Privacy & Information Security Law Blog

On October 22, 2020, the Consumer Financial Protection Bureau (“CFPB”) issued a notice of proposed rulemaking (the “Proposed Rule”) to implement Section 1033 of the Dodd-Frank Act (the “Act”) regarding consumers’ access to their financial information.

The Proposed Rule contains five sections:

Section I summarizes the Act’s description of a consumer’s right to access his or her financial records. This section notes that the access provided to the consumer must include transaction information and summaries of costs, charges and usage data and must be made available in electronic form. Section I also discusses exemptions to the consumers’ access right, such as the fact that a financial institution is not required to divulge any confidential commercial information to the consumer (e.g., algorithms regarding credit scores).

Section II sets forth the defined terms for the Proposed Rule, distinguishing between “data holders” that control or possess consumer financial data and “data users” that use consumer data to provide products and services.

Section III provides an overview of the data access ecosystem and discusses the roles of various parties, including (1) financial institutions that provide traditional financial accounts; (2) fintech companies that access consumer financial data from a variety of sources to provide financial advisory services or assistance with selecting new consumer financial products and services; and (3) data aggregators. Section III also discusses how increased data access has the potential to increase financial competition and innovation. Finally, Section III briefly discusses other consumer financial privacy laws such as the Gramm-Leach-Bliley Act (“GLB”), the Fair Credit Reporting Act and the Electronic Fund Transfer Act.

Section IV summarizes the CFPB’s prior actions regarding consumer-authorized data access. These include a prior request for information from industry participants, a stakeholder report and a recent symposium involving large and small banks, data aggregators and their trade groups, fintech companies, consumer advocates and other market observers and researchers.

Section V includes a series of questions on the issue of consumer access to financial data. These questions include:

• What are the costs and benefits of consumer data access?
• What costs to consumers flow from authorized data access?
• Are there ways in which access to consumer data has limited (or may in the future limit) competition and innovation resulting in harms to consumers?
• Do customers of smaller financial entities receive the same benefits from competition and innovation enabled by consumer data access as do customers of larger entities?
• Are there types of financial entities that should not be subject to the access requirements?
• Are there specific data elements to which the Act’s access rights should not apply?
• To what extent does direct access to consumer data pursuant to the Act raise any privacy concerns that should be considered by the CFPB?
• How should any potential regulation consider data security concerns?

The Proposed Rule is an important development because financial institutions are not subject to similar access requirements in other federal and state privacy laws. For example, the California Consumer Privacy Act, which requires business in California to provide access to consumers’ personal information, explicitly excludes nonpublic personal information collected pursuant to GLB.

Interested parties may submit comments on the Proposed Rule to the CFPB until February 4, 2021.