New Federal Regulation of Financial Data: CFPB Issues Long-Awaited Notice of Proposed Rulemaking
It would also extend beyond banking and encompass technology companies. What does this mean, why now, and what are the ensuing opportunities? Below, we address each of these questions.
Legal Authority for the New Rule: Section 1033
Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) of 2010 authorized the Bureau to write a new regulation fleshing out the precise statutory obligations of businesses with respect to consumer data access and financial data protection. But there was no official rulemaking on this for ten years. On October 22, 2020, the Bureau issued an “advance notice of proposed rulemaking” (ANPR) soliciting comments on how to best implement Section 1033.
Subject to certain exceptions, Section 1033 provides, in part:
A covered person shall make available to a consumer, upon request, information in the control or possession of the covered person concerning the consumer financial product or service that the consumer obtained from such covered person, including information relating to any transaction, series of transactions, or to the account including costs, charges, and usage data.
This statutory language is incredibly (and intentionally) non-specific. Typically, Bureau or other agency rules in the consumer finance sector are tailored to one product, e.g., debt-collection services, payday loans, electronic bank transfers, etc. By contrast, on its face, Section 1033’s obligation is not limited to a single industry, but instead regulates every conceivable consumer financial product or service. At a minimum, this will include all types of consumer loans, loan servicing, brokers, personal or real property leases, deposit-taking activities, stored value instruments, check cashing, payments, financial advisory services, consumer reporting (credit scores), debt-collection, and FinTech.
As a result, the obligation applies not only to data companies, but also to banks, non-bank financial services companies, merchants, mortgage, payments, auto finance, technology companies, retailers, data aggregators, prepaid card providers, student lending, and others.
Why is the proposed rulemaking significant for the FinTech and banking industries?
The proposed rulemaking is the first of its kind, and seeks to fill a hole in the patchwork quilt of federal and state privacy regulations created by, among other things, tech innovation.
With the proliferation of consumer-permissioned access by third-parties in the FinTech sector, new business models present the need for regulators to address consumer protection concerns arising out of, among other things, FinTech Application Programming Interfaces (API), which enable customers to do more with their money without needing to visit a local bank branch or brokerage. Why? Some policy concerns are exemplified in the following hypothetical.
A consumer wishes to manage her family’s household spending using a mobile app for personal budgeting. An API permits the app to communicate directly with the server of the consumer’s bank. By clicking yes on the app to give it (i.e., the app, which is a third-party to the consumer-bank relationship) permission to access her bank transactions, the consumer can enjoy the convenience of sending her spending records digitally to the mobile app (and do so instantaneously without waiting to verify minute deposits over multiple days). From a business perspective, significant friction is removed by consumer-permissioned access. Some of the policy concerns, however, for regulators triggered by this model include: to what extent should consumers be able to access their data, how do we safeguard the bank data transfer, how should the financial records be collected and stored by the app, what should the app be allowed to do with the data, what level of information should the consumer be entitled to see, and who is liable in the event of breach?
You may be wondering, why wouldn’t these questions be addressed by existing federal law? Existing privacy and consumer protection regulation, such as the Gramm-Leach Bliley Act (GLBA), the Electronic Fund Transfer Act (EFTA), and the Fair Credit Reporting Act (FCRA) do regulate financial data privacy, but are considered insufficient in some respects because they do not directly and expressly apply to each of the specific activities needed to consummate the transaction in the above model.
This is due in part to the fact that GLBA, EFTA, and FCRA were drafted decades before API technology came to exist.
The CFPB’s Section 1033 ANPR represents the first major step in regulating data privacy and financial records transfers, period, including transfers utilizing API’s. The key policy objective behind the ANPR is the notion that consumers ought to be able to control their own data. In fact, the Bureau’s Director, Kathleen Kraninger, spoke publicly during a February 2020 CFPB symposium, and emphasized how regulation ought to be promulgated, in the face of myriad albeit consumer-benefitting innovations, to ensure that consumers can control their own data while using new technologies. As a result, the ANPR has the potential to affect a multitude of products and services, including payments, lead generators, peer-to-peer lending, online trading, crypto trading, credit score improvement, financial management, and other types of financial records transfers. To add to the existing complexity, the CFPB is also able to hold technology companies liable (as service providers to financial services businesses) for violations of consumer privacy rules like those contemplated by the ANPR.
Why is this rulemaking being proposed now? Does it signify a new policy direction at the CFPB post-election?
There are two reasons the issues are ripened now to warrant the CFPB’s public notice-and-comment process that is triggered by a formal rulemaking. First, the CFPB has been picking up momentum in its focus on technology and data companies, both in terms of direct enforcement scrutiny and indirect probes through supervisory processes. Second, it just takes time for rulemaking processes to mature at a young agency. In the early years after the CFPB’s founding in 2010 (and independence in 2011), the CFPB was busy meeting statutorily mandated deadlines on other rulemakings (e.g., mortgage) that took precedence over other priorities within the CFPB’s other 18 enumerated statutes or Dodd-Frank Act authorities. It naturally took several years for the Bureau to get to Section 1033, and the Bureau has taken advantage of the last decade to gather relevant information to sharpen the agency’s policy preferences as to data protection. For instance, the Bureau first issued a Request for Information in 2016. In 2017, the Bureau issued a Statement of Principles (Principles) for the data aggregation market.
The lack of specificity in the CFPB’s Principles led to uncertainty in the market, as players throughout the data ecosystem sought to assign privately determined liability regimes in bilateral agreements. By February 2020, the Bureau hosted the symposium to commence formal implementation of Section 1033.
Rather than a sudden policy shift following the general election, last month’s rulemaking on the Section 1033 effort represents the natural maturation of a regulatory initiative many years in the making. Fortunately, the ANPR as issued is written broadly enough to leave room for businesses to provide feedback regarding the scope of the regulation and the measures for compliance.
What opportunities are presented to businesses by the Section 1033 ANPR?
The ANPR solicits public comment on 45 separate questions, with the ultimate goal of assisting the Bureau in developing proposed regulations under Section 1033. This process entails an opportunity to bring to the Bureau’s attention the information necessary to level-set the Bureau’s own compliance expectations. The ANPR also presents a neutral and non-adversarial forum for businesses to contribute to efforts in drafting national standards for consumer data access and privacy. Without industry involvement, it may be more difficult to ensure that the emerging rules are pragmatic. In order to participate in the comment process, it is not necessary to have a response to all 45 questions.
For convenience, we have condensed the 45 questions into the following eight key categories of topics:
- The harms and benefits arising out of consumer-permissioned data access by third parties.
- The extent to which competition in the marketplace (between small or large data holders, data users, and data aggregators) ought to influence the types of restrictions on authorized data access.
- Whether the government should impose requirements that standard-setting work be undertaken by companies in the authorized data access ecosystem and if so, how?
- Who should be covered by the regulation? What exclusions should apply?
- How does direct access to consumer data cause privacy concerns that the Bureau should act to protect? To what extent should the government take into account consumers’ understanding and expectations based on disclosures?
- What other laws or rules (federal, state, or foreign) if any are in tension with the proposed obligation to make consumer data accessible under Section 1033? How should the agency address this tension?
- Are market actors adequately incentivized to ensure that consumer data is secure, or should the agency take specific steps to improve existing rules governing data security?
- What risks of data inaccuracy exist in the data access ecosystem and what should the Bureau do about them?
While not stated explicitly, we expect the Bureau could use the research to help determine what is not an Unfair, Deceptive, or Abusive Practice (Sections 1031 and 1036 of the Dodd-Frank Act) in regards to consumer data access. The questions in the ANPR set forth a practical blueprint to do so.
Comments are due February 4, 2020.
 12 U.S.C. § 5531. As set forth in the Dodd-Frank Act, a “covered person” includes any individual, company, corporation, or other entity that engages in “offering or providing a consumer financial product or service” and any affiliate of such individual or entity to the extent that the affiliate acts as a service provider. 12 U.S.C. § 5481(6).