The CFPB has issued an Advance Notice of Proposed Rulemaking in connection with its rulemaking to implement Section 1033 of the Dodd-Frank Act.  Section 1033 requires consumer financial services providers to give consumers access to certain financial information.  Comments on the ANPR will be due no later than 90 days after the date the ANPR is published in the Federal Register.

Section 1033 requires that “[s]ubject to rules prescribed by the Bureau, a covered person shall make available to a consumer, upon request, information in the control or possession of such person concerning the consumer financial product or service that the consumer obtained from such covered person, including information related to any transaction, or series of transactions, to the account including costs, charges, and usage data.  The information shall be made available in an electronic form usable by consumers.”  It also requires the Bureau to consult with the Fed, OCC, FDIC, and FTC to ensure, to the extent appropriate, that any rule implementing Section 1033 imposes substantively similar requirements on covered persons, takes into account conditions under which covered persons do business both in the U.S. and in other countries, and does not require or promote the use of any particular technology in order to develop compliance systems.

The Bureau indicates in the ANPR that its discussion of the issues raised by Section 1033 implementation and the questions on which it seeks comment are informed by the various steps it has previously taken with respect to Section 1033.  Those steps include a 2016 request for information, a 2017 statement of principles, and a 2020 symposium.

Highlights of the Bureau’s discussion include the following:

  • In recent years, there has been a rapid and substantial growth in the number and usage of products and services that use or rely upon consumers’ ability to authorize third-party access to consumer data.  The growth in authorized data access has been accompanied by an expansion of the number of distinct applications for authorized data, such as personal financial management, financial advisory services, assistance in shopping for and selecting new consumer financial products and services, making payments, credit profile improvement and underwriting.
  • While data users may access consumer data from data holders without the use of intermediaries, the Bureau understands that currently most authorized data access is effected through data aggregators who access and transmit consumer financial data pursuant to consumer authorization.  While the market for data aggregation services has thus far focused primarily on aggregators offering services to data user clients, there has been a shift in recent years towards aggregators performing services for providers in the providers’ capacity as data holders.
  • To date, most consumer-authorized third parties have accessed consumer data through data holders’ digital banking portal using digital banking credentials the consumer shared with third parties.  Such access generally does not require a formal agreement between data holder and data user or aggregator.  Recently, formal, bilateral access agreements between large aggregators and large data holders have emerged.  These agreements seek generally to move authorized access away from credential-based access and screen scraping toward tokenized access, commonly through application programming interfaces or “APIs.”  Recent developments may signal a broader move towards multilateral standards for data access, similar to how network standard function in two-sided payment card markets.
  • It is unclear how evolving access practices and standards will effect competition or innovation in markets in which participants use authorized data or how effectively they will address other consumer protection risks that may arise with authorized access, including risks related to the methods by which consumer data is accessed and the purposes for which data users may use authorized data.
  • Other federal laws with potential implications for consumer access to financial records pursuant to Section 1033 include the Gramm-Leach-Bliley Act, the FCRA, and the EFTA.

The ANPR contains a series of questions on which the Bureau seeks comment.  The questions are grouped into the following nine topics:

  • Benefits and costs of consumer data access
  • Competitive incentives and authorized data access
  • Standard-setting
  • Access scope
  • Consumer control and privacy
  • Legal requirements other than section 1033
  • Data security
  • Data accuracy
  • Other information