The CFPB has announced that it plans to issue an advance notice of proposed rulemaking (ANPR) later this year on consumer-authorized access to financial records.  The announcement was made concurrently with the Bureau’s release of a report summarizing its February 2020 symposium on this topic.

Section 1033 of the Dodd-Frank Act requires that “[s]ubject to rules prescribed by the Bureau, a covered person shall make available to a consumer, upon request, information in the control or possession of such person concerning the consumer financial product or service that the consumer obtained from such covered person, including information related to any transaction, or series of transactions, to the account including costs, charges, and usage data.”  In November 2016, the CFPB issued a request for information about market practices related to consumer access to financial information, and in October 2017, it released a set of “Consumer Protection Principles” for participants “in the developing market for services based on the consumer-authorized use of financial data.”

According to the Bureau, the symposium’s purpose was to allow the Bureau to hear from stakeholders and to review the Bureau’s approach to consumer-authorized third-party access to financial records, “which has been largely identifying and promoting consumer interests—in access, control, security, privacy, and other areas—and allowing the market to develop without direct regulatory intervention.”  The Bureau intends to use the ANPR to obtain information to help it understand and address competing perspectives. 

ANPR.  Through the ANPR, the Bureau will:

  • Solicit stakeholder input on ways that the Bureau might effectively and efficiently implement the financial access rights described in Section 1033.  While market participants have helped authorized data access become more secure, effective, and subject to consumer control, the Bureau sees indications that some emerging market practices may not reflect the access rights described in Section 1033.
  • Seek information regarding the possible scope of data that might be made subject to protected access as well as information that might bear on other terms of access, such as those relating to security, privacy, effective consumer control over access and accessed data, and accountability for data errors and unauthorized access.
  • Inquire into whether (and if so, how) regulatory uncertainty with respect to Section 1033’s interaction with other statutes within the Bureau’s jurisdiction, such as the FCRA, may be impacting this market to consumers’ potential detriment, and seek information that may help resolve such uncertainty.

Report on Symposium.  In the report, the Bureau summarizes its understanding of the key facts, issues, and points of contention raised at the symposium.  The Bureau describes the composition of the symposium’s three panels as follows:

  • Six panelists represented non-bank fintech companies and consisted of: three “aggregator” companies, one trade association that represents aggregators and other companies that rely on consumer-permissioned access to financial data, one consumer-facing lender that relies on consumer-permissioned financial data, and one industry attorney who represents companies that use consumer-permissioned financial data
  • Five panelists represented banks, consisting of four “large banks” and one “smaller bank”
  • Two panelists were consumer advocates
  • Three panelists were researchers

The Bureau highlights the views presented by stakeholders in the following areas:

  • Data access and scope.  Panelists focused on permissioned third-party access to consumer data, the scope of data consumers should be allowed to share via authorized third parties, and sharing of proprietary data.
  • Credential-based access and “screen scraping.”  Panelists discussed different methods for accessing consumer data, the benefits of replacing current methods with application programming interface (API)-based access, and challenges related to transitioning to API-based access.
  • Disclosure and informed consent.  Panelists discussed the adequacy of consumer disclosure and consent management practices of companies seeking consumer authorization for permissioned data sharing.
  • Privacy.  Panelists discussed privacy risks arising from credential-based access and screen scraping and whether increased regulatory oversight of aggregators and other fintechs is needed.
  • Transparency and control.  Panelists discussed consumer control over the data they permission, including consumers’ ability to monitor and regulate data flows, revoke access, and request retroactive deletion of data.
  • Security and minimization.  Panelists discussed security risks in permissioned data sharing and mitigation of such risks.
  • Accuracy, disputes, and accountability.  Panelists discussed accuracy of shared data and the FCRA’s applicability to credit-related uses of permissioned data, dispute resolution mechanisms for uses of permissioned data, and liability for unauthorized transactions associated with permissioned use of data.
  • Legal issues.  Issues raised by panelists included:
      • The meaning of Section 1033, including whether it is “self-executing” (i.e. effective without the issuance of Bureau rules), whether consumer agents (such as aggregators) are considered consumers for purposes of Sec. 1033, and whether Sec. 1033 provides authority for the Bureau to allow for data field exclusions from a consumer’s right to access or to deny data access to third parties relating to security concerns
      • Whether development of API standards should be market-led or Bureau-prescribed
      • Whether the Bureau should limit certain secondary uses of consumer-permissioned data
      • Whether a market-driven equilibrium of ultimate liability allocation for unauthorized transactions relating to permissioned data use would emerge absent regulatory intervention
      • Whether the Bureau, relying on Section 1033, should prescribe a right for consumers and permissioned third parties to access their data (as sought by fintechs)
      • Whether the Bureau should issue a larger participant rule for the data aggregation market (as sought by banks)