June 07, 2022

Brown Presses FSOC to Protect Consumer Data

Today, Sen. Sherrod Brown (D-OH), Chair of the Senate Committee on Banking, Housing, and Urban Affairs, sent a letter to Treasury Secretary Janet Yellen to request a review by the Financial Stability Oversight Council (FSOC) of financial institutions’ consumer data activities and their potential threat to U.S. financial stability and security. In the letter, Brown highlighted the risks that data sharing poses when bad actors have access to sensitive consumer data.

“I have long expressed serious concerns about the potential risks associated with the sale of consumer financial data to Americans’ security and civil rights,” said Brown. “The breadth of personal consumer data that financial institutions have access to and can legally sell or otherwise disclose to commercial entities and to data brokers creates a concerning entry point for bad actors to obtain and use that information for their own purposes.”

Brown has long supported measures to prevent abusive data practices by corporations and financial institutions. Brown’s proposed privacy bill, the Data Accountability and Transparency Act of 2020, would create a new framework giving Americans the power to hold corporations, big tech, and the government responsible for how they collect and protect personal data. Last year, Brown sent a letter to the Consumer Financial Protection Bureau (CFPB) urging it to address Chime’s data breaches and privacy concerns. Brown also led the charge to hold Equifax accountable after its 2017 data breach.

A copy of the letter is available here and below.

Dear Secretary Yellen:

In order to better understand the holistic effect of the collection and sale of consumer financial data practices on the U.S. financial system, I respectfully ask that the Financial Stability Oversight Council (“FSOC”) assess whether and to what extent the collection and sale of consumer data by financial institutions pose a systemic threat to U.S. financial stability and security.  The breadth of personal consumer data that financial institutions have access to and can legally sell or otherwise disclose to commercial entities and to data brokers creates a concerning entry point for bad actors to obtain and use that information for their own purposes. 

I have long expressed serious concerns about the potential risks associated with the sale of consumer financial data to Americans’ security and civil rights.  Stories of apps and websites used by children for school during the pandemic selling information to data brokers and marketers, opioid treatment recovery apps sharing sensitive data with third parties, and mental health apps tracking and sharing data with third parties highlight a troubling trend.  Those stories show that the scope and scale of data shared with third parties creates privacy and security issues, allowing bad actors to specifically target at-risk people and further endanger already vulnerable communities.  Financial institutions have access to raw and sensitive data, including data pertaining to the products and services consumers purchase, the precise location and time of such purchases, and the amount spent.  They may sell this information to third-party purchasers or data brokers who compile it with personal data collected from other sources.

The compilation and sale of data to third parties, data brokers, and commercial entities is often associated with advertising, but it is also exploited for other uses.  For example, we have seen popular retail stock trading platforms sell user data so that big Wall Street investors can profit off of ordinary retail investors.  The collection and sale of consumer financial data also opens the door to other nefarious uses, including the use of data to glean consumers’ tolerance for price hikes, or using certain people’s spending patterns to target them for blackmail or ransomware.

Under the Gramm-Leach-Bliley Act and related regulations, financial institutions must disclose their information-sharing practices to their customers in a comprehensible way, safeguard sensitive data, and allow customers to opt out of having nonpublic personal information shared with nonaffiliated third parties.  It is unclear, however, if consumers are aware of those rights and how often those rights are exercised.  Additionally, because financial institutions do not share which third parties they sell data to, it is difficult to assess how data is used or if it is protected at all.  Finally, given the increased targeting of specific populations through the compilation of data purchases, a clearer understanding of the risks data sharing poses to consumers is needed.

The Dodd-Frank Wall Street Reform and Consumer Protection Act established FSOC to identify risks to the financial stability of the United States.  As Chair of FSOC, you have identified risks to our financial system posed by cybersecurity incidents, including ransomware attacks and data breaches.  In a similar vein, I encourage FSOC to assess whether and to what extent the collection and sale of consumer data by financial institutions pose a systemic threat to the country’s financial stability. 

Thank you for your prompt attention to this matter, and I look forward to working with you to protect U.S. financial stability.

###