CFPB Moves Forward With 1033 Consumer Financial Data Access Rulemaking

By Chris Napier & Shelby Schwartz

On October 27th, the Consumer Financial Protection Bureau (CFPB) announced that it is moving forward with a Section 1033 rulemaking and provided an outline of proposals that would provide structure and limitations to financial services companies’ ability to obtain, use and redisclose consumer data from institutions holding the consumers’ accounts. Given that an entire data- and technology-based ecosystem has arisen around the concepts of data “portability” and a consumers’ right to their own financial data set forth in Section 1033, such rulemaking can profoundly alter the data sharing, privacy, and information security landscape for banks, lenders, fintechs, third-party service providers and many other companies. 

Section 1033 of the Dodd-Frank Act was created to foster competition by removing barriers to personal financial data portability. It provides a statutory right for consumers to obtain their account and transactional information from certain financial institutions in a usable form, and tasked the CFPB with promulgating implementing regulations. Over a decade has passed without a rulemaking by the Bureau, giving rise to data aggregation services that utilize consumer-permissioned access to online banking portals and screen-scraping currently fueling much of the financial technology (“fintech”) boom. With potential rules on the way seeking to require data-holding institutions to provide more structured access to consumer data while simultaneously looking to severely curtail the ability of other companies to obtain and use that data, the CFPB is poised to create both new opportunities and material costs and burdens for industry participants. 

The CFPB begins the rulemaking process by assembling a small business advisory review panel and releasing a slew of proposals for the industry to consider. Financial institutions will want to follow the Bureau’s activities in this space closely and consider submitting comments to its recently released proposals and, eventually, the proposed rule. Certain key elements of the Bureau’s initial proposals are highlighted below. 

The Takeaways: What Does This Mean for You? 

This announcement has major implications for all players in the financial services ecosystem. 

• Depository institutions and credit card issuers could face significant costs implementing new technology and be required to make accessible a much broader array of account and transactional data than has typically been made available to consumers in electronic form.   

• Data aggregators reliant on screen-scraping may need to pivot their business models, and a new set of third-party service providers could emerge to facilitate access across the industry or establish data clearinghouses. While such changes could lead to more consistent, higher-quality data, it would also lead to new data streams and formats that data consumers will need to invest engineering resources to digest. 

• Some fintechs, technology-focused banks and lenders, third-party service providers, and other companies could find new opportunities in an expansion of the types of data made available, while others may experience a significant diminution in the value of data they currently rely upon due to new restrictions on the use of that data.  

4 Key Elements of the Bureau’s Initial Proposals 

1. Covered Scope of Data 

The proposals consider six types of information that covered data holders would need to make available:  

• Periodic statement information, including information on account terms, conditions, interest rates and APRs 

• Information about pending transactions and deposits that have not yet settled. 

• Information about prior transactions not typically shown on periodic statements or online financial account management portals (I.e., online banking) 

• Online banking transactions that the consumer has set up but that have not yet occurred, such as future-dated fund transfers 

• Account identity information 

• “Other” information, such as fees assessed on accounts, bonuses, rewards, discounts, and even security breach information  

In general, the proposals suggest that the information currently made available by most data- holding institution’s online banking systems or similar would not meet a new Section 1033 rule’s requirements. While expanding the type and amount of financial data available to consumers will offer a wealth of opportunities for new products, services, and business models, it would also create new burdens on data-holders whose systems are not currently designed to capture or report such information to external parties electronically.  

2. Focus on Third-Party Access Technology and Data Security 

Given the financial services ecosystem that has arisen around the current breed of data aggregators, the CFPB assumes that the majority of consumer data access will occur through third parties who obtain consumer authorization to retrieve data from data-holding financial institutions on the consumer’s behalf. The proposals seek to impose standardized disclosure and consent requirements on such consumer authorizations, as well as obligate such third parties to abide by limitations on the collection, use, security, and retention of the data collected. 

The proposals are also clearly intended to eliminate screen scraping in favor of moving the industry toward the use of more secure and reliable methods of collecting and transferring data. Namely, through the use of application programming interfaces (commonly referred to as “APIs”), which the Bureau calls “access portals,” implemented by each data-holding financial institution. This may further lead to industry standardization with respect to how data accessible by such APIs is formatted. A sudden move away from data obtained through screen-scraping, combined with the creation of new data format standards, could necessitate significant engineering changes to existing products and services reliant on the current models. Data aggregators reliant on screen-scraping may face significant challenges to their business models and need to substantially revamp the product offerings and supporting technology that underpins their services, as well as potentially compete with new entrants to the industry. 

The proposals further suggest the creation of SLA-like standards for uptime, latency, unplanned outages, error response, and usage “caps” associated with the APIs data-holding institutions would need to implement. Banks and credit card issuers would thus need to invest in and develop APIs to meet the Bureau’s new standards, potentially placing burdens on institutions felt more sharply by smaller data-holders like community banks and credit unions. 

3. Coverage Limited to Deposit and Credit Card Accounts  

In contrast to the statutory language of Section 1033, the proposals indicate that the Bureau may limit which data holders need to make financial information available. The proposals suggest that only companies that meet the definition of “financial institutions” under Regulation E or “card issuers” from Regulation Z would need to comply with Section 1033. This means that the proposed rules will focus almost exclusively on deposit accounts, prepaid cards, wallets and credit cards, essentially excluding all other forms of lending. Institutions relying on data related to mortgages, installment loans, and other forms of credit beyond a consumer’s credit report, as well as debt collection related data, may therefore have a more difficult time accessing such data in the future, particularly when combined with other limitations the CFPB is considering. 

4. Limitations on Authorized Third-Party Use of Data 

A significant portion of the proposals is devoted to considering different methods for limiting how authorized third parties can access and use consumer financial data obtained from data-holding institutions. In many respects, these proposed limitations are similar to those found in the GLBA’s reuse-and-redisclosure provisions or in the EU’s General Data Protection Regime (“GDPR”). One proposal would restrict third parties to collecting consumer information for only as long, and as often, as is reasonably necessary to provide the product or service that the consumer has requested. Additional approaches prohibit some or all secondary uses of the data. For many companies that currently obtain access to data through aggregators, this would present a significant diminution in the amount and value of data currently being ingested. For example, it could impact a company’s ability to use data to train machine learning models or fine-tune underwriting algorithms, develop new products and services, or to engage in marketing. In addition, the proposals consider imposing data retention limits and requirements for providing consumers the ability to revoke an institution’s access to their data.  

How to Participate in the Rulemaking Process 

While the CFPB independently selects members of the small business advisory review panel, other stakeholders may provide written feedback on the CFPB’s initial proposals. Such feedback should be emailed here no later than January 25, 2023. Once the panel convenes, the CFPB will publish a report of its input, which is expected in the first quarter of 2023. 

After the report is released, the Bureau will publish a Notice of Proposed Rulemaking, likely in the second quarter of 2023. At that time, industry participants will be able to submit comments once more on the Bureau’s proposed rule. 

How Can We Help?  

If you have any questions about how a Section 1033 rule may impact your institution or would like to discuss submitting comments to the Bureau, please contact Chris Napier or Shelby Schwartz. 

About The Authors

SIGN UP FOR UPDATES

Never miss our news, insights or events.

FEATURED NEWS