Credit Monitoring Aggregators: Regulatory Concerns and Barriers
Barriers facing a company that is considering launching a credit monitoring aggregator include consumer access, data scope and usability, informed consent and control, security, access transparency, accuracy, and unauthorized access. These areas of regulation are essential to the success of the credit monitoring aggregator application. All of these regulations are set by the Dodd-Frank Act and Executive Order 13772 on Core Principles for Regulating the United States Financial System, and failing to observe them can have serious legal repercussions.
BARRIERS TO ENTRY
Consumer Access
- Upon request, consumers can obtain information regarding their ownership and product or service use from a credit monitoring site, and the information must be available promptly. Authorizing a trusted third party to obtain data on their behalf will be beneficial to the consumer based on the services and products offered. Account terms and agreements protect authorized consumer access, promoting consumers’ interests, which allows consumers to grant access to their personal account information. This form of access does not require the consumer to provide their account credentials to third parties, which may not be trusted sites.
Data Scope and Usability
- Data that is subject to consumer and consumer-authorized access may include transactions or consumer usage of any kind. It could include the terms of an account, like a fee schedule or any form of interest paid, and consumer benefits such as earned interest or account-based rewards. This information is made available in forms consumers or authorized parties can readily use. Third parties that obtain authorization can only access data that is necessary to provide their services, and the information is available to them only for as long as it is needed to perform such a service.
Informed Consent and Control
- The terms of authorization and use must be explicitly outlined to the consumer regarding data access and scope, data storage, data use, and data disposal. The wording cannot be overly broad and must be disclosed to and understood by the consumer. The terms of the agreement allow the consumer to take control of who has access to their data. Consumers must not be coerced into providing access to third parties that are employing fear-mongering or fear-of-loss tactics, and they need to understand that the access can be revoked at any time. Data sharing revocations are implemented by the provider and done promptly at the discretion of the consumer.
Security
- Consumer data must be protected from security breaches, and data must be formatted in such a way as to prevent harm to the consumer. Data must be stored appropriately and used in a secure manner. All parties that store, transmit, access, or dispose of consumer data must use strong security measures to mitigate risks of breaches, errors, unauthorized access, and fraud, only sending data to third parties with such protections in place. These security measures must continue to be updated, as new threats may arise.
Access Transparency
- Consumers must be able to verify which third parties have been authorized by them to access or use information regarding their data. This availability must remain throughout the third party’s access to the consumer’s data. The frequency with which the consumer’s data is accessed must also be available to the consumer for the duration of the period in which the third party has access to information that is used or stored.
Accuracy
- Consumers should be able to expect a specific level of accuracy, and the data they access or authorize third parties to access must be up to date. The consumer should also have the ability to dispute any inaccuracies at any time.
Unauthorized Access
- Consumers must have access to practical means of disputing or resolving instances of illegal data sharing, access, or unauthorized payments made as a result of unauthorized shared data. Failing to comply with this obligation could result in a loss of consumers. Identifying the party that gained unauthorized access is not required for remediation to occur. The unauthorized parties are held accountable for this access and will face serious consequences.
We visited the U.S. Department of Treasury to research information on regulations that are set by the proper authorities, and we found information regarding these regulations in a document titled 'Executive Order 13772 on Core Principles for Regulating the United States Financial System'. This document delved into the requirements for non-bank financial institutions, fintech and data aggregator applications, and other possible innovations in this field. We found that the Dodd-Frank Act of 2010 protects consumers' credit in the event of a recession, and the Gramm-Leach-Bliley Act enforces the requirements for consumer privacy and consent, which plays a major role in collecting consumer data to create a credit monitoring aggregator. Based on the given facts, we then made an informed decision on the requirements set for the launching of a credit monitoring aggregator.