On October 22, 2020, the CFPB issued an advance notice of proposed rulemaking (ANPR) soliciting comments on implementation of Section 1033 of the Dodd-Frank Act. As outlined in the ANPR, Section 1033 will require consumer financial service providers to give consumers access to financial account data in a usable electronic format. This data includes information relating to any transaction, series of transactions, or to charges and usage data on the account.
The CFPB first issued a related Request for Information in 2016. At that time, the CFPB sought information to assist it in developing practices and procedures that “enable consumers to realize the benefits associated with safe access to their financial records, assess necessary consumer protections and safeguards, and spur innovation.” In 2017, the CFPB issued a Stakeholder Insights Report and Consumer Protection Principles, providing guidance on nine Consumer Protection Principles.
In February 2020, the CFPB hosted a symposium where participants raised concerns about balancing rights described in Section 1033 with maintaining necessary security measures that may result in prohibiting access to authorized third parties. Additionally, participants discussed how implementation of Section 1033 might affect compliance with other federal laws, including GLBA, FCRA, and EFTA and Regulation E.
In issuing the ANPR, the CFPB is concerned with consumer financial data held by providers of consumer financial products and services. The ANPR requests comments on nine topics:
- Costs and benefits of consumer data access
- Competitive incentives
- Access scope
- Consumer control and privacy
- Other legal requirements
- Data security
- Data accuracy
- Other information
Comments must be submitted within 90 days after publication of the ANPR in the Federal Register. The CFPB is encouraging stakeholders to submit comments early and electronically due to delays caused by the COVID-19 pandemic.
Financial institutions could face significant costs implementing new technology that conforms to these proposed regulations. Commentary continues to focus on multiple topics, including whether application programming interfaced based access (APIs) should replace credential-based access and screen scraping, what type of disclosures and informed consent are required, and who is liable for unauthorized access and Reg E error disputes. As the CFPB moves forward with its rulemaking, financial institutions should take this time to review current policies and procedures in place for granting consumers access to financial information and accessing information as a third party.