On Oct. 19, 2023, the Consumer Financial Protection Bureau (CFPB) released a Notice of Proposed Rulemaking (NPRM) on Personal Financial Data Rights, which would change the way financial institutions hold and distribute customer-generated data. The long-awaited proposal began under a November 2020 Advanced Notice of Public Rulemaking (ANPRM), and more recently, the CFPB convened a Small Business Review Panel (SBREFA) for this rulemaking on Feb. 1, 2023. Banking trades have remained involved throughout the process, submitting a petition in 2022 for the rulemaking, along with individual and joint input during the SBREFA process. At a high level, the proposed rule would require depository and nondepository entities to make available to consumers and authorized third parties certain data relating to consumers’ transactions and accounts; establish obligations for third parties accessing a consumer’s data, including privacy requirements; and provide standards for data access. The proposal will have broad impacts on financial institutions and third parties if enacted, as detailed in this client alert.
Section 1033 Authority
The proposed rule derives its statutory authority from Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act), which provides that subject to a CFPB rulemaking, “a covered person shall make available to a consumer, upon request, information in the control or possession of the covered person concerning the consumer financial product or service that the consumer obtained from such covered person, including information relating to any transaction, series of transactions, or to the account including costs, charges and usage data.” The provision also outlines that information must be made available to consumers in an electronic form and that the provision does not impose a duty on covered entities to “maintain or keep any information about a consumer.”
Exceptions from the rule include:
- “any confidential commercial information, including an algorithm used to derive credit scores or other risk scores or predictors;
- any information collected by the covered person for the purpose of preventing fraud or money laundering, or detecting, or making any report regarding other unlawful or potentially unlawful conduct;
- any information required to be kept confidential by any other provision of law; or
- any information that the covered person cannot retrieve in the ordinary course of its business with respect to that information.”
Section 1033 also outlines that the CFPB’s proposal must create standards for covered entities through machine-readable files. The CFPB is required to consult with federal banking regulators and the Federal Trade Commission (FTC).
Scope of the Proposal
Subpart A of the proposed rule outlines the coverage of data providers as entities providing accounts subject to the Electronic Fund Transfer Act (EFTA) and Regulation E, credit cards subject to the Truth in Lending Act (TILA) and Regulation Z, and related payment facilitation products and services. The proposal excludes depository institution data providers that do not have a consumer interface.
Key definitions in the proposal include:
Authorized Third Party (§1033.401): “The third party must seek access to covered data from a data provider on behalf of a consumer to provide a product or service the consumer requested, and:
- Provide the consumer with an authorization disclosure as described in § 1033.411;
- Provide a statement to the consumer in the authorization disclosure, as provided in § 1033.411(b)(5), certifying that the third party agrees to the obligations described in § 1033.421; and
- Obtain the consumer’s express informed consent to access covered data on behalf of the consumer by obtaining an authorization disclosure that is signed by the consumer electronically or in writing.”
Covered Data (§1033.211): “Transaction information, including historical transaction information in the control or possession of the data provider.”
Data Aggregator: “An entity that is retained by and provides services to the authorized third party to enable access to covered data.”
Developer Interface: “An interface through which a data provider receives requests for covered data and makes available covered data in an electronic form usable by authorized third parties in response to the requests.”
Third Party: “Any person or entity that is not the consumer about whom the covered data pertains or the data provider that controls or possesses the consumer’s covered data.”
Obligation to Make Covered Data Available
Within Section 1033.201 of the proposal, data providers must provide consumers and authorized third parties with “covered data in the data provider’s control or possession concerning a covered consumer financial product or service that the consumer obtained from the data provider.” Data providers must provide covered data “in an electronic form usable by consumers and authorized third parties” as provided by Section 1033 of the Dodd-Frank Act.
Under Section 1033.311, data providers are prohibited from imposing any fees or charges on a customer or third party when receiving requests for data and/or maintaining required interfaces. Section 1033.331 also allows data providers to provide consumers with “a reasonable method to revoke any third party’s authorization to access all of the consumer’s covered data.” For a method to be considered “reasonable,” it must “be unlikely to interfere with, prevent, or materially discourage consumers’ access to or use of the data, including access to and use of the data by an authorized third party.”
Section 1033.321 allows for reasonable denials of consumer or third-party access to an interface due to risk management concerns. The bar for a “reasonable denial … is … directly related to a specific risk of which the data provider is aware, such as a failure of a third party to maintain adequate data security, and must be applied in a consistent and non-discriminatory manner.” Covered data providers are also required to maintain separate consumer and developer interfaces.
When receiving requests from consumers, data providers must provide covered data when they receive information that can authenticate the consumer’s identity and identify the scope of the requested data. For third-party requests, data providers must:
(i) “Authenticate the consumer’s identity;
(ii) Authenticate the third party’s identity;
(iii) Confirm the third party has followed the authorization procedures in § 1033.401; and
(iv) Identify the scope of the data requested.”
The data provider is permitted to confirm the scope of a third party’s authorization to access the consumer’s data by asking the consumer to verify:
(i) “The account(s) to which the third party is seeking access; and
(ii) The categories of covered data the third party is requesting to access, as disclosed by the third party pursuant to § 1033.411(b)(4).”
Section 1033.421 specifies that third parties are limited in their collection, use and retention of relevant data to what is “reasonably necessary” to provide a product or service to a customer. The proposal outlines that the following activities are not reasonably necessary:
(i) Targeted advertising;
(ii) Cross-selling of other products or services; or
(iii) The sale of covered data.
This provision would impact direct marketing to consumers. Third parties would also be limited to a one-year authorization: to continue accessing a consumer’s data, a third party would have to obtain a new authorization from that consumer annually. If a consumer does not provide a new authorization, the third party will:
(i) No longer collect covered data pursuant to the most recent authorization; and
(ii) No longer use or retain covered data that was previously collected pursuant to the most recent authorization unless use or retention of that covered data remains reasonably necessary to provide the consumer’s requested product or service.
Impact on Small Financial Institutions
As noted in the NPRM, most banks and credit unions with $10 billion or less in total assets would be required to “maintain a consumer interface and establish and maintain a developer interface through which they receive requests for covered data” to provide usable electronic data for consumers and third parties. The rule argues that smaller institutions are “less likely to have a consumer interface and thus more likely to be exempt from the proposed rule, relative to larger data providers.” However, the NPRM outlines that financial institutions offering “Online Banking,” a “Mobile Application,” or electronic services such as “Download Account History” or “E-Statements” will be impacted.
The NPRM also acknowledges, “the CFPB expects that most depositories of this size will contract with a vendor for their interfaces with consumers and third parties.” The proposal included CFPB estimates stating that 53% of credit unions already use a vendor that offers an interface for third parties, and that other vendors would likely begin to offer such interfaces if the rule is finalized. While the proposal attempts to argue that there is less of an impact on smaller financial institutions and makes assumptions about vendors, trade groups have pushed back on this concept, arguing that the proposal could stymie innovation and put a substantial burden on small entities. Many trade groups representing smaller financial institutions have specifically asked for exemptions from coverage as data providers. Notably, these institutions could be both receiving and providing data.
In response to the increased costs that most credit unions would face under the rule, Credit Union National Association (CUNA) President/CEO Jim Nussle stated, “We are concerned with this proposal, particularly that it would require credit unions to create, maintain, and service interfaces for third parties to access member data, but prohibit charging a fee for services provided.” National Association of Federally-Insured Credit Unions (NAFCU) Vice President of Regulatory Affairs Ann Petros noted that the rule “could also pose more systemic risks to the banking sector.” Additionally, Independent Community Bankers of America (ICBA), in a comment letter earlier this year responding to a previous CFPB outline of proposals, said the bureau’s rulemaking should resist requiring banks to provide information outside the scope of Section 1033, limit data requirements that might harm consumers and banks, and create exceptions and safe harbor protections tailored to community banks.
Ongoing FCRA SBREFA Panel Overlap
In addition to the Section 1033 NPRM, the CFPB recently issued sweeping proposals for a SBREFA panel related to the Fair Credit Reporting Act (FCRA), which would impact data brokers and aggregators and credit header data. These include proposals to provide that: consumer information provided to a user who uses it for a permissible purpose is a “consumer report” regardless of whether the data broker knew or should have known the user would use it for that purpose, or intended the user to use it for that purpose; data brokers that sell certain types of consumer data (e.g., data typically used for credit and employment eligibility determinations) are selling consumer reports; a data broker that collects consumer information for permissible purposes may not sell it for non-permissible purposes; and a data broker may not obtain consumer report information from a consumer reporting agency without a permissible purpose or sell such information to a user unless the user has a permissible purpose.
The proposals under consideration would also mean that the sale of data addressed in the proposals by data brokers that qualify as consumer reporting agencies under the proposals would be prohibited without the written instructions of the consumer or another permissible purpose.
The CFPB is considering a proposal to provide a more bright-line definition for when such entities’ activities fall within the meaning of the terms “assembling” and “evaluating” in the definition of “consumer reporting agency.” The CFPB’s proposal under consideration would address when such companies’ activities constitute “assembling or evaluating” and would provide that, if such companies are “assembling or evaluating” and otherwise meet the definition of “consumer reporting agency,” they would be consumer reporting agencies under FCRA Section 603(f).
Industry stakeholders have raised significant concerns about adding these extensive new compliance burdens and requirements to data brokers and aggregators, and have argued that such a change could have a massive impact on their ability to operate.
The comment period for the proposed rule is currently open, and the CFPB is accepting comments until Dec. 29, 2023. Trade associations and industry groups are expected to weigh in with a variety of comments and concerns about the CFPB’s actions. Please contact the Brownstein Financial Services team for help drafting comments on or tracking this rule.
THIS DOCUMENT IS INTENDED TO PROVIDE YOU WITH GENERAL INFORMATION REGARDING data sharing regulations. THE CONTENTS OF THIS DOCUMENT ARE NOT INTENDED TO PROVIDE SPECIFIC LEGAL ADVICE. IF YOU HAVE ANY QUESTIONS ABOUT THE CONTENTS OF THIS DOCUMENT OR IF YOU NEED LEGAL ADVICE AS TO AN ISSUE, PLEASE CONTACT THE ATTORNEYS LISTED OR YOUR REGULAR BROWNSTEIN HYATT FARBER SCHRECK, LLP ATTORNEY. THIS COMMUNICATION MAY BE CONSIDERED ADVERTISING IN SOME JURISDICTIONS.