Financial Institutions Invited to Comment on CFPB’s Initial Sketch of New Consumer Data Rights Rule
November 3, 2022
The Consumer Financial Protection Bureau (“CFPB”) is beginning to craft a data portability rule it hopes will foster greater competition and consumer choice (the “Data Rule”).[1] The initial draft of the Data Rule applies to “financial institutions” under Regulation E and “credit card issuers” under Regulation Z.[2] This covers “financial institutions offering deposit accounts, credit cards, digital wallets, prepaid cards, and other transaction accounts.”[3] It would also reach a company that provides electronic fund transfer services through an “access device” even if that company does not hold the account.[4]
The CFPB is seeking input from regulated entities to assist it in crafting these regulations. The burden the ultimate Data Rule will impose is far from clear. In addition to the costs of complying with an entirely new regulation, covered entities will also have to confront the technical challenge of making the data they hold accessible “upon request” to the universe of recipients the Data Rule envisions. The potential solutions are difficult to anticipate from the thumbnail sketch the CFPB’s current proposal provides.
While Congress required that the CFPB specifically consult with small businesses in order to address the special burdens they will face, all regulated entities are invited to submit comments.
Section 1033
The Dodd-Frank Act provides that consumers have the right to request the information that a financial institution has about the consumer financial product or service the institution provided the consumer — but only once the CFPB implements regulations for how to do this.[5] The information could include, but is not limited to, the consumer’s transaction history, or the costs, charges or usage data related to that consumer.[6]
Limited Existing Law on Consumer Data
The CFPB acknowledges that there is little existing federal law on consumer data privacy, data rights or cybersecurity. For example, the Fair Credit Reporting Act (“FCRA”) protects the detailed personal information consumer reporting agencies and credit bureaus collect by limiting the “permissible purposes” for which they can release that information.[7] Additionally, the Gramm-Leach-Bliley Act (“GLBA”) and Regulation P require banking institutions to provide a notice of privacy practices to consumers at onboarding and annually thereafter.[8]
Even though the CFPB administers these regulations, Director Chopra complained that “Much of [existing regulation] involves financial institutions handing consumers a lot of fine print that they may not even read, like those financial privacy notices companies send.”[9] He specifically criticized the GLBA’s “notice and opt-out regime” that in his view does not “give consumers meaningful control over how their data is being used.”[10]
Some state laws, like the California Consumer Privacy Act/California Privacy Rights Act (“CCPA/CPRA”), grant individual consumers certain rights to control their data. A federal Data Rule is thus certain to break new ground by offering nationwide rights to individual consumers.
The Benefits the CFPB Aims to Achieve
The CFPB expects that its Data Rule will enhance competition. Once a consumer can require an existing service provider to share all of the consumer’s transaction history, the consumer can transition to a new provider as if they were a long-time customer. Director Chopra analogizes this ease of switching to the right to keep your phone number when you choose a new carrier — even though the old carrier does not transfer call logs and text chats to the new provider.[11]
The Data Rule could also foster innovation. A consumer can grant a platform access to information from multiple providers to more easily manage their money, apply for credit or shop for lower fees. Currently, consumers often grant a third-party service visibility into an account by sharing their login credentials. In addition to the security concerns of sharing usernames and passwords, these services do not have real access to the underlying data, but only to the web platforms the institution provides. As a result, the services engage in “screen scraping,” attempting to read the information from the webpage. If consumers had the right to require the institution to share the actual data with an authorized third party, consumers would know the information they see in the third-party service is accurate, and would not have to reveal their passwords to enable the connection.[12]
Recognizing that many financial institutions will not have the capacity to transfer consumer data themselves, the proposal envisions the emergence of “data aggregators” who will facilitate collecting the information from the origin financial institution and transmitting it to the consumer or an authorized third-party.[13]
Looking further ahead, Director Chopra even envisions a new approach to credit, based on a lender’s direct access to the consumer’s transaction history rather than opaque three-digit credit scores.[14]
Proposals Under Consideration
The CFPB released a detailed outline of its anticipated proposals and a long list of questions on which it is seeking input.[15] Specifically, the CFPB is inviting comment on:
Who Will Be Subject to the Data Rule. As noted above, the CFPB intends for the Data Rule to focus on accounts, including digital wallets, access devices, prepaid cards, credit cards and others presently subject to Regulation E or Regulation Z. The Data Rule may adjust the scope of the providers and accounts it governs, and may provide exemptions.[16]
Who Can Receive Information. The CFPB’s proposal departs from the statute, which only commands institutions to make the consumer’s information “available to the consumer.”[17] To achieve its competition and innovation aims, the CFPB reads these words as empowering consumers to direct institutions to make their information available to whomever the consumer authorizes. Among other things, this broad reading requires the Data Rule to spell out how to obtain the consumer’s “informed, express consent” for the transfer, and the CFPB intends to impose disclosure and compliance certification requirements on the third-party recipients.[18]
What Third Parties Cannot Do With the Data. The CFPB is considering limiting authorized third parties’ processing, collection, use and retention of consumer financial data to what is “reasonably necessary to provide the product or service the consumer has requested.”[19] These obligations may include capping the maximum duration for a consumer authorization, providing methods for the consumer to revoke the authorization and prohibiting certain uses of the data.
How Covered Entities Must Demonstrate Their Compliance. Covered entities may be required to maintain certain records to confirm their compliance with the Data Rule. Importantly, as Section 1033 emphasizes, covered entities are not obligated “to maintain or keep any information about a consumer.”[20] The inclination against storing consumer information echoes the CFPB’s concern with the “immense amounts of granular consumer data” some of the largest companies collect.[21]
What Types of Information Should Be Made Available. The CFPB anticipates requiring institutions to supply the consumer data regarding: (1) periodic statement information regarding transactions and deposits that have settled; (2) transactions and deposits that have not yet settled; (3) prior transactions that are not typically shown on periodic statements; (4) online banking transactions that the consumer has prepared but have not yet occurred; (5) account identity information; and (6) “consumer reports obtained and used by the covered data provider in deciding whether to provide an account or other financial product or service.”[22]
How and When Information Must Be Made Available. Consumer financial data would be made available directly to the consumer when a covered entity has “enough information from the consumer to reasonably authenticate the consumer’s identity and reasonably identify the information requested.”[23] With respect to third-party access, covered entities may be required to establish a third-party access portal, which the CFPB recognizes will pose burdens on covered entities and may also create new security issues.
When the Data Rule Should Take Effect. Realizing that it will take time for covered entities to come into compliance and that the Data Rule is completely new, the CFPB is interested in the factors that should inform the appropriate timeline, including whether there should be a second phase for rolling out a requirement that covered entities establish their third-party portal.[24]
Conclusion
The CFPB’s entry into the consumer data space is novel in substance and approach. Director Chopra hinted that the Data Rule is the first in a paradigm shift that would retire regulations that serve to entrench existing business models and prioritize technical compliance over consumers’ actual experiences, in favor of a generation of “procompetitive regulations” that could, among other things, “reduce switching costs or barriers to entry, promote price transparency and shopping, reduce conflicts of interest, and place limits on business activity in order to ensure that firms don’t exploit their control over critical networks.”[25]
Financial institutions subject to Regulation E and credit card issuers subject to Regulation Z, who will be the first to have to comply with the Data Rule, should take this opportunity to shape the Rule and limit its associated burdens. The requirement to open transaction history upon request will sometimes conflict with other state and federal laws and, by creating more ways to access consumers’ personal information, may impair the security and privacy of that information.
The CFPB is accepting comment until January 25, 2023.[26]
Schulte Roth & Zabel’s lawyers are available to assist you in preparing a public comment or addressing any questions you may have regarding these developments. Please contact the Schulte Roth & Zabel lawyer with whom you usually work, or any of the following attorneys:
Donald J. Mosher – New York (+1 212.756.2187, donald.mosher@srz.com)
Alexander M. Kim – New York (+1 212.756.2075, alex.kim@srz.com)
Melissa G.R. Goldstein – Washington, DC (+1 202.729.7471, melissa.goldstein@srz.com)
Kara A. Kuchar – New York (+1 212.756.2734, kara.kuchar@srz.com)
Adam J. Barazani – New York (+1 212.756.2519, adam.barazani@srz.com)
Jessica Romano – New York (+1 212.756.2205, jessica.romano@srz.com)
Jessica Sklute – New York (+1 212.756.2180, jessica.sklute@srz.com)
Noah N. Gillespie – Washington, DC (+1 202.729.7483, noah.gillespie@srz.com)
Hadas A. Jacobi – New York (+1 212.756.2055, hadas.jacobi@srz.com)
Rebecca A. Raskind – New York (+1 212.756.2396, rebecca.raskind@srz.com)
[1] Press Release, CFPB Kicks Off Personal Financial Data Rights Rulemaking (Oct. 27, 2022), available here (“Press Release”).
[2] CFPB, High-Level Summary and Discussion Guide of Outline of Proposals and Alternatives Under Consideration for SBREFA: Required Rulemaking on Personal Financial Data Rights, at 4 (Oct. 27, 2022), available here (“High Level Summary”).
[3] Director Chopra, Speech, Prepared Remarks at Money 20/20, at 4 (Oct. 25, 2022), available here (“Money 20/20”).
[4] High Level Summary at 4 (citing 12 C.F.R. § 1005.2(a)(1)).
[5] In full, this section states “Subject to rules prescribed by the Bureau, a covered person shall make available to a consumer, upon request, information in the control or possession of the covered person concerning the consumer financial product or service that the consumer obtained from such covered person, including information relating to any transaction, series of transactions, or to the account including costs, charges and usage data. The information shall be made available in an electronic form usable by consumers.” 12 U.S.C. § 5533(a).
[6] See id.
[7] 15 U.S.C. §§ 1681b, 1681d.
[8] 12 C.F.R. §§ 1016.4-.9.
[9] Money 20/20, at 2.
[10] Id. at 5.
[11] Id. at 2.
[12] Id. at 3; High Level Summary at 9-10.
[13] High Level Summary at 2 n.3.
[14] Money 20/20, at 4.
[15] See Consumer Financial Protection Bureau, Small Business Advisory Review Panel for Required Rulemaking on Personal Financial Data Rights, Outline of Proposals and Alternatives Under Consideration (Oct. 27, 2022), available here.
[16] High Level Summary at 4.
[17] 12 U.S.C. § 5533(a).
[18] High Level Summary at 5.
[19] Id. at 15.
[20] 12 U.S.C. § 5533(c).
[21] E.g., CFPB, Final Rule, Limited Applicability of Consumer Financial Protection Act’s “Time or Space” Exception with Respect to Digital Marketing Providers, 87 Fed. Reg. 50,556, 50,557 (Aug. 27, 2022).
[22] High Level Summary at 7.
[23] Id. at 9.
[24] Id. at 20-21.
[25] Money 20/20 at 2 (cleaned up).
[26] Press Release.
This communication is issued by Schulte Roth & Zabel LLP for informational purposes only and does not constitute legal advice or establish an attorney-client relationship. In some jurisdictions, this publication may be considered attorney advertising. ©2022 Schulte Roth & Zabel LLP.
All rights reserved. SCHULTE ROTH & ZABEL is the registered trademark of Schulte Roth & Zabel LLP.