On Oct. 25, 2022, the Director of the Consumer Financial Protection Bureau (CFPB), Rohit Chopra, announced at a fintech conference that the CFPB “will launch the process to activate a dormant authority under Section 1033 of the Consumer Financial Protection Act . . . [to] provide for personal financial data rights for Americans . . .”
As background, § 1033 of the Consumer Financial Protection Act, a/k/a, the Dodd-Frank Act, generally allows a consumer access to transactional information that a business holds related to products or services that were provided to the consumer.
Specifically, § 1033(a) provides:
Subject to rules prescribed by the Bureau, a covered person shall make available to a consumer, upon request, information in the control or possession of the covered person concerning the consumer financial product or service that the consumer obtained from such covered person, including information relating to any transaction, series of transactions, or to the account including costs, charges and usage data. The information shall be made available in an electronic form usable by consumers.
Of course, the rulemaking process under § 1033 was actually “launched” six years ago when the CFPB issued a Request for Information, which was followed by an Advance Notice of Proposed Rulemaking in 2020 that received 100 comments.
Director Chopra’s announcement was aligned with the Spring 2022 Unified Agenda that indicated the CFPB would issue a Small Business Regulatory Enforcement Fairness Act Outline (“Outline”) in November 2022. In fact, the CFPB ended up slightly ahead of schedule, issuing the Outline on Oct. 27.
The purpose of the Outline is “to assess the impact on small entities that would be directly affected by the proposals under consideration prior to issuing a proposed rule regarding section 1033.” The CFPB will convene a Small Business Review Panel to request and receive feedback from small entity representatives, and others may submit comments by Jan. 25, 2023.
The Outline consists of 149 questions on these topics:
- Coverage of data providers subject to the proposals under consideration
- Recipients of information
- The types of information a covered data provider would be required to make available
- How and when information would need to be made available
- Third party obligations
- Record retention obligations
- Implementation period
- Potential impacts on small entities
COVERAGE OF DATA PROVIDERS
The CFPB is proposing rules that would require a defined subset of covered persons that are data providers to make consumer financial information available to a consumer or an authorized third party.
The CFPB is beginning with these covered persons, in part, “because they both implicate payments and transaction data,” noting, however, that it “intends to evaluate how to proceed with regard to other data providers in the future.”
Initially, as proposed, the rules would apply to this subset of covered persons:
- Financial institutions with consumer “accounts” as defined in Regulation E, such as banks, credit unions and other entities holding consumer asset accounts; and
Regarding entities that meet the Regulation E definition, the CFPB identifies:
- Banks and credit unions that directly or indirectly hold a consumer asset account (including a prepaid account);
- Other persons that directly or indirectly hold an asset account belonging to a consumer (including a prepaid account); and
- Persons that issue an access device and agree with a consumer to provide electronic fund transfer (EFT) services (including mobile wallets and other electronic payment products).
Regarding entities that meet the Regulation Z definition, the CFPB identifies:
- Issuers of a credit card account under an open-end (not home-secured) consumer credit plan (as defined in Regulation Z § 1026.2(a)(15)(ii)), i.e., a credit card account under an open-end (not home-secured) consumer credit plan is any open-end credit account that is accessed by a credit card; and
- Issuers that do not hold consumer credit card accounts, but that issue credit cards, such as by issuing digital credential storage wallets, notwithstanding that those transactions rely on consumer credit card accounts held at another entity.
The CFPB is also considering exempting some data providers from a requirement to make data available via data portals based on thresholds, such as asset size or activity level.
RECIPIENTS OF INFORMATION
The CFPB is proposing that “a covered data provider would satisfy its obligation to make information available directly to a consumer by making the information available to the consumer who requested the information or all the consumers on a jointly held account.” This section includes a discussion of third-party authorization requirements.
TYPES OF INFORMATION MADE AVAILABLE
The CFPB proposes covered data providers would make available the following types of information:
- Periodic statement information for settled transactions and deposits, such as generally appear for asset and credit card accounts;
- Information regarding prior transactions and deposits that have not yet settled, such as transaction histories commonly made available through online management portals;
- Other information about prior transactions not typically shown on periodic statements or portals, such as data from payment networks;
- Online banking transactions that the consumer has set up but that have not yet occurred, such as with bill pay services;
- Account identity information, but balancing it with concerns about fraud, privacy, and security; and
- Other information, such as:
  - Consumer reports from consumer reporting agencies, such as credit bureaus, obtained and used by the covered data provider in deciding whether to provide an account or other financial product or service to a consumer;
  - Fees that the covered data provider assesses in connection with its covered accounts;
  - Bonuses, rewards, discounts, or other incentives that the covered data provider issues to consumers; and
  - Information about security breaches that exposed a consumer’s identity or financial information.
HOW AND WHEN INFORMATION WOULD BE MADE AVAILABLE
Regarding direct access to information by consumers, the CFPB proposes that “a covered data provider would be required to make available information if it has enough information to reasonably authenticate the consumer’s identity and reasonably identify the information requested.” Also, with proper authentication, that “covered data providers would be required to allow consumers to export the information covered by the proposals under consideration in both human and machine-readable formats.”
The CFPB seeks input regarding consumer identity authentication, fees, included data elements, and data formats.
Related proposals regarding third-party access include:
- Third-party portals that do not require an authorized third party to possess or retain consumer credentials;
- Requirements to promote the availability, security, and accuracy of information made available to authorized third parties, including establishment of a general framework under which industry-set standards and guidelines can further develop;
- Third-party portal requirements related to factors affecting the quality, timeliness, and usability of the information;
- Required policies and procedures or performance standards to ensure that the transmission of information through the covered data provider’s third-party access portal does not introduce inaccuracies;
- Requirements to make information available to a third party only upon receipt of a third party’s authority to access information on behalf of a consumer, information sufficient to identify the scope of the information requested, and information sufficient to authenticate the third party’s identity; and
- Requirements and restrictions regarding the provision of information to third parties that is known to be inaccurate.
THIRD PARTY OBLIGATIONS
Here, the CFPB’s proposals relate to the obligations of third parties, including:
- Prohibiting the collection, use, or retention of consumer information beyond what is reasonably necessary to provide the product or service the consumer has requested;
- Limitations on duration and frequency of information access;
- Limitations on third parties’ secondary use of consumer-authorized information;
- Deletion of consumer information that is no longer reasonably necessary to provide the consumer’s requested product or service, or upon the consumer’s revocation of the third party’s authorization;
- Compliance with the Safeguards Rule or Safeguards Guidelines, or development and implementation of security programs based on the third party’s size and complexity and the nature of the data;
- Requiring policies and procedures to ensure the accuracy of information collected and used;
- Requiring periodic reminders to consumers on how to revoke authorization; and
- Requiring a mechanism to request information about the extent and purposes of the authorized third party’s access.
RECORD RETENTION OBLIGATIONS
The CFPB is seeking feedback on its proposal for “record retention requirements for covered data providers and authorized third parties to demonstrate compliance with certain requirements of the rule.”
IMPLEMENTATION PERIOD
The CFPB is seeking “input on an appropriate implementation period for complying with a final rule,” and how the timeframe may need to take into consideration smaller entities’ ability to operationalize the requirements.
POTENTIAL IMPACTS ON SMALL ENTITIES
A major part of this section is devoted to quantifying the number of small entities that may be affected by the proposals. The CFPB provides estimates for the following:
- Small Depository Firms
  - Commercial Banking and Savings Institutions
  - Credit Unions
- Small Nondepository Firms
  - Software Publishers
  - Data Processing, Hosting, and Related Services
  - Sales Financing
  - Consumer Lending
  - Real Estate Credit
  - Financial Transactions Processing, Reserve, and Clearinghouse Activities
  - Other Activities Related to Credit Intermediation
  - Investment Banking and Securities Dealing
  - Securities Brokerage
  - Commodities Contracts Brokerage
  - Payroll Services
  - Custom Computer Programming Services
  - Credit Bureaus
The concepts and proposals in the Outline are similar to the consumer rights contained in the data privacy laws passed in California, Virginia, Colorado, Utah, and Connecticut, with one major difference: there is no exemption for data or entities subject to the Gramm-Leach-Bliley Act. Thus, businesses that fit the definition of a covered data provider and have previously relied in whole or in part on those GLBA exemptions should monitor this rulemaking closely and consider the new compliance challenges it will pose.