The Bureau of Consumer Financial Protection (CFPB or Bureau) has formally commenced its long-awaited rulemaking process to implement section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act). Section 1033 requires covered financial services providers to make available to a consumer, upon request, information in the financial services provider's control concerning the consumer financial product or service obtained by the consumer. In issuing its advance notice of proposed rulemaking (ANPR), the CFPB is seeking input on how to develop regulations that could have far-reaching implications for consumers, banks and other traditional providers of financial services and non-bank fintechs.
Section 1033 of the Dodd-Frank Act provides that, subject to rules prescribed by the Bureau, entities engaged in offering or providing consumer financial products or services must make available to a consumer in a usable electronic form, upon request, information in their control or possession concerning the consumer financial product or service obtained by the consumer. This includes any information relating to any transaction, series of transactions or the consumer's account, including costs, charges and usage data. Section 1033 also carves out certain types of information from the consumer access right, including confidential commercial information (e.g., an algorithm used to derive credit scores or other risk scores or predictors) and information that the data holder cannot retrieve in the ordinary course of its business. Other carve-outs include any information required to be kept confidential by any other provision of law and information collected for purposes of preventing fraud or money laundering or detecting or reporting on unlawful conduct.
Consumers can exercise the section 1033 consumer access right by interacting directly with their consumer financial service providers through the providers' online servicing portals or mobile applications ("direct access"). In addition, many companies—the ANPR cites both traditional financial institutions and non-bank fintechs—access consumer data after receiving consumers' authorization, and then provide services to consumers using data from the consumers' various financial accounts with third parties ("authorized data access"). Authorized data access typically occurs by means of: (1) credential-based access (i.e., using the consumer's credentials to log into the data holder's online financial account management portal) and screen scraping (i.e., using proprietary software to convert consumer data presented in the provider's online financial account management portal into standardized machine-readable data); or (2) tokenized access, commonly through application programming interfaces (APIs), often pursuant to an agreement between a data aggregator and the data holder. The number and usage of products and services that rely on authorized data access have grown substantially and today include: personal financial management; financial advisory services; assistance in procuring new consumer financial products and services; making and receiving payments; assisting consumers with improving savings outcomes; identity verification and account ownership validation; credit profile improvement; and underwriting. In many cases, "data user" firms that obtain consumer data from a "data holder" by means of authorized data access point to section 1033 as the legal basis for their data requests.
To date, the CFPB has not promulgated regulations to implement section 1033 and has instead taken less formal actions to identify and promote consumer interests in access, control, security and privacy while allowing the market to develop without direct regulatory intervention. Of note, in 2017, the Bureau issued principles for Consumer-Authorized Financial Data Sharing and Aggregation covering access; data scope and usability; control and informed consent; authorizing payments; security; access transparency; accuracy; ability to dispute and resolve unauthorized access; and efficient and effective accountability mechanisms.
Prior to issuing the ANPR, the CFPB solicited initial public input through a 2016 request for information and a 2020 public symposium. In the ANPR, the Bureau notes that, in response to these initiatives, stakeholders raised the following concerns:
- Not all consumers are able to authorize access to consumer data in a manner commensurate with the access rights described in section 1033 (e.g., when data holders withhold certain information that could arguably constitute "costs, charges and usage data" information covered by section 1033);
- Issues relating to access rights may not be fully resolvable without resolution by regulators of a series of interconnected issues, such as security concerns related to authorized data access or how consumers should most appropriately exercise control over authorized data access; and
- The application of other consumer financial laws and regulations to consumer-authorized data access is not always clear (e.g., which parties are liable for unauthorized data access under the Electronic Fund Transfer Act and Regulation E; if and how the Fair Credit and Reporting Act applies to consumer data in the context of authorized data access; and the manner in which the Gramm-Leach-Bliley Act and its implementing regulations regarding privacy and security apply to data aggregators).
The Bureau's rulemaking is likely to address these concerns, as well as other topics on which the Bureau currently seeks public comment within 90 days after publication of the ANPR in the Federal Register. As the CFPB has opted to commence the rulemaking process with an ANPR, stakeholders should have ample opportunity to weigh in now, and again when a proposed rule is released, prior to a final rule taking effect.
|Overview of key issues on which the CFPB is seeking public comment
|Benefits and costs of consumer data access
||What are the costs and benefits of (1) authorized data access and (2) direct access, including from the perspective of consumer costs and benefits; competition and innovation; and data holder costs and benefits?
|Competitive incentives and authorized data use
||What competitive incentives currently exist in the market, and how should the Bureau's rulemaking account for existing market dynamics while promoting further competition? Does the overlap among data holders, data aggregators and data users affect competition and innovation, and do access-related agreements among market participations promote or impede competition and innovation?
||Should the CFPB expect broad-based standard-setting work by the industry to enable and facilitate authorized data access and encourage, rather than impede, competition and innovation? Should the Bureau let the standard-setting play out before deciding whether to prescribe specific standards?
What is the appropriate scope of the consumer access right? For example:
- Who should be "an agent, trustee, or representative" that can exercise access rights on behalf of a consumer, and should different processes apply when third parties access data on behalf of consumers?
- Should certain categories of data holders or additional categories of information be exempt from consumer access rights?
- How can the Bureau craft technology agnostic regulations?
|Consumer control and privacy
Should the CFPB limit authorized data access to the minimum amount of consumer data necessary to effect the purpose of authorizing access as is reasonably understood by the authorizing consumer? To that end:
- Do consumers understand the actual movement, use and storage of their data?
- Are providers' terms and conditions effective in informing consumers' understanding and expectations?
- Should secondary uses of consumer data (i.e., all uses other than the primary purpose for which a consumer, acting pursuant to reasonable expectations, would choose to authorize access to its data) be limited?
|Other legal requirements
||How should the rulemaking address regulatory uncertainty arising from legal requirements that are in tension with the section 1033 consumer access rights?
||Do existing legal requirements or market incentives effectively mitigate data security risks, or should the rulemaking do so?
||Do existing legal requirements or market incentives effectively mitigate the risk of consumers being provided inaccurate data pursuant to the exercise of consumer access rights, or should the rulemaking do so?
Although a final rule may be some time away, the ANPR and ensuing rulemaking steps have implications for the consumer financial services ecosystem as a whole, as well as for the dynamics between the banks and fintechs that compete, and cooperate, to offer consumer financial products and services.
- Bilateral access agreements. The ANPR notes that the authorized data access ecosystem has seen the emergence of formal, bilateral access agreements between large aggregators and large data holders. These agreements are beginning to move the ecosystem towards tokenized access through APIs and away from access by means of digital banking credentials shared by the consumer. As tokenized access is generally considered a more secure access method, a continuation of this trend could address in part the security concerns under consideration by the CFPB. At the same time, the ANPR makes clear that the Bureau expects industry participants to offer assurances that bilateral agreements will not adversely affect competition, innovation or consumers' interests.
- Industry standards. The ANPR also recognizes that a broad range of ecosystem participants are collaborating to develop standards for data sharing through APIs. At the same time, networks or consortia of data holders have begun to acquire or partner with data aggregators to offer access solutions to data holders as well as to their traditional data user clients. The CFPB recognizes that these developments may represent a broader move towards multilateral standards for data access, much as network standards function in two-sided payment card markets. The continuation of these trends could result in a lighter regulatory approach, particularly if the CFPB is satisfied that industry standards adequately address its consumer protection, data security and competition and innovation concerns. It remains to be seen, however, whether the launch of the formal rulemaking process will be an incentive or a disincentive for cooperation among ecosystem participants.
- Consumer disclosures and terms. The Bureau is requesting comment on the extent to which consumers understand the actual use, storage and persistence of consumer data to which they grant access. The ANPR suggests that ecosystem participants should not only exercise diligence in developing clear disclosure and informative terms and conditions, but should also make efforts to inform themselves of reasonable consumer expectations and preferences and align their practices with those expectations and preferences. The ability of ecosystem participants to demonstrate good practices in this respect could affect how prescriptive an approach the CFPB takes in its rulemaking.
- Disputes among ecosystem participants. Several of the questions posed by the CFPB align with issues raised in ongoing disputes among regulators, data holders, data users and data aggregators. Should these disputes bring to light practices that the CFPB considers to be contrary to consumers' interests, the Bureau may use the rulemaking as an opportunity to address such practices.
- Battle over customers. Clearly the outcome of the rulemaking will have a more favorable impact on either incumbent financial services providers, such as banks, or those emerging companies that rely on such consumer data access, such as challenger banks, and affect the economics, stickiness and control over customers. These are significant issues, and undergird the battle over the manner and means of any friction created to consumer access to data, particularly through the use of third-party agents.