How the CFPB Can Protect Consumers’ Financial Data & Promote A Competitive Marketplace
Next week, the Consumer Financial Protection Bureau (CFPB) will receive input from stakeholders on the Bureau’s outline of proposals to implement Section 1033 of the Dodd-Frank Act. Once finalized, the regulation will have wide-ranging implications for the safety and security of consumers’ personal financial data. Here’s what’s happening, why it matters, and what policymakers must consider to get it right on behalf of the millions of Americans they serve.
What’s Happening
Section 1033 of the Dodd Frank Act mandates consumers have the ability to access personal information held by their financial services provider. Last year, more than a decade after that legislation was first enacted, the CFPB initiated a formal rulemaking process to implement Section 1033. In October, the Bureau released a Small Business Regulatory Enforcement Fairness Act (SBREFA) outline – providing key insights into what a proposed rule may look like including proposals for how both consumers and third parties, which are predominantly non-banks and data aggregators, can access personal financial information.
Why It Matters
The financial services ecosystem continues to rapidly evolve, highlighted by the growth of large fintechs and other non-bank providers that now offer many of the same products and services as traditional banks. According to the New York Federal Reserve, these firms now issue nearly three-quarters of all personal loans – double their share from just five years ago and pushing balances to all-time highs. Unlike well-regulated financial institutions, non-banks and third-party aggregators do not have the same stringent federal oversight standards as banks, potentially putting the safety of consumers and the security of the sensitive financial data at risk.
Here are the facts:
- Data aggregators hold a substantial amount of sensitive financial information, and although they consent to sharing their financial data, consumers are generally unaware of how that data may be used or shared.
- Because many consumers commonly mistake deleting a mobile phone or computer application with revoking consent, many non-bank third parties maintain continued, unfettered access to their personal information even after the relationship has seemingly been severed.
- A December 2021 consumer survey report on data privacy and financial app usage found that 80% of consumers were largely unaware that apps use third-party providers to gather users’ financial data, and only 24% knew data aggregators can sell their personal data to other parties for marketing, research, and other purposes.
- To access data, data aggregators often rely on screen scraping, to obtain a consumer’s personal financial information. Screen scraping, which uses a consumer’s access credentials, is fundamentally unsafe and puts consumer information at risk.
In light of the growth and behavior of non-bank providers, the importance of delivering a final Section 1033 rule that promotes a safe, fair, and competitive marketplace could not be greater.
What CBA Is Saying
While well-intentioned, some of the proposals included in the Bureau’s SBREFA outline stand to undermine competition, innovation, and consumer protection. Here’s where the Bureau is missing the mark:
Limited Scope: Instead of applying new data-sharing requirements equally to all financial services providers, the Bureau signaled intent to apply the rule only to deposit institutions like banks and credit card companies.
- As a result, consumers will have a built-in blind spot and will not have a full picture of their financial health.
- Non-bank mortgage originators, captive auto lenders, fintech Buy Now Pay Later lenders, and other firms that lack federal supervision would be exempt – depriving millions of Americans from the high level of protections, insights, and access they deserve.
- This limited scope also promotes unfair competition, as covered banks, which represent a limited amount of the financial ecosystem, will be forced to provide information to an unlimited amount of non-bank third parties, as long as those third parties are authorized by a consumer.
Accessible Information: Under these proposals, the Bureau would obligate banks to allow third parties to access an extensive amount of sensitive information about their customers, even though it is unclear how some of that information is related to their financial accounts.
- For example, a bank could be forced to provide a third-party with sensitive consumer information, including the consumer’s marital status, veteran status, social security number, and driver’s license number.
- Most non-bank third parties and data aggregators are not subject to the same data security and privacy standards as banks, and many non-bank third parties and data aggregators are not subject to federal supervision and oversight.
- As a result, once this sensitive information leaves the bank and is in the hands of a third-party non-bank, the data becomes far less secure, leaving consumers in the dark about how it may then be used or further distributed.
Anti-Competitive: Rather than use this rulemaking as an opportunity to provide durable data-sharing standards equally, CFPB Director Rohit Chopra has stated this rule is intended to “empower people to break up with banks that provide bad service and unleash more market competition.”
- Not only does this sentiment stray from the plain language of Section 1033, it fails to account for the fact that the financial services ecosystem is among the most competitive and innovative in the world. The agency’s proposal would – ironically – hinder competition by creating an unlevel playing field between well-regulated financial institutions and non-banks.
The Bottom Line
Banks fully support the intent of Section 1033 and remain committed to ensuring every consumer – regardless of where they go to meet their needs – has access to their personal financial data and knowledge of how it may be used. As such, CBA will continue to advocate for the final rule to reflect the following principles:
- Level Playing Field: The Bureau lacks supervisory and enforcement authority over non-bank providers, even though they compose a significant, continuously growing segment of the market for consumer financial products and services. It is therefore vital for data aggregators to be supervised and examined by the Bureau to ensure consumers’ data is appropriately protected.
- Data Security: To facilitate both innovation and interoperability, all participants in the data access ecosystem who hold or process consumer financial data must be held to the same, or a materially comparable, standard contained in the Gramm-Leach-Bliley Act.
- Privacy: To promote control of their data security and privacy, non-bank third parties and data aggregators must provide consumers disclosures that explicitly communicate any secondary or downstream use of their data as well as instruction on how they can revoke consent.
- Clear Liability: All parties in the data access ecosystem must have clear liability that should be imposed on the party who was in control of the consumer’s data at the time of the breach or action.
CBA Advocacy
- Responding the CFPB’s Section 1033 SBREFA outline in October, CBA President & CEO Lindsey Johnson, said: “we look forward to continuing to work with the Bureau on developing a well-founded, durable final rule that promotes competition, spurs innovation, and provides consumers’ the certainty of knowing their financial data is safe and secure.”
- Responding to the CFPB’s request for comment in February 2021, CBA advocated for the Bureau to approach Section 1033 cautiously by developing clear, transparent standards for both consumers and banks. To read the full letter, click HERE.
- CBA and several other financial trade groups also submitted a petition to the CFPB in August 2022 urging the Bureau to examine all large data aggregators and users for compliance through the requirements outlined in the Section 1033 rulemaking. To read the full petition, click HERE.
