other party “assembles” consumer data to provide to financial data users. Such a broad reading of the “permission-based sharing” interpretation would run counter to the purpose of the Act and undermine the protections the FCRA was created to uphold. 

Why can’t data access providers simply promise protections to consumers? Such assurances are of course important, but can vary from provider to provider. Consumers are best served when all data access providers are held to a common standard of consumer protection. Operating as a CRA requires that data access providers adhere to the FCRA and provide specific dispute and disclosure processes that enable consumers to access and view their data, dispute any errors, and understand how their data is being used. 

If a data access provider is delivering consumer data it has assembled to creditors for use in credit decisioning, and is not functioning as a CRA, it is not adhering to the FCRA and not protecting consumers as well as it could.

With open banking and digital financial services continuing to pick up speed, it’s more crucial than ever that the industry demonstrate that the consumer-permissioned data sharing process is conducted fairly, accurately, and with transparency for the consumer. Those positive outcomes follow when a data access provider, in appropriate circumstances, is functioning as a CRA and is legally required to adhere to the FCRA. 

Only when such protections are in place can consumers reliably enjoy the empowerment and improved financial outcomes they deserve. And the financial services industry can similarly benefit from the growth and innovation that come from the increased acceptance of leveraging consumer-permissioned financial data for the benefit of consumers. To learn more about the benefits of FCRA compliance for data access providers, check out our whitepaper.