Recently, the CFPB released an outline of proposed measures related to the Bureau’s Dodd-Frank Section 1033 rulemaking efforts that would allow consumers to take control of their personal financial data and determine which third parties could have access to such data. The CFPB is seeking comments on the rulemaking, by January 25, 2023.
Data aggregation companies have been pursuing such a rule for years, primarily in the face of opposition by banks and other financial institutions concerned about data security and liability related to allowing third-party access to customers’ online accounts. The outline discusses proposed regulations that would require covered financial institutions to make consumer financial data available directly to a consumer and to any third parties authorized by the consumer. In a high-level summary of the proposed regulations, the CFPB discusses the regulatory provisions it is considering proposing, including the following:
- The types of information to be made available to third parties:
- periodic statement information for settled transactions and deposits
- information regarding prior transactions and deposits that have not yet settled
- other information about prior transactions not typically shown on periodic statements or portals
- online banking transactions that the consumer has set up but that have not yet occurred
- account identity information.
- How and when information would need to be made available. The Bureau is considering ways to define the methods and the circumstances in which a financial institution would need to make information available with respect to both direct access and third-party access.
- Third party obligations. The CFPB is considering proposals under which authorized third parties would have to limit their collection, use, and retention of consumer information to what is reasonably necessary to provide the product or service the consumer has requested.
- Implementation period. The Bureau is seeking feedback on timeframes to ensure consumers are able to benefit from a final rule, while also considering implementation factors for data providers and third parties.
The CFPB proposals have parallels to many recent state privacy laws in California, Virginia, Colorado, Utah, and Connecticut that have focused on data access rights, data minimization, and third-party obligations. One meaningful difference from the state regimes is that the CFPB’s outline does not exempt data or entities subject to the Gramm-Leach-Bliley Act (GLBA). In fact, companies subject to GLBA are one of the primary targets of these regulations.
Putting it Into Practice: Data sharing protocols that have been in place at banks for nearly two decades under GLBA (e.g., notice-and-opt-out requirements) are likely to require significant updates under the new rules, in-line with some of the state privacy laws currently that give consumers more control of how data is shared.