Section 1033 – Consumer Rights to Access Information ANPR

The CFPB released an Advance Notice of Proposed Rulemaking regarding consumer access to financial records.  The ANPR seeks comments and information on costs and benefits of consumer data access, competitive incentives, standard-setting, access scope, consumer control and privacy, and data security and accuracy.  The comment period will be for 90 days after publication in the Federal Register.

The ANPR comes amid the growing trend of consumers opting to share their financial data with third parties and data aggregators, while many financial institutions have deployed application programing interfaces to facilitate consumers’ choices to share data securely.

The CFPB has been working on this for a while:

In 2016 the CFPB issued a Request for Information Regarding Consumer Access to Financial Records seeking comments from the public about consumer access to such information, including access by entities acting with consumer permission, in connection with the provision of products or services that make use of that information.

Then in 2017, the CFPB released Consumer-authorized financial data sharing and aggregation:  Stakeholder insights that inform the Consumer Protections Principles and Consumer Protection Principles:  Consumer-Authorized Financial Data Sharing and Aggregation.

The Bureau held a symposium in February of this year followed by a report summarizing the symposium proceedings; a blog post that offered consumers “key information about how data sharing works, what consumers should consider before sharing their data, and some tips on how consumers can best protect their data and accounts“; and an announcement of the Bureau’s intention to publish this ANPR.

As a reminder:

Dodd Frank Act Section 1033. CONSUMER RIGHTS TO ACCESS INFORMATION

(a) IN GENERAL.—Subject to rules prescribed by the Bureau, a covered person shall make available to a consumer, upon request,
information in the control or possession of the covered person concerning the consumer financial product or service that the consumer
obtained from such covered person, including information relating to any transaction, series of transactions, or to the account including
costs, charges and usage data. The information shall be made available in an electronic form usable by consumers.
(b) EXCEPTIONS.—A covered person may not be required by this section to make available to the consumer—
(1) any confidential commercial information, including an algorithm used to derive credit scores or other risk scores or predictors;
(2) any information collected by the covered person for the purpose of preventing fraud or money laundering, or detecting, or making any report regarding other unlawful or potentially unlawful conduct;
(3) any information required to be kept confidential by any other provision of law; or
(4) any information that the covered person cannot retrieve in the ordinary course of its business with respect to that information.
(c) NO DUTY TO MAINTAIN RECORDS.—Nothing in this section shall be construed to impose any duty on a covered person to
maintain or keep any information about a consumer.
(d) STANDARDIZED FORMATS FOR DATA.—The Bureau, by rule, shall prescribe standards applicable to covered persons to promote
the development and use of standardized formats for information, including through the use of machine readable files, to be made
available to consumers under this section.
(e) CONSULTATION.—The Bureau shall, when prescribing any rule under this section, consult with the Federal banking agencies
and the Federal Trade Commission to ensure, to the extent appropriate, that the rules—
(1) impose substantively similar requirements on covered persons;
(2) take into account conditions under which covered persons do business both in the United States and in other countries; and
(3) do not require or promote the use of any particular technology in order to develop systems for compliance.

The ANPR seeks responses to the following questions.  In looking at these, how will they effect your institutions processes and operations?  Instructions for responding are included in the ANPR.

A. Benefits and costs of consumer data access
1. What are the benefits to consumers from authorized data access? What are the benefits to consumers from direct access? What specific regulatory steps by the Bureau would enhance those impacts and how would they do so?
2. How does authorized data access facilitate competition and innovation in the provision of consumer financial services? What are the impacts of direct access on such competition and innovation? What specific regulatory steps by the Bureau would enhance that impact and how would they do so?
3. What costs to consumers flow from authorized data access? What costs result from direct access? What specific regulatory steps by the Bureau would reduce any such impacts and how would they do so?
4. Are there ways in which authorized data access has limited (or may in the future limit) competition and innovation resulting in harms to consumers? Are there ways in which the development of the ecosystem for authorized data access has caused (or may in the future cause)
consumer harm? Are there ways in which direct access has had or may have such impacts? What specific regulatory steps by the Bureau would reduce any such impacts and how would they do so?
5. What should the Bureau learn about the costs and benefits of authorized data access from regulatory experience in State jurisdictions or in jurisdictions outside the United States? What should it learn from such sources with respect to direct access? How should this inform the
Bureau’s consideration of specific regulatory steps that it might take to implement section 1033?
6. How do the costs and benefits to data holders of authorized data access vary across different covered persons, including community banks and credit unions, and how should these variances inform the Bureau’s actions with respect to implementing section 1033? How do the
costs and benefits to data holders of direct access vary across different covered persons and how should these variances inform the Bureau’s actions with respect to implementing section 1033?

B. Competitive incentives and authorized data access
7. What reasons are there to believe that competitive incentives will facilitate or undermine authorized data access? What responsive actions should the Bureau take and why?
8. To what extent should the Bureau expect the overlap across data holders, data aggregators, and data users to impact competition and innovation favorably or unfavorably? How should the Bureau take account of such overlap in implementing section 1033?
9. Should the Bureau expect access-related agreements between data holders and other participants in the authorized data access ecosystem to impact competition and innovation favorably or unfavorably? How should the Bureau take account of such impacts in implementing section 1033?
10. Should the Bureau expect data access ecosystem participants to develop and adopt multilateral rules applicable to authorized data access? How should the Bureau expect any such rules to impact competition and innovation and how should the Bureau take account of any such
impacts in implementing section 1033?
11. Do customers of smaller data holders receive the same benefits from competition and innovation enabled by authorized data access as do customers of larger data holders? If not, why is that the case? How should any variance inform the Bureau’s actions with respect to the
implementation of section 1033?
12. Do consumers’ individual decisions to authorize data access entail significant negative or positive externalities on other consumers, data holders, data aggregators or data users?49 If so, what are those externalities and what impact do they have on competition, innovation, and the
benefits, costs, and risks faced by consumers? How should such externalities inform the Bureau’s actions with respect to the implementation of section 1033?

C. Standard-setting
13. To what extent should the Bureau expect broad-based standard-setting work by authorized data access ecosystem participants to enable and facilitate authorized data access? What favorable or unfavorable impacts to competition and innovation should the Bureau anticipate from such work? How should implementation of section 1033 access rights take account of such broad-based standard-setting by system participants?
14. Should the Bureau seek to encourage broad-based standard setting work by authorized data access ecosystem participants? If so, how should it do so?
15. What steps should the Bureau take to prescribe standards applicable to covered persons to promote the development and use of standardized formats for information that can be obtained by means of section 1033 data access rights? What form should such standards take? Should
these standards differ depending on whether data is accessed directly by the consumer or through an authorized entity?
16. What steps, if any, should the Bureau take to promote particular mechanisms of authorized data access? If some mechanisms are more beneficial (or as beneficial but at lower cost to consumers), what are the obstacles to further adoption of such mechanisms, and what
steps should the Bureau take to mitigate such obstacles?

D. Access scope
17. The Dodd-Frank Act defines “consumer” as “an individual or an agent, trustee, or representative acting on behalf of an individual.”50 Who should be considered “an agent, trustee, or representative” of an individual consumer for purposes of implementing section 1033 access
rights? Should any exclusions apply? If so, what exclusions and why?
18. Are there types of data holders that should not be subject to the access rights in section 1033? If so, why? Are there any unique issues for any types of data holders that the Bureau should consider in implementing the access rights provided in section 1033, and if so, how
should the Bureau account for such issues?
19. How might the Bureau protect against the exposure of confidential commercial information, information that must be kept confidential by law, or information collected for the purpose of preventing fraud or other illegal conduct while at the same time protecting the access
rights provided in section 1033? Should the Bureau’s approach differ depending on whether data is accessed by authorized third parties or directly?
20. Apart from any restrictions identified in response to the preceding question, are there data elements to which section 1033 access rights should not apply? If so, which elements and for what reasons? Should any restrictions on access to data elements differ depending on whether
data is accessed by authorized third parties or directly?
21. What information should be considered information that cannot be retrieved in the ordinary course of business? How should a Bureau rule seeking to implement the access rights provided in section 1033 account for such information? Should any such accounting differ depending on whether data is accessed by authorized third parties or directly by consumers?
22. Aside from any restrictions identified in response to earlier questions in this section, should any other restrictions on data access be permitted? For example, should a data holder be permitted to restrict authorized access to consumer data created during, or relating to, certain
time periods? Should a data holder be permitted to restrict the frequency with which data can be accessed? If such restrictions should be permitted, how and why should they be permitted? Should any of these restrictions differ depending on whether data is accessed by authorized third parties or directly? Should any of these restrictions differ based on the purpose for which data is accessed?
23. Should the Bureau propose to address the operational reliability of authorized data access, and if so, how and why? Should the Bureau consider any different ways to address the operational reliability of direct access, and if so, how and why?
24. How should the Bureau ensure that any implementation of section 1033 access rights does not promote or require the use of particular access (or other) technologies?

E. Consumer control and privacy
With respect to questions in this section, the Bureau encourages commenters to identify, where applicable, the extent to which their responses may differ between primary and secondary uses of authorized data, where primary use reflects the primary purpose for which a consumer,
acting pursuant to reasonable expectations, would choose to authorize access to consumer data, and secondary use reflects all other purposes for which authorized data may be used. With respect to secondary uses of authorized data, the Bureau encourages commenters to consider and
explain whether their responses differ depending on whether the consumer data remain identifiably associated with the authorizing individual as well as if and how such data may be disassociated. The Bureau also encouragers commenters responding to this section to identify, where applicable, the extent to which their responses may differ between uses of authorized data for the purposes of effecting payments on behalf of consumers and other uses.
25. To what extent does direct access to consumer data pursuant to section 1033 raise any privacy concerns that should be considered by the Bureau?
26. In what respects do consumers understand the actual movement, use, storage, and persistence of authorized data? To what extent do such movement, use, storage, and persistence of authorized data align with reasonable consumer expectations or preferences, including privacy
expectations or preferences? What should the Bureau do, if anything, to improve consumer understanding or to effect closer alignment between practice and consumer expectations or preferences? Should the Bureau consider placing any restrictions on the movement, use, storage
and persistence of authorized data, and if so, what restrictions and why?
27. To what extent are consumer understanding and expectations informed by the disclosed terms and conditions of authorized data access or other disclosures? What should the Bureau do, if anything, to improve consumer understanding of disclosed terms and conditions or to improve
alignment between such terms and conditions and consumer expectations and/or preferences? Should the Bureau consider requiring any specific disclosures in connection with authorized access? If so, please describe the form, content, and other features of such disclosures.
28. What tools can market participants provide consumers to align consumer expectations and preferences with the actual movement, use, storage, and persistence of authorized data, and what steps, if any, should the Bureau take to improve the effectiveness of such tools?
29. What steps, if any, should the Bureau take to address authorized entities combining authorized data with data from other sources? What are the costs, benefits, and risks to consumers from such combining, and how are those costs, benefits, and risks disclosed to consumers? Should the Bureau address such disclosure, and if so, how and why?
30. Should the Bureau propose to address any of the following, and if so, how and why: (i) data aggregators providing authorized data to entities other than in connection with the primary purpose or purposes for which the consumer authorized data access; or (ii) data aggregators
retaining consumer data other than in connection with the primary purpose or purposes for which the consumer authorized access?
31. Should the Bureau propose to address any of the following, and if so, how and why: (i) data users providing authorized data to entities other than in connection with the primary purpose or purposes for which the consumer authorized data access; or (ii) data users retaining consumer
data other than in connection with the primary purpose or purposes for which the consumer authorized data access?
32. How, if at all, should a Bureau rule implementing section 1033 seek to limit authorized access to the minimum amount of consumer data necessary to effect the purpose of authorizing access as reasonably understood by the authorizing consumer? What are the benefits and risks to
consumers, to competition, and to innovation in consumer financial services of such steps? What are the benefits and risks to consumers, to competition, and to innovation if such steps are not taken?

F. Legal requirements other than section 1033
Some questions in this section refer to “regulatory uncertainty.” As used in this section, that term refers to potential stakeholder uncertainty about provisions of law other than section 1033, including potential uncertainty that may arise because of the potential interaction or
overlap between these other provisions and section 1033.
33. How, if at all, are data holders subject to laws or regulations (whether Federal, State, or foreign) that may be in tension with any proposed obligation to make consumer data accessible per section 1033? How, if at all, should the Bureau address such potential tension?
34. To the extent not addressed in your response to the preceding question, is regulatory uncertainty impeding consumer data access, undermining competition or innovation in the provision of consumer financial services, or otherwise impacting benefits or contributing to risks
that consumers might derive from authorized access? If so, in what ways? Which legal provisions are the source of any such uncertainty, and what steps, if any, should the Bureau take to resolve any such uncertainty to the benefit of consumers?
35. In what ways, if any, is regulatory uncertainty around consumer data access imposing costs on consumers, data holders, data users, or data aggregators? Which legal provisions are the source of any such costs, and what steps, if any, should the Bureau take to address any such
uncertainty or to mitigate any such costs?
36. What foreign, Federal, or State laws or regulations impose requirements or grant rights that are substantively similar to section 1033? How should the Bureau take into consideration these substantively similar requirements in implementing section 1033? How should the Bureau
take account of the conditions under which covered persons do business in the United States and in other countries?
37. To the extent not already addressed above, what actions, if any, should the Bureau take to modify or clarify existing rules that have (or could have) application to consumer data access? What goals would such modification or clarification serve? What costs would they impose or
reduce?

G. Data security
38. How effectively does existing law that bears on data security mitigate data security risks associated with data access and, in particular, authorized data access? What steps, if any, should the Bureau take to improve the effectiveness of existing laws that bear on data security in the
context of data access?
39. Do data holders, data users, and data aggregators have adequate market incentives to ensure that consumer data is secure? To what extent have they acted on the basis of any such incentives to this point or should be expected to so act going forward?
40. If the Bureau proposes a rule to protect the access rights described in section 1033, how should that rule take appropriate account of data security concerns?

H. Data accuracy
41. To what extent are consumers harmed, or the benefits to consumers of data access endangered or otherwise restricted, by the risk of inaccurate consumer data being provided to consumers or data users? If such harms or restrictions arise, does their extent vary by the type of
use to which data is put? If so, why is that the case?
42. Are there risks that some data holders may not have adequate market incentives or legal requirements to ensure that the consumer data they provide to consumers or authorized third parties is accurate and that they correct inaccuracies when they occur?
43. What risks of data inaccuracy are introduced as a result of the data access ecosystem? Do data users and data aggregators have adequate market incentives or legal requirements to ensure that the consumer data they use is accurate or sufficiently accurate for the purposes to which it is put? If your answer varies by the type of use to which consumer data is put, please explain why that is the case. How can data users and data aggregators act on such incentives, to the extent that they exist? To what extent have they so acted to this point or should be expected to so act
going forward?
44. What steps, if any, should the Bureau take to address the accuracy of consumer data that as a result of authorized data access is in the control or possession of data aggregators or data users?
45. How effectively does existing law mitigate the risks that inaccurate consumer data is associated with direct access and authorized data access?

I. Other information
46. Is there any other information that would help inform the Bureau as it considers whether to initiate a rulemaking and how best to implement the consumer data access rights provided by section 1033?

 

Please be advised that CSG provides financial services compliance audit and consulting services to our clients.  The services that we provide include certain tasks that may be characterized as “law-related services” under Rule 5.7 of the Rules of Professional Conduct governing lawyers.  Since some of our employees are lawyers with an active bar license but are NOT engaged in the private practice of law, that Rule requires us to make disclosures clarifying that the services we perform may be law-related services, but they are not legal services.  Because they are not legal services, those services and our relationship will not be governed by the Rules of Professional Conduct that guide the client-lawyer relationship, such as rules applicable to privileged communications and prohibitions of conflicts of interest.  Notwithstanding this disclaimer, we will continue to govern our relationship with you using reasonable ethical and professional standards that are expected to meet your expectations.

 

Leave a Reply

Your email address will not be published. Required fields are marked *