When you link your bank account to a budgeting app, you type in your username and password without a second thought. Behind that frictionless login is one of the least examined arrangements in modern finance: financial data aggregators use consumer credentials to access account data, sometimes retain that access long after the customer has moved on, and occasionally share those credentials with third parties the consumer has never heard of.
The GUARD Financial Data Act, introduced last week, takes direct aim at this practice.
Under Section 104, a financial data aggregator may not use a consumer’s login credentials to access their bank account unless two conditions are satisfied. First, before any credentials are collected, the consumer must receive a clear and conspicuous disclosure explaining how the credentials will be used, whether they will be shared with any third party, and what privacy and security risks are involved. Second, the consumer must be given a genuine opportunity to opt out, both at the time of collection and at any point afterward.
The bill also introduces the first federal statutory definition of a “financial data aggregator”: any commercial enterprise whose primary business is accessing, aggregating, or selling nonpublic financial information. That definition matters because it brings a previously unregulated category under a clear legal framework for the first time.
Beyond credentials, the bill modernizes the Gramm-Leach-Bliley Act more broadly. Former customers gain the right to request access to their data and have it deleted, with institutions required to respond within 45 days. Sensitive financial data requires affirmative opt-in consent before it can be collected or shared at all.
Credential-based account scraping faces its first real federal constraints. Aggregators and the fintechs that rely on them have one year from enactment to build compliant disclosures and consent flows, or risk overhauling their data access model entirely.