Over the last decade, the Consumer Financial Protection Bureau (CFPB) has been quietly taking steps toward regulating the way financial institutions allow parties to access consumer data. It began with the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank), passed in 2010, which contained Section 1033: a mandate for the CFPB to develop regulations around consumer rights to access their financial records.
More recently, on October 22, 2020, the CFPB issued an advance notice of proposed rulemaking (ANPR) soliciting feedback from stakeholders before it begins developing regulations around this topic. Last week, on February 4, 2021, the comment period for the ANPR closed.
Financial institutions, fintech companies, and data aggregators should pay close attention to the CFPB’s rulemaking agenda this spring, especially as it pertains to Section 1033.
What is Section 1033?
On its face, Section 1033 seems straightforward. The mandate directs “covered persons” to make information in their control or possession—including transaction information, costs, and usage data—available to consumers.
This seems benign enough. Most financial institutions and service companies already offer consumers at least one way to access their own account history fairly easily. Most, if not all, financial institutions and service companies offer online consumer portals with real-time transaction history available 24/7.
On the surface, it seems as though the CFPB is trying to remedy a problem the financial services industry has already solved.
But digging deeper into the ANPR reveals the CFPB’s real focus. The CFPB intends to use its rulemaking authority to focus on regulating third- and “fourth-party” access to consumer data.
The CFPB’s real concern lies with data aggregation
The rapid growth of non-bank financial technology (fintech) firms and data aggregators (companies that gather consumer data from multiple, discrete accounts in order to provide insights and services to the consumer) is the CFPB’s main concern here.
According to the CFPB, these fintech firms and data aggregators often have legitimate consumer authorization to access consumers’ data from financial institutions, and their intuitive functions, like budget management and money sharing, are very appealing to the average consumer.
But the data access ecosystem between these parties is too complex for the average consumer to understand. And, importantly, the imperfect data accessed and duplicated by the third- and sometimes fourth-party data aggregators results in more billing and credit reporting disputes for financial institutions.
As a result, the CFPB is stepping in to examine this ecosystem and determine what regulations need to be implemented.
Further steps to regulate access to consumer data are coming
Since its inception, the CFPB has not focused much on Section 1033. Instead, its approach to regulating access to consumer financial data has been to identify and promote consumer interests while allowing the market to develop through innovation, without direct regulatory intervention.
In the last six years, however, the CFPB has taken some steps to begin promulgating regulations around consumer data access, including:
- Issuing a request for information on this topic in 2016;
- Issuing consumer protection principles concerning consumer-authorized financial data sharing and aggregation in 2017;
- Organizing a symposium on this topic in 2020; and
- Publishing a report summarizing the 2020 symposium.
The October 2020 ANPR appears to be signaling the CFPB’s intent to shift away from its mainly passive role into a more active one.
Section 1033’s future under the Biden administration
Note that the CFPB began signaling this shift to a more active role concerning Section 1033 before the 2020 general election, so it is not directly tied to the Biden administration and the new CFPB leadership.
President Biden’s choice for incoming director of the CFPB, Rohit Chopra, has been known to take aggressive stances on both enforcement and technology companies. So it is likely that the CFPB’s focus on these issues will become more burdensome for financial institutions in the coming years, especially as it relates to financial institutions’ relations with third-party data aggregators and money transfer platforms.
Interestingly, the current Acting Director of the CFPB, Dave Uejio, issued a blog post last week in which he outlined his vision for the CFPB’s policy in the coming weeks. Section 1033 was not mentioned in that post. Rather, the CFPB appears focused on COVID-19 pandemic response as it relates to mortgage servicing.
Public comments identify liability, EFTA, and FCRA issues
The CFPB allowed stakeholders to publish comments regarding the ANPR on the regulations.gov website through February 4, 2021. There were 64 public comments posted from traditional financial institutions and service providers as well as fintech companies and data aggregators alike. Of note, many of the commenters focused on two central issues:
- Whether data aggregators can and should be considered “consumer reporting agencies” under the Fair Credit Reporting Act (FCRA) and regulated accordingly, and
- Whether an account-holding institution should bear liability under the Electronic Fund Transfer Act (EFTA) and Regulation E for an unauthorized transaction initiated by a data aggregator.
Regarding the applicability of the FCRA to data aggregators, the consensus among commenters is clear: If a data aggregator is assembling consumer-permissioned data to provide such data to a creditor/insurer for use in assessing that consumer’s creditworthiness, then that aggregator fits within the definition of a “consumer reporting agency” under the FCRA and should be regulated as such.
Some data aggregators, however, merely operate as a conduit for consumer data. Commenters requested clarity from the CFPB about what level of assembly or evaluation by the data aggregator is required before it becomes a “consumer reporting agency” as defined by the FCRA.
Many financial institutions expressed concern that they could be considered “furnishers” to data aggregators who are ultimately considered to be “consumer reporting agencies.”
Regarding who should bear liability under the EFTA and Reg. E, the commenters were less united. Many consumer rights groups commented that consumers are not able to absorb an unexpected loss from an unauthorized transfer that occurs because of a data aggregator, so the CFPB must protect the consumer’s right to contest unauthorized charges under the EFTA and Reg. E.
But many financial institutions expressed concern with the added regulatory and financial burdens this would place on account-holding institutions who do not have control over the data being held by fintech companies and aggregators.
Essentially, many commenters expressed concern that the current regulatory scheme leaves account-holding institutions holding the bag for the data aggregators’ failure to safeguard their data.