Section 1033 tasks the CFPB with implementing rules for consumer financial services providers to make available to consumers financial records through standardized formats, including through the use of machine readable files in electronic form. The CFPB’s ANPR solicits comments and information to assist the CFPB in developing the regulations. The deadline to submit comments is 90 days after the ANPR is published in the Federal Register.
The CFPB emphasizes in the ANPR that developing rules around consumer access to financial records has become an increasingly important consumer protection issue as third parties, including financial institutions and financial technology (fintech) companies, seek to access and aggregate financial data to provide new services aimed at making it easier, less costly, and otherwise more efficient for consumers to manage their financial lives. For example, the CFPB notes that in recent years the number and usage of products and services that utilize or rely upon consumers’ ability to authorize third-party access to their data has grown “substantially and rapidly,” and this has been accompanied by an expansion in the number of use cases for authorized data. Data aggregators that facilitate consumers being able to maintain all of their financial records in one location are increasingly popular. The CFPB recognizes that there are consumer benefits from these services and consumer-authorized data access, including enabling improvements to existing products, fostering competition for existing products, allowing new types of products and services to be offered, and increasing control by consumers over their data.
In many cases, these increasingly popular third-party services seek permission from consumers to access financial accounts on the consumers’ behalf. Some may then use the consumers’ credentials to log in and scrape account information. Some financial institutions have moved towards API-based data sharing, allowing these third parties to access and retrieve account information in a more secure manner. Regardless of how third parties retrieve financial account information, there are privacy and security risks, as financial institutions have limited control over how third parties use, disclose, and protect account information once the third parties receive it. In addition, the CFPB has expressed concern about how regulatory uncertainty may be impacting this market, including because of the interplay between section 1033 and other laws the CFPB has jurisdiction over such as the Fair Credit Reporting Act (FCRA) and Gramm Leach Bliley Act (GLBA). The CFPB is therefore seeking further information as it moves toward developing rules.
In the ANPR, the CFPB specifically seeks information from any interested parties in nine areas:
- Benefits and costs of consumer data access
- Competitive incentives and authorized data access
- Access scope
- Consumer control and privacy
- Legal requirements other than section 1033
- Data security
- Data accuracy
- Other information
The CFPB’s progress toward section 1033 rules has been a long time in the making. The CFPB initiated the rulemaking process in 2016 with a Request for Information (RFI) Regarding Consumer Access to Financial Information to develop a better understanding of the current ecosystem of authorized data access and the risks and issues related to that ecosystem. In October 2017, it released a set of “Consumer Protection Principles” for participants “in the developing market for services based on the consumer-authorized use of financial data.” Since then the CFPB has continued to analyze and collect information, and in July of this year released a report of its findings from its February 2020 Symposium on this issue. Following its acceptance of comments in the ANPR, it is unclear how long it will be before the CFPB develops draft rules and initiates a notice of proposed rulemaking.
Authored by Tim Tobin and Roshni Patel.