The Bank Policy Institute [1] appreciates the opportunity to comment on the Advance Notice of Proposed Rulemaking [2] issued by the Consumer Financial Protection Bureau seeking input on consumers' access to financial records pursuant to Section 1033 of the Dodd-Frank Act.
BPI commends the CFPB for taking steps to address the financial data sharing marketplace and appreciates how the CFPB’s actions to date have enabled industry to move data sharing practices forward with limited regulatory intervention. Given the potential importance of Section 1033 in furthering a consumer’s right to access information about a consumer financial product or service that the consumer obtained from a bank or other covered person, including information relating to any transaction, or series of transactions, to the account including costs, charges, and usage data, BPI supports the CFPB’s efforts to ensure consumers retain such access, but believes that such access should be provided in a manner that appropriately safeguards consumer data.
The CFPB has an opportunity to enhance the protections applicable to consumer authorized financial data sharing, giving consumers further transparency regarding their data. To this end, the CFPB should consider the following overarching principles in promulgating any potential rulemaking:
- Coordination with Other Regulators. As an initial principle, it is important for the CFPB to coordinate its efforts to implement Section 1033 with the other prudential regulators, as well as the Federal Trade Commission, given that the CFPB’s primary authorities do not extend over all operational risks related to such data sharing. Section 1033(e) specifically requires that the CFPB consult with the Federal Reserve Board, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, and the FTC to ensure consistency in any promulgated rule across various types of covered persons. Additionally, the CFPB has limited jurisdiction under the Gramm-Leach-Bliley Act (“GLBA”), which directly relates to the sharing and safeguarding of consumer financial data. The CFPB shares GLBA rulemaking authority with the Securities and Exchange Commission, the Commodity Futures Trading Commission, and the FTC. As such, BPI recommends that the CFPB coordinate with the prudential banking agencies, FTC, SEC, and CFTC to ensure coordinated efforts in any potential rulemaking.
- Sufficient Flexibility and Innovation in the Marketplace. The CFPB’s efforts to set standards for consumer authorized data sharing should ensure sufficient flexibility and innovation in the marketplace. The financial services industry continues to collaborate to develop technical solutions that enable consumer access to financial data while ensuring appropriate consumer protections. These efforts include the development of common technical standards for the secure access of consumer-permissioned data. BPI believes that industry-led standard-setting bodies are best positioned to unify the financial industry around common and interoperable technical standards while ensuring continued innovation and competition throughout the marketplace. The CFPB should encourage market-driven solutions and avoid engaging in specific technical standard setting for consumer data sharing.
- Comprehensive Approach to Consumer Privacy and Transparency. Ensuring consumer privacy and transparency in how data is accessed, shared, and maintained should be central to the CFPB’s process under Section 1033. The CFPB should clarify that the GLBA would apply to data aggregators and other authorized entities to ensure the appropriate consumer privacy standards and leverage existing GLBA disclosure obligations in place to protect customer information. The CFPB also should consider ways to improve the transparency of the consumer consent process, which would provide consumers with more awareness and control over their financial data. Additionally, the CFPB should consider promulgating specific disclosure requirements under Section 1032 of the Dodd-Frank Act, ensuring that data aggregators provide consumers with the information needed to make responsible decisions about the sharing of their information.
- Consistent Safeguarding of Consumer Data. The CFPB should ensure that data aggregators appropriately safeguard consumer data in a manner commensurate with the legal obligations placed on banks. The CFPB should clarify that GLBA applies to data aggregators for the purposes of consumer data security, and coordinate with the FTC to expand the Safeguards Rule to expressly address data aggregators’ security practices. The CFPB should consider designating data aggregators as larger participants of the consumer financial data services marketplace, providing direct oversight over data aggregators through regular supervision and examination. The CFPB should also clarify the rights of consumers and the allocation of liability based on how the data flows between permissioned entities, beginning with clarifying liability for unauthorized transactions under Regulation E.
The rest of this letter elaborates on BPI’s views regarding each of these important issues.
[1] The Bank Policy Institute is a nonpartisan public policy, research and advocacy group, representing the nation’s leading banks and their customers. Our members include universal banks, regional banks and the major foreign banks doing business in the United States. Collectively, they employ almost 2 million Americans, make nearly half of the nation’s small business loans, and are an engine for financial innovation and economic growth.
[2] Advance Notice of Proposed Rulemaking on Consumer Access to Financial Records (November 6, 2020) (hereafter “ANPR”).