CFPB Provides an Update on its Long-Awaited and Highly Anticipated Financial Data Rights Rule
Whether your company is a new fintech or a traditional financial institution with deep roots, you should be taking notice of the Consumer Financial Protection Bureau's (CFPB) October 27, 2022 announcement concerning Section 1033 of the Dodd-Frank Act. Among other things, Section 1033 mandates that financial services companies provide consumers with access to the data they generate, such as payment histories and transaction records, in a usable electronic format. It further provides that the right to access be "subject to rules prescribed by the Bureau."
While the CFPB has been slow to put pen to paper and promulgate those Section 1033 rules, in hindsight, that may have been a strategic decision on its part. After all, consumers only recently became aware of issues concerning data access, control, and privacy. In addition, the "delay" has allowed the market to develop with little to no regulatory intervention, thereby providing the CFPB with something akin to a control group.
Of note, and perhaps in an attempt to keep pace with and assess the consumer e-finance ecosystem, in 2016, the CFPB issued a request for information from the public regarding consumer access to financial records. Using the feedback it received in 2017, the CFPB outlined principles for consumer-authorized financial data and aggregation. Approximately three years later, the CFPB convened a symposium on the topic.
Thereafter, and signaling its desire to usher in an era of open banking, on July 14, 2021, the Biden Administration issued an Executive Order encouraging the CFPB to consider "commencing or continuing a rulemaking under Section 1033 of the Dodd-Frank Act to facilitate the portability of consumer financial transaction data so consumers can more easily switch financial institutions and use new, innovative financial products." In sum, by giving consumers a right to digitally share their own financial data, the Administration hopes to encourage competition and innovation, which, in its view, will benefit both consumers and creditors.
To that end, on October 27, 2022, the CFPB published a seventy-one (71) page outline, which will be put before a required small business review panel for feedback prior to the issuance of a proposed rule. Notably, the introduction of the outline contains the same sentiments as those expressed in the Administration's Executive Order. The outline also indicates that the CFPB will first regulate financial institutions covered by Regulations E and Z, which include:
- Banks and credit unions that directly or indirectly hold a consumer asset account (including a prepaid account);
- Other persons that directly or indirectly hold an asset account belonging to a consumer (including a prepaid account);
- Persons that issue an access device and agree with the consumer to provide electronic fund transfer services (including mobile wallets and other electronic payment products); and
- Depository and nondepository institutions that provide credit cards or otherwise meet the Regulation Z definition of a card issuer and their agents.
The CFPB explains that it will focus on these "covered data providers" because the financial products they offer implicate payments and transaction data. The CFPB further notes in the outline that it will evaluate how to proceed with other data providers in the future.
Relatedly, the outline also asks whether it would be appropriate to exempt certain data providers from coverage based on a balancing of the benefits to the consumer and the burdens a Section 1033 rule could impose, particularly on smaller covered data providers. The CFPB proposes exemption criteria, including thresholds that take into account an institution's asset size, activity levels (e.g., the number of accounts at an institution), or a combination of both factors.
The information that covered data providers may eventually be required to provide to consumers upon request includes, but is not limited to:
- Periodic statement information for settled transactions and deposits;
- Information regarding prior transactions and deposits that have not yet settled;
- Other information about prior transactions not typically shown on periodic statements or portals;
- Online banking transactions that the consumer has set up but that have not yet occurred; and
- Account identity information.
The above is a somewhat vague assortment of informational categories, although the CFPB explains each in greater detail in the outline. For example, with respect to the third category, the CFPB explains that:
[m]any of the data elements covered data providers receive from payment networks, but do not typically make available on periodic statements or online financial account management portals, may be helpful to consumers as they seek to exercise their rights with respect to payments, including fraudulent or otherwise erroneous payments, that may be charged to their accounts.
These data elements might indicate, for example, the bank into which a card, [automated clearing house], or check transaction was deposited by a merchant or payee, such as a fraudster. They might also indicate the name and account number at the bank of the merchant or other payee (such as a fraudster) that deposited the payment transaction. In addition, they might indicate which banks in between the merchant's bank and the consumer's bank handled the transaction.
The CFPB acknowledges that while access to these data points may be helpful to consumers, particularly in dispute situations, they may also increase privacy risks.
Unsurprisingly, the CFPB takes the position that consumer information should not be provided to a third-party financial services provider without authorization and consent. As such, the proposals under consideration require that, in order to access consumer information, a third party must:
- Provide an "authorization disclosure" to inform the consumer of key terms of access;
- Obtain the consumer's informed, express consent to the key terms of access contained in the authorization disclosure; and
- Certify to the consumer that it will abide by certain obligations regarding collection, use, and retention of the consumer's information.
The CFPB is further proposing that the authorization disclosure be provided close in time to when the third party would need the consumer-authorized information to provide the product or service requested by the consumer.
In line with current trends, the outline also discusses security requirements, data accuracy, dispute resolution, data retention limits, and revocation of third-party authorization. In sum, there is no doubt that the rule, when adopted, will have a major impact on consumers, fintechs, and banks in a myriad of ways. The CFPB plans on publishing a report about the input it receives from the small business review panel in the first quarter of 2023 and a proposed rule later that year. A final rule is not anticipated until 2024. Until then, stay tuned for relevant updates on this topic.