The Consumer Financial Protection Bureau (“CFPB”) is beginning to develop a data portability rule that it hopes will promote greater competition and consumer choice (the “Data Rule”). The initial draft of the data rule applies to “financial institutions” under Regulation E and to “credit card issuers” under Regulation Z. This covers “financial institutions offering deposit accounts, credit cards, digital wallets, prepaid cards and other transaction accounts”. It would also reach businesses that provide electronic funds transfer services through an “access device” even if that business does not hold the account.
The CFPB is seeking input from regulated entities to assist in developing these regulations. The burden that the ultimate data rule will impose is far from clear. In addition to the costs of complying with an entirely new regulation, covered entities will also face the technical challenge of making the data they hold accessible “on demand” to the universe of recipients envisaged by the data rule. Potential solutions are difficult to anticipate from the outline of the current CFPB proposal.
While Congress has required that the CFPB consult with small businesses specifically to address the particular burdens they will face, all regulated entities are invited to submit comments.
The Dodd-Frank Act provides that consumers have the right to request the information that a financial institution has about the financial product or service that the institution has provided to the consumer, but only after the CFPB has implemented regulations on how to proceed. The information may include, but is not limited to, the consumer’s transaction history, or costs, fees, or usage data related to that consumer.
Limited existing legislation on consumer data
The CFPB recognizes that there are few federal laws on consumer data privacy, data rights, or cybersecurity. For example, the Fair Credit Reporting Act (“FCRA”) protects the detailed personal information that consumer reporting agencies and credit bureaus collect by limiting the “permitted purposes” for which they may disclose that information. Additionally, the Gramm-Leach-Bliley Act (“GLBA”) and Regulation P require banking institutions to provide notice of privacy practices to consumers upon onboarding and annually thereafter.
Although the CFPB administers these regulations, Director Chopra complained that “most [existing regulation] involves financial institutions handing consumers a lot of fine print that they may not even read, like those financial privacy notices that companies send out.” He specifically criticized the GLBA’s “notice and opt-out regime” which he said does not “give consumers meaningful control over how their data is used.”
Certain state laws, such as the California Consumer Privacy Act/California Privacy Rights Act (“CCPA/CPRA”), provide individual consumers with certain rights to control their data. A federal data rule is therefore certain to break new ground by offering national rights to individual consumers.
The benefits that the CFPB aims to achieve
The CFPB expects its data rule to enhance competition. Once a consumer can ask an existing service provider to share all of the consumer’s transaction history, the consumer can switch to a new provider as if they were a long-time customer. Director Chopra likens this ease of switching to the right to keep your phone number when you choose a new carrier, even if the old carrier doesn’t transfer call logs and text chats to the new provider.
The data rule could also foster innovation. A consumer can grant one platform access to information from multiple providers to more easily manage their money, apply for credit, or shop for lower fees. Currently, consumers often grant a third-party service visibility into an account by sharing their login credentials. Apart from the security concerns of sharing usernames and passwords, these services do not have real access to the underlying data, only to web platforms provided by the institution. As a result, services engage in “screen scraping”, trying to read information from the web page. If consumers had the right to require the institution to share the actual data with an authorized third party, consumers would know that the information they see in the third-party service is accurate and would not have to reveal their passwords to enable the connection.
Recognizing that many financial institutions will not have the ability to transfer consumer data themselves, the proposal envisions the emergence of “data aggregators” that will facilitate the collection of information from the originating financial institution and its transmission to the consumer or an authorized third party.
In the longer term, Director Chopra even envisions a new approach to credit, based on the lender’s direct access to the consumer’s transaction history rather than opaque three-digit credit scores.
Proposals under consideration
The CFPB has released a detailed outline of its anticipated proposals and a long list of issues on which it seeks comment. Specifically, the CFPB is seeking comments on:
Who will be subject to the data rule. As noted above, the CFPB wants the data rule to focus on accounts including digital wallets, access devices, prepaid cards, credit cards and others currently subject to Regulation E or Regulation Z. The data rule may adjust the scope of providers and accounts it governs and may provide exemptions.
Who can receive information. The CFPB proposal deviates from the law, which only orders institutions to make consumer information “available to the consumer”. To achieve its competition and innovation goals, the CFPB interprets these words as empowering consumers to direct institutions to make their information available to anyone authorized by the consumer. Among other things, this expansive interpretation requires the data rule to specify how to obtain the consumer’s “informed and express consent” for the transfer, and seeks to impose disclosure and compliance certification requirements on third-party recipients.
What third parties cannot do with the data. The CFPB plans to limit the processing, collection, use and retention of consumer financial data by authorized third parties to what is “reasonably necessary to provide the product or service requested by the consumer”. These obligations may include capping the maximum duration of a consumer authorization, providing means for the consumer to revoke the authorization, and prohibiting certain uses of data.
How Covered Entities Must Demonstrate Compliance. Covered Entities may be required to retain certain records to confirm compliance with the Data Rule. It is important to note that, as Section 1033 points out, Covered Entities are not obligated to “maintain or retain information about a consumer.” The tilt against storing consumer information echoes the CFPB’s concern about the “enormous amounts of granular consumer data” that some of the largest companies are collecting.
What types of information should be made available. The CFPB plans to require institutions to provide consumers with data regarding: (1) periodic statement information regarding transactions and deposits that have settled; (2) transactions and deposits that have not yet settled; (3) prior transactions which are not generally shown on periodic statements; (4) online banking transactions that the consumer has prepared but have not yet taken place; (5) account credentials; and (6) “consumer reports obtained and used by Covered Data Provider in deciding whether to provide an Account or other financial product or service”.
How and when information should be made available. Consumer financial data would be made available directly to the consumer when a covered entity has “sufficient consumer information to reasonably authenticate the consumer’s identity and reasonably identify the requested information.” With respect to Third Party Access, Covered Entities may be required to establish a Third Party Access Portal, which the CFPB believes will be burdensome for Covered Entities and may also create new security issues.
When the data rule should take effect. Realizing that it will take time for covered entities to come into compliance and that the data rule is completely new, the CFPB is interested in factors that should inform the appropriate timeline, including whether there should be a second phase to deploy a requirement that covered entities establish their third-party portal.
The CFPB’s entry into the consumer data space is novel in substance and approach. Director Chopra suggested that the data rule is the first in a paradigm shift that would remove regulations that serve to entrench existing business models and prioritize technical compliance over real consumer experiences, in favor of a generation of “pro-competitive regulations” that could, among other things, “reduce switching costs or barriers to entry, promote price and procurement transparency, reduce conflicts of interest and impose limits on business activity to ensure that companies do not exploit their control over critical networks.”
Regulation E financial institutions and Regulation Z credit card issuers, who will be the first to have to comply with the data rule, should take this opportunity to shape the rule and limit the burdens associated with it. The requirement to open transaction history upon request sometimes conflicts with other state and federal laws, and by creating more ways to access consumers’ personal information, it can undermine the security, privacy and confidentiality of this information.
The CFPB accepts comments until January 25, 2023.