On October 22, 2020, the Consumer Financial Protection Bureau (CFPB or Bureau) issued an advance notice of proposed rulemaking (ANPR) that seeks comment on consumer access to financial information, pursuant to Dodd-Frank Act Section 1033. In the ANPR, the CFPB asks for input to aid the development of regulations to implement Section 1033, which imposes a new obligation on financial institutions to provide consumers, upon request, with electronic access to their account information, subject to rules to be promulgated by the CFPB. In its press release, the CFPB noted that “[w]hile consumer access to financial records can enable the development of innovative and beneficial consumer financial products, it can also present consumer risks.”
Section 1033 requires a “covered person” to make available to a consumer “information in the control or possession of the covered person concerning the consumer financial product or service that the consumer obtained from such covered person,” including information relating to any transaction, series of transactions, or the account, including costs, charges, and usage data. 12 U.S.C. § 5533. Covered persons include any person that offers or provides a “consumer financial product or service,” as well as certain affiliates. Section 1033 further requires a covered person to make this information available in an electronic form that is usable by the consumer. Section 1033 is silent regarding the right of a covered person to impose fees on consumers who access this information, and the ANPR does not address this issue directly. Section 1033 appears to apply to both existing customers and former customers.
A covered person is not required to make available to the consumer: (1) any confidential commercial information, including an algorithm used to derive credit scores or other risk scores or predictors; (2) any information collected by the covered person for the purpose of preventing fraud or money laundering, or detecting, or making any report regarding, unlawful or potentially unlawful conduct; (3) any information required to be kept confidential by any other provision of law; or (4) any information that the covered person cannot retrieve in the ordinary course of its business.
Section 1033 expressly states that it does not impose any duty on a covered person to “maintain or keep any information about a consumer.” However, other laws often require financial institutions to maintain records. For example, a financial institution may be required to maintain records as a matter of safety and soundness. Moreover, many consumer financial laws impose record retention requirements of their own. For example, the Equal Credit Opportunity Act generally imposes a 25-month record retention requirement after the date that a creditor takes action on an application, which may be extended for certain reasons. In short, a financial institution may have an independent duty to maintain records, and certain information in these records may ultimately be accessible by consumers pursuant to the Section 1033 disclosure requirement.
Under Section 1033, the CFPB is required to prescribe standards applicable to covered persons to promote the development and use of standardized formats for information to be made available to consumers. When prescribing rules under this section, the CFPB is required to consult with the federal banking agencies and the Federal Trade Commission to ensure, to the extent appropriate, that the rules: (1) impose substantively similar requirements on covered persons; (2) take into account conditions under which covered persons do business both in the United States and in other countries; and (3) do not require or promote the use of any particular technology in order to develop systems for compliance. Section 1033 became effective on July 21, 2011; however, since it is not self-executing, the section becomes fully effective when regulations of the CFPB are in place.
Consumers increasingly authorize data aggregators, other fintech companies, and other third parties to access and aggregate their data from various accounts held in financial institutions to provide products and services, including personal financial management advice, bill payment, fraud prevention, and identity verification. Such financial data aggregation allows companies to offer innovative products and services that make it easier for consumers to manage their finances. However, such access to consumer financial records has raised concerns among some in the financial services industry with respect to data security, privacy, and unauthorized access.
In 2017, the CFPB issued a set of consumer protection principles on provision of products and services based on consumer-authorized use of financial data. The principles address data access, data scope and usability, control of the data and informed consent, payment authorizations, data security, transparency on data access rights, data accuracy, accountability for access and use, and resolution of disputes regarding unauthorized access. In addition, the CFPB held a symposium on Section 1033 on February 26, 2020 and subsequently issued a report summarizing the proceedings.
The ANPR seeks public comment on a number of questions on topics relating to potential rulemaking. The topics include questions on:
In the absence of CFPB rulemaking under Section 1033, industry participants, including account-holding financial institutions, trade organizations, and data aggregators, have tried to find workable solutions for providing access to consumer information in a manner that appropriately accounts for consumer preferences, technical integrations, compliance risks, and data security liabilities.
These efforts have met with varying degrees of success. Regulations to implement Section 1033 may add substantial new requirements for covered persons to provide customer-authorized companies with electronic access to the customer’s account and transaction information. At the same time, the resulting regulations may help industry stakeholders by providing an agreed-upon framework where consumers may effectively control how their data is accessed and shared.
Comments are due within 90 days after publication of the ANPR in the Federal Register, which is anticipated shortly.