• The CFPB rulemaking intends to provide consumers greater control over personal data to help accelerate the shift toward open banking and more decentralized markets.
• The proposed rule would move U.S. privacy regulations closer to Europe’s stricter General Data Protection Rule, enabling the portability of data between firms and provide consumers with more control over how their data is used.
• This and all CFPB rulemakings may face legal challenges following the 5th Circuit’s recent decision in Community Financial Services Association of America v. CFPB unless and until the Supreme Court takes up the issue.

Introduction: Rule to Answer Who Owns Consumer Data, Who Can Access It, and How Must It Be Safeguarded?

On October 27, the Consumer Financial Protection Bureau (CFPB) began the process for proposing a rule on consumer-permissioned data access by releasing an “Outline of Proposals and Alternatives Under Consideration” under the consultation process required by the Small Business Regulatory Enforcement Fairness Act (“SBREFA”). The CFPB’s 1033 rule, when finalized, would set standards for the use of consumer financial data and answer key questions such as who owns the data, who can access the data, and how data must be safeguarded.

Supporters of the proposed rule assert that answers to these questions will protect consumers as the market for products that capitalize on consumer financial data expands. Banks, data aggregators, and the financial technology (fintech) companies who use the data face potential significant impacts and are well advised to review the proposal and consider making their views known to the CFPB throughout the rulemaking process.

The Dodd-Frank Act authorized a rule on personal financial data rights in Section 1033, which provided that financial institutions must make certain financial record information available to consumers upon request. The CFPB has interpreted the scope of its rulemaking authority to include data requests by third parties authorized by the consumer. The Bureau previously issued a Request for Information in November 2016, a report on stakeholder insights and Consumer Protection Principles in October 2017,  and an advance notice of proposed rulemaking in October 2020. A number of groups in the banking industry have requested that the CFPB promulgate a rule to subject data aggregators and data users to CFPB supervisory authority.[1] Members of Congress also recently weighed in on financial data privacy issues, with Rep. Patrick McHenry, the current Ranking Member of the House Committee on Financial Services, circulating a discussion draft in June on financial data privacy that seeks to regulate data aggregators in addition to financial institutions.

Summary of the Bureau’s Outline of Proposals  

New Requirements for Data Providers (Banks)

Providers of consumer financial data subject to the proposed rule include financial institutions[2] and card issuers,[3] including institutions providing electronic fund transfer services such as mobile wallets and electronic payment products. In the Outline of Proposals, the CFPB intends to limit the scope of the rule to entities the Bureau believes pose the most significant consumer risk, but would consider expanding the scope to other data providers in the future. The outline also states the Bureau is considering exemptions for data providers based on size or activity levels.

Data providers would be required to make available information concerning financial products or services provided to consumers and authorized third parties, subject to exceptions outlined in the statute.[4] The outline identifies six categories of information:

• Periodic statement information for settled transactions and deposits.
• Information regarding prior transactions and deposits that have not yet settled.
• Other information about prior transactions not typically shown on periodic statements or portals.
• Online banking transactions that the consumer has set up but that have not yet occurred.
• Account identity information.
• Other information, to potentially include reports from consumer reporting agencies, fees, incentives, and information about security breaches.

The CFPB is considering requiring data to be provided to consumers through an online financial account management portal in a format readily available for export. For third parties, the CFPB is considering mandating the use of a third-party portal subject to: standards governing the quality, timeliness, and usability of the information; safeguards to ensure the accuracy of information on the portal; and data security standards. Under the proposal, data providers would have to make information available to an authorized third party once they receive evidence of authority to access the information, the scope of the information requested, and information sufficient to authenticate the third party’s identity. Finally, the CFPB is considering requiring data providers to disclose to consumers and authorized third parties the reason any requested information is not available, for example, if it falls under a statutory exception or the data provider lacks access to the information.

New Requirements for Third Parties (Data Aggregators and Fintech Companies)

Under the proposal, to qualify as a third party authorized to receive consumer financial information, the third party would need to:

• Provide the consumer with an authorization disclosure detailing the scope of the data to be accessed and the use and purpose for accessing the information.
• Obtain the consumer’s informed consent to the authorization disclosure.
• Certify to the consumer that it will comply with the third-party obligations imposed by the CFPB’s rule.

The CFPB also contemplates a variety of obligations regarding the handling of consumer financial data. The outline describes a limitation under which third parties would not be permitted to collect, use, or retain consumer information beyond what is reasonably necessary to provide the product or service that the consumer requested. This limitation would apply in the form of duration and frequency limits, after which the third party would need to seek reauthorization for continued access. The CFPB seeks comment on different approaches to limiting secondary use (such as sharing data with other entities) including prohibiting all or only certain secondary uses and allowing a consumer to opt in or out of different uses.

Other requirements under consideration to promote consumer privacy and data access rights include:

• Third parties must provide consumers with a method to revoke their authorization at any point.
• Any consumer information that is no longer reasonably necessary for the product or service or with respect to which the consumer revoked access must be deleted.
• Third parties must comply with data security standards and have policies and procedures to address accuracy of data and to address disputes submitted by customers.
• Third parties must implement consumer disclosures to periodically remind consumers how to revoke authorization and provide consumers with a mechanism to request information about the third-party’s access.

Key Themes and Takeaways of the Bureau’s Proposal

A Step Toward Open Banking, Decentralization, and Greater Competition

CFPB Director Rohit Chopra has characterized the proposals as supporting the Bureau’s goal to create catalysts for more competition. The argument is that if consumers own and control their transactional and other data associated with their use of financial products and services obtained from incumbent providers, they should be able to directly or indirectly export that data for use by other providers. In theory, greater data mobility yields more consumer choice. Director Chopra sees this change as “accelerat[ing] America’s shift towards open banking and a more decentralized market structure.”

Under his logic, the proposals would also incentivize innovation because companies would need to improve their products and services to attract and retain customers since they would no longer be able to rely on access to consumer data as a method of obtaining customers. Particularly given the potential greater ability of a consumer to port their data from one business to another, the proposal requires fintech companies to continue to prove their value to consumers. Furthermore, fintechs could use the consumer data that they obtain from data providers to improve products and services, adding to the benefits to innovation.

More Data Security and Less Data Abuse?

Following the 2017 Equifax breach, the CFPB expressed heightened concern regarding the security of consumer financial data. By regulating how consumer data must be provided to third parties, the CFPB presumably seeks to limit fraud and other risks to consumer privacy and protection. One way the CFPB seeks to do this is by potentially requiring consumer financial data to be shared through application programming interfaces (APIs) rather than obtaining data using consumer-provided account credentials, a process known as “screen scraping.” Screen scraping carries a number of risks that may compromise user data or result in inaccuracies. The CFPB also seeks to enhance data security standards considering subjecting authorized third parties to data security standards similar to those already applicable to financial institutions under the Gramm-Leach-Bliley Act.

In addition, the CFPB aims to prevent abuse of consumer financial data by requiring consumers to provide informed consent rather than the current “notice and opt-out” practice. While the CFPB’s approach to limiting secondary use is still under consideration, it is possible that the rule would prohibit all sharing of data with other entities, which could have a significant impact on revenue and operations of fintech companies.

Overall, the rule would move U.S. financial data regulations closer to the stricter regime in Europe under the General Data Protection Rule (GDPR). Like the GDPR, the rule would emphasize consumer rights by enabling the portability of data between firms and provide consumers with more control over how their data is used.

Possible Legal Challenges Facing CFPB Rules

This and other rules promulgated by the Bureau face potential challenge as the result of the 5th Circuit’s decision in Community Financial Services Association of America v. CFPB. In that decision, the 5th Circuit ruled that the CFPB’s funding violated the separation of powers required by the Constitution. While that decision overturned the CFPB’s payday lending rule, all rulemakings from the agency are vulnerable to the argument. On November 14, the CFPB and the Department of Justice filed a petition for certiorari with the Supreme Court asking it to review the case. Until the Supreme Court issues a ruling, opponents of CFPB rules and authority will continue to use the 5th Circuit decision to challenge the validity of the CFPB’s rules and other actions.

What’s Next in the Rulemaking Process? Put Patomak’s Expertise to Work

The CFPB plans to publish a SBREFA report based on input it receives in the first quarter of 2023, issue a proposed rule later in the year, and finalize the rule in 2024. Interested parties can submit feedback no later than January 25, 2023, by sending comments to Financial_Data_Rights_SBREFA@cfpb.gov.

The financial data rights rulemaking seeks to shape the future of a growing industry that provides consumer financial services that depend on consumer data. The rule could have implications beyond consumer financial services as data privacy considerations are weighed by Congress and regulators in other areas such as social media, healthcare, homeland security, and more. Companies and market participants have an important role and opportunity to voice their concerns with the potential rule to ensure the market functions safely and soundly for all participants and consumers.

As companies prepare for the upcoming rulemaking process, Patomak can serve as a resource in helping companies shape and understand the rules. Patomak stands ready to assist banks, data aggregators, and fintech companies build out new compliance programs to comply with the new requirements. Contact us to learn how Patomak can help you navigate these challenges and meet your business goals.

[1] Separately, the American Bankers Association published a statement in October 2022 in response to the CFPB’s Outline of Proposals for Section 1033 rulemaking. See Statement on CFPB’s Outline of Proposals Section 1033 Rulemaking, American Bankers Association (October 27, 2022).

[2] 12 C.F.R. § 1005.2(i). “Financial institution” means a bank, savings association, credit union, or any other person that directly or indirectly holds an account belonging to a consumer, or that issues an access device and agrees with a consumer to provide electronic fund transfer services, other than a person excluded from coverage of this part by section 1029 of the Consumer Financial Protection Act of 2010, title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act.

[3] 12 C.F.R. § 1026.2(a)(7). “Card issuer” means a person that issues a credit card or that person’s agent with respect to the card.

[4] Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L. No. 111–203, Section 1033(b). The exceptions include: (i) any confidential commercial information; (ii) any information collected by the data provider for purposes of preventing fraud or money laundering, or detecting, or making any report regarding other unlawful or potentially unlawful conduct; (iii) any information required to be kept confidential by any other provision of law; and (iv) any information that the data provider cannot retrieve in the ordinary course of its business. The CFPB is seeking comment on various approaches to interpreting the statutory exceptions.