The CFPB has taken a significant step towards issuing regulations to implement Section 1033 of the Dodd-Frank Act by releasing an outline of the proposals it is considering in preparation for convening a small business review panel (Panel). Section 1033 authorizes the CFPB to issue rules requiring “a covered person [to] make available to a consumer, upon request, information in the control or possession of such person concerning the consumer financial product or service that the consumer obtained from such covered person, including information related to any transaction, or series of transactions, to the account including costs, charges, and usage data.”
The Small Business Regulatory Enforcement Fairness Act (SBREFA) and the Dodd-Frank Act require the CFPB to convene a Small Business Review Panel (Panel) when developing rules that may have a significant economic impact on a substantial number of small businesses. The Panel, which includes representatives from the CFPB, the Small Business Administration’s Chief Counsel for Advocacy, and the Office of Information and Regulatory Affairs in the Office of Management and Budget, is required to consult with representatives of small business entities that will likely be subject to the rules under consideration. The Panel must complete a report on the input received from the small business representatives within 60 days of convening. In its Spring 2022 rulemaking agenda, the CFPB gave an estimated November 2022 date for convening the Panel. This estimate is consistent with remarks given by Director Chopra preceding the release of the SBREFA outline in which he stated that the CFPB will publish its SBREFA report in the first quarter of 2023 and plans to issue a proposed rule later in 2023 to be finalized in 2024.
The Bureau is considering a proposed rule that would include the following provisions:
Coverage. A “covered data provider” is (1) a “financial institution” as defined in Regulation E with respect to an “account” as defined in Regulation E, or (2) a Regulation Z “card issuer” with respect to “a credit card account under an open-end (not home-secured) consumer credit plan” as that term is defined in Regulation Z. Consistent with these definitions, a financial institution that does not hold consumer accounts, but that issues access devices (such as digital credential storage wallets) and provides EFT services (such as payment services through the wallets), would be a covered data provider with respect to the EFTs it processes, notwithstanding that the EFTs rely on funds in an account held by another financial institution. Similarly, a card issuer that does not hold consumer credit card accounts but that issues credit cards, such as by issuing digital credential storage wallets, would be a covered data provider with respect to the consumer credit card transactions it processes, notwithstanding that the transactions rely on card accounts held at another financial institution. The CFPB is considering possible exemption criteria, such as a threshold based on asset size or activity level (for example, number of accounts). The CFPB also notes that it is proceeding to regulate Regulation E accounts and Regulation Z credit card accounts first because they implicate payments and transaction data, but it intends to evaluate how to proceed with regard to other data providers in the future.
Recipients of information. Section 1033 generally requires data providers to make information available to a “consumer,” which includes making information available directly to the consumer and to an agent, trustee, or representative acting on behalf of a consumer (which the outline refers to as “third-party access”). The proposal includes an authorization procedure under which a third party seeking to access consumer information would be required to (1) provide an “authorization disclosure” to inform the consumer of the key scope and use terms of access, (2) obtain the consumer’s express consent to the key terms of access contained in the disclosure, and (3) certify to the consumer that it will adhere to certain obligations regarding the collection, use, and retention of the consumer’s information. Key scope terms to be included in the authorization disclosure might include the general categories of information to be accessed, the identity of the covered data provider and the accounts to be accessed, terms related to the duration and frequency of access, and how to revoke access. Key use terms might include the identity of intended data recipients (including any downstream parties) and data aggregators to whom the information may be disclosed, and the purpose for accessing the information.
Types and scope of information a covered data provider must make available. The categories of information that the CFPB is considering requiring covered data providers to make available with respect to covered accounts are:
- Periodic statement information for settled transactions and deposits
- Information regarding prior transactions and deposits that have not yet settled
- Other information about prior statements not shown on periodic statements or portals, such as data elements received from a payment network regarding the interbank routing of a transaction.
- Online banking transactions that the consumer has set up but that have not yet occurred, such as information about companies for which the consumer has provided information to allow the covered data provider to make payments to the companies on the consumer’s behalf.
- Account identity information, such as the consumer’s age, gender, marital status, race, ethnicity, residential and email addresses, and phone, social security and driver’s license numbers.
- Other information, such as consumer reports used by the covered data provider in making decisions about the consumer and fees charged by the covered data provider in connection with its covered accounts.
With regard to the scope of current and historical information that a covered data provider would have to make available, the CFPB is considering proposing that a provider would only be required to make available information going as far back in time as the provider makes transaction history available directly to consumers. The CFPB indicates that this approach reflects Dodd-Frank Section 1033(c) which states that Section 1033 shall not be construed to impose a duty on a data provider to maintain or keep any information about a consumer.
Availability of information. For consumer requests for direct access to information, the CFPB is considering proposing that a covered data provider would be required to make information available through online account management portals if it has enough information to reasonably authenticate the consumer’s identity and reasonably identify the information requested. Providers would be required to allow consumers to export the information in both human-readable and machine-readable forms.
For third-party requests for information, the CFPB is considering proposing that covered data providers would be required to establish and maintain a third-party portal that does not require the authorized third party to possess or retain consumer credentials. The third-party portal would have to meet certain availability requirements dealing with (1) the portal’s general reliability in responding to electronic requests for information by an authorized third party, (2) the length of time between the submission of a request to a portal and a response, (3) system maintenance and development that involve planned interruptions of data availability and responses to unplanned interruptions, (4) responses to notices of errors from authorized third parties, and (5) limits on fulfilling a request for information even when data are otherwise available.
The CFPB is also considering what role screen scraping should play in the context of a covered data provider’s compliance with the rule. However, the CFPB is concerned that screen scraping has significant limitations and risks for consumers, data providers, and third parties, including risks related to possession of a consumer’s credentials. In the outline, the CFPB asks the Panel for input on a variety of issues relating to screen scraping. For example, the CFPB suggests the possibility of staggered implementation periods and asks for input on how the appropriate time for required compliance might be impacted if covered data providers were permitted to rely on screen scraping to comply with an obligation to make information available to authorized third parties before they establish a third-party access portal. It also seeks input on how the CFPB could mitigate the consumer risks associated with screen scraping to the extent screen scraping is a method by which covered data providers are permitted to satisfy their obligations to make information available, such as by requiring covered data providers to provide access tokens to authorized third parties to use to screen scrape so that third parties would not need a consumer’s credentials to access the online financial account management portal.
With respect to availability and accuracy of information, the CFPB is considering (1) requiring covered data providers to establish and maintain reasonable policies and procedures to ensure availability and to ensure that the transmission of information through the portal does not introduce inaccuracies, (2) establishing performance standards related to third-party portal availability and accurate transmission of information through portals, (3) prohibiting covered data provider conduct that adversely affects the third-party portal availability factors or the accurate transmission of information, or (4) requiring a combination of (1) through (3).
With respect to security of third-party access portals, the CFPB states that because all, or nearly all, covered data providers must comply with the Safeguards Rule or Guidelines issued under the Gramm-Leach-Bliley Act (GLBA), it is not considering proposing new or additional data security standards other than with respect to the method for authenticating the authorized third party. The CFPB is considering proposing that a covered data provider would be required to make information available to a third party, upon request, when the provider has received evidence of the third party’s authority to access information on behalf of a consumer, information sufficient to identify the scope of the information requested, and information sufficient to authenticate the third party’s identity. To implement this requirement, the CFPB is considering proposing that:
- To be an authorized third party, a third party would generally have to provide the consumer an “authorization disclosure” as discussed above. For data recipients that partner with data aggregators to facilitate linking consumers’ financial accounts to the data recipients’ systems, the CFPB expects that in many cases, data aggregators would likely provide the required authorization disclosure and certification statement on behalf of the third parties involved.
- A covered data provider would be required to make information available on the durational terms and frequency requested by the third party unless the authorization has been revoked or has lapsed.
- In addition to determining that a third party is authorized to act on a consumer’s behalf before making information available, a covered data provider would need to have received information sufficient to authenticate the third party’s identity.
Third party obligations. The CFPB is considering proposals to limit authorized third parties’ collection of information to what is reasonably necessary to provide the product or service the consumer has requested. As used in the outline, a third party is generally a “data recipient” or a “data aggregator.” A “data recipient” is a third party that uses consumer-authorized information access to provide (1) products or services to the authorizing consumer or (2) services used by entities that provide products or services to the authorizing consumer. A “data aggregator” is an entity that supports data recipients and data providers in enabling consumer-authorized information access. Third parties would be:
- Permitted to access consumer-authorized information for only as long and as often as would be reasonably necessary to provide the product or service the consumer has requested. The CFPB is considering proposing a maximum authorized duration after which third parties would need to seek reauthorization for continued access.
- Required to provide consumers with a simple way to revoke authorization at any point consistent with the method used by the consumer to provide authorization.
- Limited in their use of consumer-authorized information to what is reasonably necessary to provide the product or service that the consumer has requested, including the third party’s own use and the sharing of data with downstream entities. The approaches under consideration by the CFPB include prohibiting: all secondary uses; certain high risk secondary uses; any secondary use unless the consumer opts into such uses; or any secondary uses that the consumer has opted out of.
- Obligated to delete consumer information that is no longer reasonably necessary to provide the product or service that the consumer has requested or upon revocation of the consumer’s authorization, subject to an exception for compliance with other laws.
While the CFPB believes that authorized third parties are also likely subject to the GLBA data security safeguards framework, it is nevertheless considering whether it should impose specific data security standards on authorized third parties. General approaches under consideration include requiring authorized third parties to develop, implement, and maintain a comprehensive data security program appropriate to the third party’s size and complexity and the volume and sensitivity of the consumer information involved. This approach could be combined with a provision incorporating the GLBA framework as a specific option for complying with any CFPB data security requirements. Alternatively, the CFPB could require compliance with the GLBA framework.
Other proposals for authorized third party users that the CFPB is considering include:
- A requirement for third parties to maintain reasonable policies and procedures to ensure the accuracy of the information they collect and use to provide the product or service the consumer has requested, including procedures for addressing disputes submitted by consumers. (The CFPB notes that while the FCRA, EFTA, and TILA impose accuracy requirements relating to, respectively, information furnished to consumer reporting agencies, errors in connection with EFTs, and billing and servicing errors, there is no law that creates general accuracy requirements regarding the collection of data by authorized users.)
- A requirement for third parties to periodically remind consumers how to revoke authorization and to provide consumers with a mechanism to request information about the extent and purposes of the third party’s access.
- A record retention requirement to demonstrate compliance with certain requirements of the rule. (The CFPB is also considering a record retention requirement for covered data providers.)
At a high level, the regulatory regime that the CFPB is considering imposing on data providers and data users is very similar to what all of the new U.S. state privacy laws require: data access rights, data minimization, and limitations on third-party sharing and usage of covered data. The U.S. state privacy laws largely exempt financial institutions and GLBA-covered data from their scope. If the CFPB were to adopt the requirements it is considering in something approaching their current form, it likely will disrupt the compliance programs and policies of financial institutions that built those programs and policies on the understanding that they could use GLBA-covered data without concern for the types of requirements found in state privacy laws. For example, financial institutions have already begun taking steps to comply with the California Privacy Rights Act’s contracting requirements for service providers, which go into effect in January 2023. The California law imposes obligations on financial institutions only for data they collect that is not subject to GLBA. The new obligations that the CFPB is considering imposing on the use of both GLBA-covered data and data that is not covered by GLBA could require amendments to service provider and third-party contracts.