CFPB Begins Rulemaking on Data Access and Portability

The Consumer Financial Protection Bureau (CFPB) on October 27, 2022 took the long-anticipated first step to issue a regulation implementing Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act.[1] This followed a preview by CFPB Director Rohit Chopra at the Money 20/20 conference on October 25 in which he outlined the “CFPB’s new approach to regulation,” which is designed to create “catalysts for more competition.” With respect to Section 1033, Director Chopra said that the CFPB is “exploring safeguards to prevent excessive control or monopolization by one, or even a handful of, firms”[2] and will be working toward avoiding regulations that could be “rigged in favor of some players over others.”[3] Director Chopra’s focus on competition as an essential element of consumer protection has been a hallmark of his directorship.[4]

Section 1033 authorizes the CFPB to write regulations under which consumers may access information about themselves from their financial service providers. As a first rulemaking step, the CFPB is required to consult with a panel representing small businesses under the Small Business Regulatory Enforcement Fairness Act of 1996 (SBREFA). The CFPB released an outline for that discussion (Outline).[5] Section 1033 requires the CFPB to balance a number of different priorities — including data privacy, consumer choice, and information security — and the Outline provides some initial information on how the CFPB is approaching that task.

Covered Data Providers. The CFPB proposes to initially require two types of financial companies to make consumer data available under Section 1033: “financial institutions” as defined in the CFPB’s Regulation E, and “card issuers” as defined in the CFPB’s Regulation Z. These definitions include retail banks and others that issue debit cards, credit card issuers, and prepaid card issuers. This approach implements the CFPB’s intent to cover consumer financial service companies that have transaction-level information. The CFPB also explains in the Outline that these terms may cover “digital credential storage wallets.” This is noteworthy because wallet providers often have much less information about consumer transactions than the actual debit card or credit card issuers. In addition, this could signal a broader attempt by the CFPB to cover wallet providers under these regulations.

Information to Be Provided. The CFPB proposes that data providers would be required to make available at least the following five categories of information:

  1. periodic statement information for settled transactions and deposits
  2. information regarding prior transactions and deposits that have not yet settled
  3. other information about prior transactions not typically shown on periodic statements or portals
  4. online banking transactions that the consumer has set up but that have not yet occurred
  5. account identity information[6]

Category 3 is particularly noteworthy because the CFPB acknowledges that this is not information typically made available to consumers or third parties. Requiring such information to be made available could require upgrades in technology, data retention, and/or contractual obligations among data providers and their service providers to ensure that the data provider could make this information available. It also may present trade secret risks. Beyond these categories, the CFPB proposes that the data provider should provide consumer reports from consumer reporting agencies that it obtained and used in deciding whether to provide an account or other financial product or service to a consumer.[7] This would potentially make the data provider subject to the requirements of a “consumer reporting agency” under the Fair Credit Reporting Act (FCRA).[8]

Information Portals. The CFPB proposes that data providers make information available (1) directly to consumers through the data providers’ online financial account management portals and (2) to third parties accessing the information on a consumer’s behalf, through a portal that does not require the authorized third party to possess or retain consumer credentials.[9] The CFPB is seeking input on the current ways in which consumers share information with third parties; whether they should require data providers that do not have a third-party access portal to establish one; and whether there are circumstances in which screen scraping should still be permitted even where a third-party access portal exists (e.g., during maintenance downtime).[10]

Consumer Disclosures and Authorization. Under the Outline, a third party seeking access to a consumer’s data would need to “(1) provide an ‘authorization disclosure’ to inform the consumer of key terms of access; (2) obtain the consumer’s informed, express consent to the key terms of access contained in the authorization disclosure; and (3) certify to the consumer that it will abide by certain obligations regarding collection, use, and retention of the consumer’s information (certification statement).”[11] The CFPB seeks input on whether these requirements should be placed on a data aggregator or the data recipient, or both.[12] These requirements may require changes to existing practices by data aggregators.

Third-Party Limitations. The CFPB proposes certain limitations on third-party collection, use, and retention, in each instance “beyond what is reasonably necessary to provide the product or service the consumer has requested.”[13] In connection with this limitation standard, the CFPB is considering different approaches to limitations on secondary use of the consumer’s information by third parties and limitations on use of even de-identified information.[14]

Data Accuracy. The proposals include obligations with respect to information accuracy for both data providers and third parties. The CFPB is also seeking input on whether data providers should be required to make information available to third parties when the data provider knows such information is inaccurate.[15] With respect to third parties, the CFPB proposes to require third parties to “maintain reasonable policies and procedures to ensure the accuracy of the information that they collect and use to provide the product or service the consumer has requested, including procedures related to addressing disputes submitted by consumers.”[16] These standards are similar to standards under the FCRA and echo emerging rights of correction under U.S. state privacy laws, which could indicate a fairly high compliance burden given how those terms have been construed under that statute.

Data Security. Finally, the proposal also includes obligations regarding data security for both data providers and third parties. With respect to data providers, the CFPB acknowledges that the third-party access portal would be covered under the data providers’ existing obligations to comply with the requirements of the Gramm-Leach-Bliley Act’s safeguards rules[17] and the prohibition against unfair practices.[18] Therefore the CFPB does not propose to impose new or additional data security standards with respect to data provider’s provision of the third-party access portal.[19] Similarly, the CFPB believes that third parties are also likely to already be subject to the safeguards rules but seeks input as to whether third parties should be subject to specific data security standards.

CFPB Next Steps. According to Director Chopra, the CFPB intends to publish a report on input received through the SBREFA process in the first quarter of 2023, followed by issuance of the proposed rule later in 2023, with finalization of the rule in 2024.

Conclusion. While a final rule remains far off, companies in the consumer financial data sharing industry would be well served to consider the CFPB’s Outline, the issues raised above, and whether and how they can satisfy these standards. To that end, Sidley has experience in advising clients on all facets of consumer financial products and services — including consumer privacy and data sharing — and can help you identify solutions to these and other issues. Please contact John Van De Weert, Tom Ward, Colleen Brown, Kerry Nilsen, or the Sidley lawyer with whom you work for more information.

[1] Public Law 111-203, Section 1033(a), 124 Stat. 2008 (codified at 12 U.S.C. 5533(a)).

[2] https://www.consumerfinance.gov/about-us/newsroom/director-chopra-prepared-remarks-at-money-20-20/.

[3] Id.

[4] https://www.sidley.com/en/insights/newsupdates/2022/03/the-cfpb-in-the-biden-administration-the-newest-federal-competition-enforcer.

[5] https://files.consumerfinance.gov/f/documents/cfpb_data-rights-rulemaking-1033-SBREFA_outline_2022-10.pdf.

[6] Outline, at § III.C.1.

[7] Outline, at § III.C.1.vi.

[8] 15 U.S.C. § 1681 et seq.

[9] Outline, at § III.D.1 (with respect to direct access) and § III.D.2 (with respect to third-party access).

[10] Id.

[11] Outline, at § III.B.2.i.

[12] Id. (Q14 requesting input on authorization procedures); Outline, at § I, FN 9 (definition of data aggregator and data recipient).

[13] Outline, at § III.E.1.i.

[14] Outline, at § III.E.1.iii-iv.

[15] Outline, at § III.D.2.iv.

[16] SBREFA Outline, at § III.D.3.

[17] Outline, at § III.E.2 n. 49.

[18] See Bureau of Consumer Fin. Prot., Consumer Financial Protection Circular 2022-04 (Aug. 11, 2022),

https://www.consumerfinance.gov/compliance/circulars/circular-2022-04-insufficient-data-protection-or-security-for-sensitive-consumer-information/.

[19] Outline, at § III.D.2.ii.c. The CFPB notes that there would be standards with respect to the method of authenticating the authorized third party. Id.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.