Consumer Data Rulemaking Underway at CFPB: Here Are Four Things Your Company Should Know


The Consumer Financial Protection Bureau released its Advance Notice of Proposed Rulemaking (ANPR) on Oct. 22, seeking comment on 46 questions in nine categories surrounding consumer access to financial information under section 1033 of the 2010 Dodd-Frank Act (15 U.S.C. § 5533).

Section 1033, entitled “Consumer Rights To Access Information,” provides that “a covered person shall make available to a consumer . . . information in the control or possession of the covered person concerning the consumer financial product or service that the consumer obtained from such covered person” and authorizes the Bureau to make rules concerning consumer access to such data.

The ANPR follows the CFPB’s symposium earlier this year on consumer access to financial information. In a report summarizing the symposium issued in July, the Bureau pointed out that consumers’ access to “their financial records in electronic form empowers them to better monitor their finances” and “their ability to permission a third party to access those records may enable consumer-friendly innovation in financial services.” Particularly, the growing use of consumer data aggregators can lead to “new products and services aimed at making it easier, cheaper, or more efficient for consumers to manage their financial lives.” But the report also emphasized that this expansion in access to and distribution of consumer financial data “raises a number of concerns, particularly with respect to data security, privacy, and unauthorized access.”

The ANPR’s 46 questions are grouped into nine categories: (1) costs and benefits to consumers and covered persons; (2) competitive incentives; (3) the development of standards; (4) the scope of access to consumer financial information; (5) consumer privacy and control; (6) existing law impacting the field; (7) data security; (8) accuracy; and (9) “other information.” The categories underscore the broad scope of section 1033 and the impact any rules could have on the consumer financial services industry.

The release of the ANPR is just the first step in the Bureau’s rulemaking process and, having participated in Bureau rulemaking activities over the past decade, it may be years before rules are released, if at all. But the impact of any rules would be significant. The definition of the nature and scope of consumer data, as well as how that data is aggregated, disseminated, and protected, are all on the table. While the subject matter appears to be concerned with developing technologies and services (like FinTech and RegTech), any rule would also impact how consumer data is collected and used by the mature consumer financial services industry.

That industry is broader than one may think. While it certainly includes traditional lenders like banks, credit unions and non-bank lenders, a “covered person” under the Dodd-Frank Act is much more and includes “any person that engages in offering or providing a consumer financial product or service” and affiliates who act as service providers to the covered person. The Bureau has an expansive interpretation of the types of persons that fall within this definition as well as what constitutes a consumer “financial product or service.” For example, the definition includes “collecting debt related to any consumer financial product or service.”

1. What Information Can a Consumer Access?

Several questions posed by the ANPR concern the scope of “access rights” to consumer financial information, particularly whether certain data should not be subject to consumer access. Such consumer information can intersect with protected “confidential commercial information,” data required by law to be kept confidential or information collected to prevent fraud “or other illegal conduct.”

Section 1033(d) of the Dodd-Frank Act provides that “[t]he Bureau, by rule, shall prescribe standards applicable to covered persons to promote the development and use of standardized formats for information, including through the use of machine readable files, to be made available to consumers under this section.” The Bureau’s “standard-setting” questions request comments on the use and development of standards for access to and delivery of consumer financial information.

2. Intersection With Existing Law

In the context of privacy, the ANPR notes that the Gramm–Leach–Bliley Act, Fair Credit Reporting Act, Electronic Fund Transfer Act and the regulations promulgated under each all have privacy components, and “the Bureau might need to resolve potential stakeholder uncertainty with respect to application of the [] laws and their implementing regulations.” It adds in a footnote that while the Bureau has “certain authorities” under the GLBA, it “has no supervisory, enforcement, or rulemaking authority with regard to the Act’s data security provision.”

3. Privacy Expectations and the Movement and Sharing of Information

The Bureau is also seeking comments on the extent to which consumers “understand the actual movement, use, storage, and persistence of authorized data,” and how this may “align with reasonable consumer expectations or preferences, including privacy expectations or preferences,” among other things. This leads to the question whether the Bureau should “consider placing any restrictions on the movement, use, storage and persistence of authorized data, and if so, what restrictions and why?”

4. Data Security

In the area of data security, several questions seek comment on existing law and how these laws mitigate risk in the context of consumer financial information. Notably, the Bureau asks, if it does issue a rule, “how should that rule take appropriate account of data security concerns?”

Comments are due 90 days after the date the ANPR is published in the Federal Register.

Article by Donald Maurice