As discussed here, on October 27, 2022, the CFPB released an Outline of Proposals and Alternatives Under Consideration for public comments on the CFPB’s Section 1033 rulemaking. The window for providing written feedback closed on January 25, 2023. Below we have highlighted some of the submissions by industry and consumer groups.
The proposed rules are limited, at this time, to deposit accounts, credit cards, digital wallets, prepaid cards, and other transaction accounts. The proposed rules being considered, amongst other things, would:
- Require a defined subset of Dodd-Frank Act covered persons that are data providers to make consumer financial information available to a consumer or an authorized third-party.
- Require covered data providers to make available information such as: periodic statements; information regarding prior transactions and deposits that have not yet settled; information about prior transactions not typically shown on periodic statements or online financial account management portals; online banking transactions that the consumer has set up but that have not yet occurred; and account identity information.
- Ensure that data providers transmit consumer information accurately through third-party access portals.
- Limit third parties’ collection, use, and retention of consumer information to what is reasonably necessary to provide the product or service the consumer has requested.
The CFPB proposals reflect an “open banking” vision that would shift away from the current practice of “screen scraping” financial information to a system in which banks set up application programming interfaces (APIs) and data portals for transferring consumer information to so-called “data aggregators” purportedly acting on behalf of consumers.
The Small Business Regulatory Enforcement Fairness Act of 1996 (SBREFA) required the CFPB to elicit feedback on the impact of its proposed rulemaking on small entities, and many industry groups took advantage of this comment window to express concerns about, amongst other things, data security risks, potential liability from data breaches, and implementation time.
Data Security:
The American Bankers’ Association (ABA) emphasized in its letter that the industry is committed to “consumers’ ability to access and share their financial data in a secure, transparent manner that gives them control,” but it identified multiple concerns with the CFPB’s proposed rulemaking, including the CFPB’s failure to adequately address data security. “The information that data aggregators are able to collect — which includes not just information from a single account of the consumer but potentially all of the consumer’s financial accounts — makes data aggregators an attractive target for bad actors as well as [a] potential channel for criminals to obtain and use sensitive information.” One way the ABA proposed to address this concern was for the CFPB to allow for situations in which data providers may refrain from fulfilling a request for access notwithstanding consumer consent. The ABA further emphasized the need for the CFPB to extend its supervision to cover data aggregators.
The Credit Union National Association (CUNA)’s comments to the CFPB proposed that the CFPB address data privacy concerns by taking ownership of the required verifications before access to consumers’ financial information is provided to third parties. Specifically, CUNA recommended that the CFPB: 1) authenticate third parties on behalf of covered data providers, including credit unions; 2) provide a database of authenticated third parties and specify that reliance on the CFPB’s database should be a safe harbor from CFPB action or litigation; and 3) pare back the categories of information required to be made available by covered data providers.
The Electronic Privacy Information Center (EPIC)’s letter echoed the need to cull down the categories of required information that could be shared. “[W]e recommend that the [CFPB] impose a more exacting standard for sensitive information, limiting authorized third parties’ collection of sensitive consumer data to what is strictly necessary to provide the product or service the consumer has requested (i.e., data without which it is impossible to provide such product or service).”
In its letter, the Consumer Data Industry Association (CDIA), the trade association for consumer reporting agencies, requested that consumer reports and information derived from consumer reports be explicitly excluded from the definition of covered data. The CDIA also proposed safeguards to ensure data privacy. The CDIA proposed that before a third party is granted access to covered data, the data provider should not only be required to obtain evidence to authenticate the third party, but also be required to authenticate that the recipient requesting access is the third party whose identity has been verified — meaning not only confirming that the third party is who it says it is, but also that the third party identified in the consumer’s authorization is the recipient requesting access.
A multi-step login approach was also advocated by the Financial Technology Association (FTA), which proposed the use of third-party data portals that can encrypt and tokenize login credentials to reduce the risk that sensitive information is inadvertently accessed. Additionally, the FTA proposed a multi-factor authentication process for the consumer requesting that its data be shared.
Shifting Liability:
In agreement with the ABA, the Financial Data and Technology Association of North America (FDATA), an organization advocating for customer-permissioned access to financial data, proposed in its letter that in the case of a data breach the liability should attach to the entity responsible for the breach. “[W]e strongly support the underlying principle that the entity responsible for a data breach that causes financial loss to an end user should be responsible for making that end user whole … .”
The Bank Policy Institute (BPI) agreed, stating in its letter, “[i]t is essential that the CFPB address the question of liability for loss or harm caused by the entity with possession, custody or control over the data or which is otherwise responsible for the loss or harm.” Specifically, “[f]or data providers, any liability for any incident leading to loss or harm should end when the data leaves the data provider’s portal.”
Implementation Time:
Depending on the type of organization being represented, there were differing views amongst industry groups on the ideal speed of the CFPB’s implementation schedule for the proposed rule.
FDATA urged the CFPB to “swiftly require availability of all covered data types for covered data accounts once this rule is finalized,” arguing that allowing “for the continued use of existing technologies, including credential-based access or PII and account number-enabled access in addition to dedicated data access portals, would facilitate the fastest and easiest transition into compliance and maximize customer benefit, particularly for the thousands of smaller data providers which will not be able to develop credential-less data access portal technology for the foreseeable future.”
The ABA, by contrast, cautioned that, given the current range of proposals under consideration by the CFPB, its members are not in a position even to estimate the time it would take to implement the requirements, and so the CFPB should proceed slowly. The “implementation period must give banks – and their core providers – sufficient time to develop, implement, and test APIs … And of course, the implementation period must give market participants of all sizes a reasonable opportunity to comply.”
In its letter, the Consumer Bankers Association (CBA) emphasized the Herculean task the CFPB is proposing and suggested a minimum of a year for implementation. “The [CFPB] significantly underestimates the ease with which a third-party access portal can be developed and implemented by data providers. Many data providers, small and large alike, do not currently have an [API] that could provide consumer information, especially to the extent currently under consideration, to authorized third parties. Developing an API from the ground up is costly and would pose a significant financial burden on many data providers. Moreover, data providers that seek to enter strategic partnerships to build out an API would need, at a minimum and under the best circumstances, at least 12 months. Even for data providers that already have a third-party access portal, the cost of maintenance would skyrocket to support the proposals in the SBREFA Outline.”