New federal regulation on financial data: CFPB publishes long-awaited notice of proposed regulation | Arent Renard


It would also extend beyond the banking sector and encompass technology companies. What does this mean, why now and what are the opportunities that come with it? Below, we address each of these questions.

Legal authority for the new rule: Section 1033

Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) of 2010 authorized the Bureau to draft new regulations outlining specific statutory obligations of businesses with respect to consumer data access and financial data protection. But there have been no official regulations on this for ten years. On October 22, 2020, the Bureau published an “Advance Notice of Regulatory Proposal” (ANPR) seeking comments on how best to implement Section 1033.

Subject to certain exceptions, section 1033 provides, in part:

A covered person makes available to a consumer, upon request, information under the control or possession of the covered person regarding the consumer financial product or service that the consumer has obtained from that covered person, including information relating to any transaction, series of transactions, or on the account, including costs, fees and usage data.[1]

This statutory language is incredibly (and intentionally) non-specific. As a rule, the rules of the Bureau or other agencies in the consumer credit industry are tailored to a product, for example, debt collection services, payday loans, electronic bank transfers, etc. On the face of it, however, the Section 1033 obligation is not limited to a single industry, but rather regulates every imaginable consumer financial product or service. At a minimum, this will include all types of consumer loans, loan services, brokers, personal or real estate leases, deposit collection activities, stored value instruments, check cashing, payments, financial advisory services, consumer reports (credit scores), debt-collection, and FinTech.

As a result, the obligation applies not only to data companies, but also to banks, non-bank financial services companies, merchants, mortgages, payments, auto finance, technology companies, retailers, data aggregators, prepaid card providers, student loans and more.

Why are the proposed regulations important for the FinTech and banking industries?

The proposed regulations are the first of their kind and aim to fill a void in the patchwork of federal and state privacy regulations created, among other things, by technological innovation.

With the proliferation of third-party authorized consumer access in the FinTech industry, new business models present the need for regulators to address consumer protection concerns arising from, among other things, FinTech application programming interfaces (APIs), which allow clients to do more with their money without the need to visit a local bank branch or brokerage house. Why? Some of the policy concerns are illustrated in the following hypothetical.

A consumer wants to manage her family’s household expenses using a personal budgeting mobile app. An API allows the application to communicate directly with the server of the consumer’s bank. By clicking yes on the app to give it (i.e. app (and do it instantly without waiting to check minute deposits over multiple days). From a business point of view, significant friction is removed by authorized access. Some of the policy concerns for regulators triggered by this model, however, include: how far should consumers be able to access their data, how do we protect the transfer of bank data, how should financial records be collected and stored by the application, what should the application be allowed to do with the data, what level of information should the consumer have the right to see, and who is responsible in case of violation?

You might be wondering why these issues would not be addressed by existing federal law. Existing privacy and consumer protection regulations such as the Gramm-Leach-Bliley Act (GLBA), Electronic Fund Transfer Act (EFTA) and Fair Credit Reporting Act (FCRA) regulate financial data privacy, but are considered insufficient in some respects because they do not directly and expressly apply to each of the specific activities required to complete the transaction in the above model.

This is in part due to the fact that GLBA, EFTA, and FCRA were written decades before API technology existed.

The CFPB’s Section 1033 ANPR represents the first major step in regulating data privacy and transfers of financial records, period, including transfers using APIs. The key policy goal behind the ANPR is the notion that consumers should be able to control their own data. In fact, Bureau Director Kathleen Kraninger spoke publicly at a CFPB symposium in February 2020 and outlined how regulation should be enacted, in the face of a myriad of consumer-friendly innovations, in order to ensure that consumers can control their own data while using new technologies. As a result, the ANPR has the potential to affect a multitude of products and services, including payments, lead generators, peer-to-peer lending, e-commerce, crypto-commerce, improvement of credit score, financial management and other types of financial records transfers. To add to the existing complexity, the CFPB is also able to hold technology companies accountable (as service providers to financial service companies) for breaches of consumer privacy rules such as those envisioned by the ANPR.

Why are these regulations being proposed now? Does it signal a new policy direction for the post-election CFPB?

There are two reasons why these questions are now ripe enough to justify the CFPB’s public notice and comment process, which is triggered by formal regulation. First, the CFPB has focused on technology and data companies, both in terms of direct control of the application and indirect investigations through monitoring processes. Second, it simply takes time for rule-making processes to mature in a young agency. In the first years after the founding of the CFPB in 2010 (and independence in 2011), the CFPB was busy meeting legislated deadlines on other rules (e.g., mortgages) that took precedence over other priorities in the 18 other listed statutes of CFPB or Dodd-Frank Act authorities. It naturally took the Bureau several years to arrive at Section 1033, and the Bureau has used the last decade to gather relevant information to refine the agency’s policy preferences on data protection. For example, the Bureau first issued a Request for Information in 2016. In 2017, the Bureau issued a Statement of Principles (the Principles) for the data aggregation marketplace.

The lack of specificity of the CFPB principles has led to uncertainty in the market, as players across the data ecosystem have sought to assign privately determined liability regimes in bilateral agreements. In February 2020, the Bureau hosted the Symposium to begin formal implementation of Section 1033.

Rather than a sudden policy shift in the wake of the general election, last month’s rule-making on the Section 1033 effort represents the natural maturation of a regulatory initiative that has been ongoing for many years. Fortunately, the ANPR as published is worded broadly enough to allow companies the opportunity to provide comments on the scope of regulation and compliance measures.

What opportunities are presented to companies by section 1033 ANPR?

The ANPR is soliciting public comments on 45 separate issues, with the ultimate goal of assisting the Bureau in developing draft regulations under Section 1033. This process gives businesses an opportunity to bring to the Bureau’s attention the information needed to define their own compliance expectations. The ANPR also presents a neutral, non-adversarial forum for businesses to contribute to efforts to draft national standards for consumer data access and privacy. Without industry involvement, it may be more difficult to ensure that the new rules are pragmatic. To participate in the feedback process, it is not necessary to have an answer to all 45 questions.

For convenience, we’ve condensed the 45 questions into the following eight key topic categories:

  1. The harms and benefits arising from consumer-authorized access to data by third parties.
  2. The extent to which market competition (between small and large data owners, data users and data aggregators) is expected to influence the types of restrictions on authorized access to data.
  3. Should the government impose requirements that standardization work should be undertaken by businesses in the authorized data access ecosystem and if so, how?
  4. Who should be covered by the regulation? What exclusions should apply?
  5. How does direct access to consumer data pose privacy concerns that the Bureau should act to protect? To what extent should the government take into account the understanding and expectations of consumers based on the disclosures?
  6. What other laws or rules (federal, state or foreign), if any, conflict with the proposed obligation to make consumer data accessible under Section 1033? How should the agency deal with this tension?
  7. Are there sufficient incentives for market players to ensure the security of consumer data, or should the agency take specific measures to improve existing rules governing data security?
  8. What are the risks of data inaccuracy in the data access ecosystem and what should the Bureau do about it?

Although not stated explicitly, we expect the Bureau may use research to help determine what is not an unfair, deceptive or abusive practice (Sections 1031 and 1036 of the Dodd-Frank Act) regarding access to consumer data. The ANPR questions set out a practical outline for doing this.

Comments are due February 4, 2020.

[1] 12 USC § 5531. As stated in the Dodd-Frank Act, a “covered person” includes any individual, firm, corporation or other entity that undertakes to “offer or provide a financial product or service to consumers” and any corporation affiliated with such an individual or entity insofar as the affiliate acts as a service provider. 12 USC § 5481 (6).

