Welcome to Consumer Reports Advocacy

For 85 years CR has worked for laws and policies that put consumers first. Learn more about CR’s work with policymakers, companies, and consumers to help build a fair and just marketplace at TrustCR.org.

Fair Digital Finance Evaluation Framework

Principle 3: Transparency

Digital finance companies communicate with users in a complete and meaningful way.

  • People do not need to give up legal rights in order to use the service.
    • The legally binding documentation does not require an end user to commit to resolve disputes via binding arbitration.
    • The legally binding documentation does not require an end user to commit to give up their right to be part of a class action against the company.
  • Company clearly discloses legally binding documentation.
    • All legally binding documentation can be accessed from a single location accessible to users before creating an account or purchasing access to the service.
    • Legally binding documentation is linked in site navigation on the company home page and the product overview page.
    • User data rights are clearly disclosed before a person creates an account on the service.
    • Company shares all applicable user data rights in short form disclosure that is accessible before a person creates an account on the service.
    • Company discloses the use of data collection and/or data use that can be incorporated into a profile that supports secondary uses such as targeted advertising.
    • Company discloses what user information is incorporated into data profiles that can support secondary uses.
    • The company provides a clear explanation of how users can control whether their information is incorporated into a data profile.
    • Company does not engage in network growth hacking (sharing contacts with the app) unless doing so is a feature of the app (e.g., for P2P payment services).
    • Data sales or transfers are opt in by default, with clearly defined processes in legally binding documentation to give and withdraw consent.
  • Users understand product’s business model.
    • Company transparently shares business model.
    • Company shares how it earns revenue.
    • Users understand how the company earns its revenue.
    • Company transparently shares staff incentives.
  • Fees are transparently shared with consumers in a meaningful way.
    • Users receive in-app notifications of fees at appropriate times when interacting with the service.
  • User data rights are transparently shared with consumers in a meaningful way.
    • Users receive in-app notifications of data rights at appropriate times when interacting with the service.
    • Users are provided with clear notification of the data collected and its intended use.
    • Implementation is responsible about third-party software integrations that may not offer the same level of transparency.
    • Data end points are disclosed.
  • The company evaluates its security practices and is transparent about them.
    • The company publicly shares its comprehensive information security program in a prominent location that is linked from its home page and product page.
    • The company shares results of periodic risk assessments that identify internal and external risks to the security, confidentiality, and integrity of customer information.
  • The company notifies appropriate authorities and those affected when a cybersecurity incident occurs.
    • The company commits in legally binding documentation to notify the relevant authorities within 36 hours, or as required by statute, when a cybersecurity incident occurs.
    • The company clearly discloses its process and timeline for notifying users who might experience a disruption in service, monetary loss, or identity theft due to a cybersecurity incident.
    • The company clearly discloses what steps it will take to address the impact of a cybersecurity incident on its users.
    • The company maintains a service status dashboard so people can see if and when the service is impacted by outages in real time.
  • The product or service is marketed fairly and accurately.
    • Marketing materials help potential users clearly understand both risks and benefits.
    • Marketing materials make all disclaimers required by law.
  • Company explains the service to users in a meaningful way.
    • Services are explained in a legal document.
    • Services are clearly explained in a meaningful way throughout the user experience.
    • Transaction speed (time it takes to complete a typical transaction as defined by the product: loan approval for credit, claims processing for insurance, deposit for savings, payment completion for payments) is disclosed in a legally binding document.
    • The company commits to notify users about changes to the service.
    • The company discloses how and when users will be directly notified of changes to the service(s).
  • Use of ML/AI is clearly explainable and equitable.
    • Company clearly discloses how and when ML/AI is used.
    • Company discloses what factors are considered in ML/AI.
    • The right for users to challenge automated decisions is defined in a legally binding document.
    • Procedure to challenge automated decisions is clearly documented and accessible.
    • Company makes efforts to ensure ML/AI is trained and retrained to root out and unlearn bias, and to not replicate inherent systemic barriers or discrimination.
    • The company commissions and releases the results of third-party equity audits on its use of ML/AI.