regulatory tailwinds
Matthew Gomes

Matt Gomes


Ride Regulatory Tailwinds With Consumer-Permissioned Data

Attitudes toward the collection and monetization of consumers’ financial data are undergoing a major sea change. Is your business keeping up?

Recently, we’ve seen a flurry of regulatory activity around how consumers’ financial data is collected and shared. From the Consumer Financial Protection Bureau (CFPB) chastising consumer reporting agencies (CRAs) like Equifax for how they handle consumer complaints, to the Federal Housing Finance Agency (FHFA) announcing the creation of a new Office of Financial Technology to ensure the responsible risk management of innovation in the mortgage industry, there is no shortage of scrutiny.

Why is all of this happening now? In a nutshell, consumer sentiment around data sharing practices is shifting—and regulatory bodies are taking note.

For one thing, consumers are becoming more wary of their private information being gathered and used without their informed consent. At the same time, technology is increasingly empowering consumers to actively participate in the data-sharing process. This includes direct-source data solutions—like Argyle and Plaid—that allow consumers to connect third-party service providers directly to their employer, payroll, and/or bank accounts, so said third-parties can stream their financial data straight from the source.

So, how is this affecting data regulation? Recent activity from regulatory bodies generally falls into four categories: transparency, competition, accuracy, and security. Below, we share recent trends in each and explain how embracing direct-source, consumer-permissioned data now can help you stay one step ahead of the compliance curve—and win points with your customers.


In late 2022, the CFPB made it clear that it will move to accelerate the shift toward open banking and open finance, including increasing consumers’ access to and control over their own financial data.

Much of this comes down to informed consent. Speaking on behalf of the agency, CFPB director Rohit Chopra said, “When a consumer permits their private data to be used by a company for a specific purpose, it is not a free pass for a firm to exploit the data for other uses, no matter what the legal mouse-print may say.”

His words appear to condemn the legacy CRA model, in which income, employment, and transaction data is bought and sold largely unbeknownst to consumers. With newer, direct-source models like Argyle, a consumer actively authorizes access to their data by logging into their employer or payroll account—and they can revoke their permission at any time.

To support the move toward giving consumers “meaningful control over how their data is being used,” the CFPB has indicated that it will seek to create and enforce a number of rules around consumer data, including purpose limitations and data deletion requirements, among many others.

As consumer-permissioned data models continue to take on legal and ethical importance, service providers that import consumer data from outside sources will be smart to adopt said models that already accommodate many of the CFPB’s proposed rules.


At the heart of the CFPB’s embrace of consumer-permissioned data sharing is the agency’s concern over competition (or lack thereof) in the consumer finance industry. Historically, and in many cases still, data’s long-standing immobility has made switching financial service providers prohibitively difficult, locking consumers into relationships that may not be serving their needs and centralizing market share in the hands of a few institutions.

The CFPB sees increasing personal financial data rights—and, by extension, giving consumers more power to move their data among financial service providers—as the best pathway to a more competitive marketplace.

Take, for example, direct deposit switching. In order for a consumer to establish a new primary bank, it’s generally necessary to deposit at least a portion of their regular paycheck into that account. But financial service providers following traditional processes don’t make it easy. There are too many hoops to jump through, too much red tape to navigate, and too many parties involved.

But when data is portable and sharing is authorized, the barriers vanish. With direct-source solutions like Argyle, direct deposit switching can be automated and made available on-demand, allowing consumers to more easily enter into relationships with other banks. This compels financial service providers to innovate and better cater to the needs of their customers in order to retain them, and gives emerging financial service providers a real shot at gaining market share.

In the eyes of the CFPB, this more competitive landscape is the ideal. To get there, they envision requiring financial service providers offering products like deposit accounts, credit cards, digital wallets, and prepaid cards to offer their customers secure data-sharing solutions. For service providers that do offer these products, making the transition to secure data-sharing now will put them at the vanguard rather than scrambling to comply when regulations are officially passed.


In its January 2023 annual report, the CFPB focused on the ongoing problem of inaccuracies in CRA-generated consumer data reports. Between September 2021 and October 2022, the agency received more than 1 million credit or consumer reporting complaints, mostly involving accusations of incorrect report information.

And while the CRAs seem to have improved their response to such errors compared to 2022’s report, the CFPB maintains that consumers continue to face inaccuracies and frustrating dispute resolution processes that compromise their financial health.

The CFPB further made clear its frustrations with CRAs when it filed amicus briefs commanding CRAs to follow “reasonable procedures to assure maximum possible accuracy.” These developments suggest that the CFPB may have plans to further regulate the way inaccuracies are dealt with when it comes to consumer data used in credit origination processes.

Of course, these regulations would largely impact CRAs, but service providers that rely on CRA-supplied consumer data to make credit decisions should also be vigilant. The FCRA states that any person or entity that willfully fails to comply with any accuracy requirement is liable for the damages incurred by each consumer, plus fines, punitive damages, and attorney fees, as applicable.

In other words, service providers working with a CRA that can’t meet its responsibilities under the FCRA face significant compliance risks. Fortunately, the risks can be avoided when you retain data through a more accurate, direct-source (non-CRA) provider.


Meanwhile, the Securities and Exchange Commission (SEC) has been cracking down on cybersecurity in the financial sector. Among other measures, the SEC proposed regulations that will make it mandatory for companies to report cybersecurity incidents within 72 hours, make periodic disclosures about their policies and procedures to identify and manage cybersecurity risks, and provide updates about previously reported cybersecurity incidents.

This comes after several inquiries in the wake of the 2017 Equifax data breach, which impacted hundreds of millions of U.S. consumers and brought critical attention to the issue of cybersecurity and financial data sharing.

In light of these developments, it is even more important for public companies that handle consumer financial data to choose data providers they can trust to keep their (and their customers’) data safe.

Working with reputable data providers is also an important step for earning and retaining customers’ trust. A recent survey shows that over 80% of consumers believe data security is “very” or “extremely” important when sharing personal information online.

The bottom line

Service providers that rely on purchased consumer data to run their business—including mortgage and personal loan lenders, background check providers, banks, BaaS platforms, and more—will need to incorporate direct-source, consumer-permissioned data-sharing models. It’s just a matter of when. The prudent among them will begin exploring how to make the shift now, not just to keep pace but to begin reaping the benefits sooner.

The advantages are clear. Direct-source consumer data providers like Argyle are intrinsically more accurate than Equifax and offshoots like The Work Number because they instantly deliver pre-verified, real-time data pulled straight from the system of record. This helps service providers make faster, more accurate decisions and complete workflows more efficiently. At the same time, they build trust with consumers and comply with new industry standards by empowering them to be in control of their data.

Want to learn more about direct-source, consumer-permissioned data solutions?

Reach out to our team to discuss how Argyle can help you get in front of upcoming regulatory and compliance requirements.