November 30, 2020
Ask and You Shall Receive: CFPB Issues ANPR on Consumer-Permissioned Access to Financial Records
Financial institutions and fintech firms increasingly access consumer financial data and provide services to consumers using data from various financial accounts. This includes programs that assist consumers in managing budgets, making payments and monitoring their accounts as well as programs that access consumer financial information to verify a consumer's identity when the consumer opens a new account or applies for a loan. To date, the Consumer Financial Protection Bureau has maintained a hands-off approach focused on research and guidance, seeming to leave space for innovation and market development. With looming litigation involving larger platforms and questions of consent, we may be seeing signs that the CPFB is considering regulating consumer-permissioned access to financial records.
The CFPB first issued a Request for Information ("RFI") about the challenges consumers face in securely sharing access to digital financial records in November of 2016. In the RFI, the CFPB sought to gather information about the benefits and risks of consumer-permissioned sharing of financial information. Following up on the RFI, on February 26, 2020, the CFPB held a symposium on Consumer Access to Financial Records and Section 1033 of the Dodd-Frank Act. According to the CFPB, the symposium's purpose was to elicit a variety of perspectives on the current and future state of the market for services based on consumer-authorized use of financial data. In particular, the symposium was aimed at exploring consumer protection in today's dynamic financial services marketplace while stimulating a proactive and transparent dialogue to assist the CFPB in its policy development process, including possible future rulemakings.
More recently, the CFPB published a blog entitled What to Consider When Sharing Your Financial Data (July 24, 2020) directed at educating consumers about data sharing. In the blog, the CFPB explained how data sharing works, offered information to consumers about making sure they are comfortable sharing their data, and provided suggestions for protecting their data.
With that backdrop, the CFPB now has turned to rulemaking. On October 22, 2020, the CFPB issued an Advance Notice of Proposed Rulemaking ("ANPR") requesting information for a rulemaking related to consumer-authorized data access, or third-party access to consumer financial data pursuant to the consumer's permission pursuant to Section 1033. Section 1033 of the Dodd-Frank Act provides that a consumer financial services provider must make available to a consumer information in the control or possession of the provider concerning the consumer financial product or service that the consumer obtained from the provider. This requirement includes information relating to any transaction, to any series of transactions, or to the account, including costs, charges, and usage data. Such information must be made available in an electronic form that is usable by consumers. Section 1033 specifically provides the CFPB with authority to establish rules related to such access.
The ANPR seeks information regarding the scope of data that should be subject to protected access and the concerns that might arise regarding such access, including security, privacy, consumer control, accountability for errors, and unauthorized access. Additionally, the ANPR solicits feedback as to areas of potential regulatory uncertainty and how such regulatory uncertainty may be negatively impacting consumers.
The ANPR further seeks comments and information on ways that the CFPB might effectively and efficiently implement the financial record access rights described in Section 1033, recognizing that various market participants have helped authorized data access become more secure, effective, and subject to consumer control. The CFPB posed a series of questions seeking comments and information on topics, including costs and benefits of consumer data access, competitive incentives, standard setting, access scope, consumer control and privacy, and data security and accuracy.
The ANPR's was published in the Federal Register on November 6, 2020, and comments are due on or before February 4, 2021.