Sylvia Yarbough
Regulatory expert and former Head of Compliance
I was recently doing some desk research on proposed rulemaking and found myself going down a rabbit hole with the Consumer Financial Protection Bureau’s (CFPB) proposed rulemaking of Dodd-Frank section 1033 – Consumers Rights to Access Information. The CFPB proposed rule is now titled Personal Financial Data Rights or the Open Banking Rule. For purposes of this article, I will continue to refer to the rule as 1033.
As part of the 2010 Dodd-Frank Act, section 1033(a) authorizes the CFPB to create rules that would allow consumers to request all information about the financial products or services they currently use. This information could include transaction-level detail, account costs, charges, and usage data.
What is covered under the 1033 Proposal?
Covered persons, as defined in the CFPB proposal, include depository and non-depository financial institutions and credit card issuers. This would also cover payment services, prepaid card providers, brokerage firms, and so on.
The only exceptions currently under consideration are non-bank mortgage lenders, education lenders, and instalment lenders. Consumer information can be provided directly to the consumer or to a third party authorized by the consumer.
Under the CFPB proposal, to be an authorized third party, the third party must:
- provide an “authorization disclosure” to inform the consumer of key terms of access;
- obtain the consumer’s informed, express consent to the key terms of access contained in the authorization disclosure; and
- certify to the consumer that it will abide by certain obligations regarding the collection, use, and retention of the consumer’s information.
The information that can be requested includes periodic statements, fees, account terms and conditions; annual percentage yields and interest rates; all transactions including historical, posted, and pending; account identity information; consumer reports used to make decisions on providing a customer with an account; and information on security breaches that exposed the consumer’s identity or financial information. The data request can go as far back as the financial institution/credit card issuer would provide directly to the consumer.
Organizations would need to provide the data to consumers, after reasonable authentication, through a portal that would allow for exporting the data in a user-friendly readable format or file-friendly format. As it pertains to third parties, the organization would need to set up and maintain a third-party access portal that would not require the third party to possess or maintain the information. These third-party portals would have required standards on uptime, latency, unplanned outages, error response, and access caps.
The responsibility for verifying that the third party is appropriately authorized to access the consumer information, and for authenticating the third party’s identity, would fall on the data provider. In addition, if the organization does not have the information requested, it must disclose the reason to the consumer or third party.
What are the third-party obligations under 1033?
As for third parties, their obligations thus far would focus on:
- Limiting data collection, use and retention to what is reasonably necessary to provide the product or service the consumer requested.
- Requiring term limits on consumer authorization and seeking renewal from the consumer.
- Providing the consumer with an easy means to revoke authorization at any point. The CFPB is also contemplating limiting third-party sharing of data with other entities.
- Deleting consumer information that is no longer necessary to provide consumer products or services.
- Requiring authorized third parties to develop, implement, and maintain a comprehensive written data security program appropriate to their size and complexity, and the volume and sensitivity of the consumer information at issue.
- Ensuring the accuracy of the data that they collect and use to provide the product or service the consumer has requested, including procedures related to addressing disputes submitted by consumers.
Why is the CFPB undertaking this approach to implementing 1033?
The CFPB outlines the following significant advantages to consumers in implementing 1033:
This far-sweeping implementation of Dodd-Frank 1033 will allow for more market competition in providing consumers with the products and services they need, especially in underserved communities. Examples include allowing individuals with little to no credit history to use their deposit account transaction history to demonstrate creditworthiness or to better manage their finances. I will caveat my statement “far sweeping” with reference to the inclusion of third parties being engaged on behalf of the consumer and the requirements of a portal using application programming interfaces (APIs).
They acknowledge that this sharing of consumer information already exists. Companies like Plaid and Mint are already engaged in this data collection, aggregation, and analysis. Consumers today provide their user access information for their various financial accounts to these companies and others. For example, Mint pulls this information together to help consumers manage their budgets. Consumers began this practice as part of the natural growth of managing their finances through technology.
By putting structure and a framework around these practices, the CFPB believes that this new regulation will promote more security and data accuracy when accessing consumer information through the standardized use of APIs, and will do away with screen-scraping of consumer information, which it believes is subject to inaccuracies.
What other regulations may be impacted or intersected by 1033?
Currently, the proposed 1033 regulation has implications or intersections with several existing regulations. The most problematic include:
- Gramm-Leach-Bliley Act (GLBA) – There is concern that exporting consumer data, especially to third parties, is counterintuitive to GLBA and Regulation P. Many in the industry are concerned that 1033 may expose consumers to more intrusion on their privacy and potential data security and fraud issues. One very sticky point that must be resolved is the sharing of joint account information when only one of the account holders has authorized access.
- Fair Credit Reporting Act (FCRA) – 1033 has implications in the provision of credit reporting data. The Credit Reporting Agencies’ comments on the proposal object to the inclusion because consumers can already request access to their credit reports.
Other impacted regulations include the Electronic Fund Transfer Act (EFTA), the Truth in Lending Act (TILA), the Real Estate Settlement Procedures Act (RESPA), and the Truth in Savings Act (TISA).
What are the practical implications of 1033 for consumers?
As I came out of the rabbit hole of researching 1033, I started reflecting on who I believe would benefit from this new regulation. In my opinion, financially savvy consumers will be slow to adapt unless it becomes a standard in financial services, such as credit reporting.
Financially savvy consumers typically can move and rearrange their financial product and service relationships on their own. They seldom rely on online rudimentary budgeting applications, and they take issue with letting organizations have too much access to their information.
To the CFPB’s point, for the underserved population, there may be opportunities for the right organizations to better serve these groups. The ease of porting all of your information to a company to help you establish or improve your credit position, better manage your budget, or begin investing your extra cash may be well worth exposing your financial information to security and fraud risk.
Many of the underserved find the entire process of applying for loans, opening bank accounts, and understanding overdrafts and other fees challenging. Many are often reluctant to change financial services, even when they are dissatisfied, out of anxiety about starting over again with a new provider.
1033 may have an audience of consumers who need help in navigating the murky waters of financial health.
What are the potential impacts on financial service organizations?
Challenges:
If this regulation becomes final, all financial services organizations, including FinTechs, will find themselves in the position of being data providers and data requesters. We often think about these types of regulations as only impacting large banks. However, unless the CFPB sets some size limits for mandatory participation, even small organizations may find themselves having to implement this new rule.
Setting up portals and extracting customer data with the appropriate degree of accuracy will be a daunting undertaking for most organizations. Many large organizations are still challenged, even with cloud computing, to pull all related consumer information into one place accurately. Those who can pull it together often lack the appropriate tools and data understanding to export it in a digestible fashion.
This is an expensive undertaking for small organizations that may not have the right tools, technology, or people resources to make it happen. They may need a very extended implementation timeline if they cannot get some sort of exemption.
Benefits:
For organizations designing products for the mass market and sales campaigns, this regulation may be the advent of meeting the individual consumer needs and adapting. Imagine designing unique services based on a true complete picture of a consumer’s financial history. For example, take an eighteen-year-old just getting started and cultivating a financial profile right down to his/her/their spending habits to provide appropriate deposit, savings, credit, budgeting, and financial planning services. Notice how I didn’t say “products” as I believe the financial offering will become more and more a-la-carte for consumers – like eating from a financial buffet.
The provider who can really think strategically about how to leverage a full flow of consumer financial history could find themselves with a profitable customer for life. As we well know, most of us are creatures of habit, and finding a financial service firm that can rapidly adjust to our continually changing lifestyle would make any one of us stay with that provider for life.
Financial professionals would become true fiduciaries and financial advisors rather than pushing the next product or service coming down the line from sales and marketing teams. It may foster a need for a new breed of financial professionals who are well-versed in financial counselling and planning.
A thought on third parties and portals
If the CFPB could take note from history, rather than pushing every organization to figure this out for themselves, they may want to consider deliberately working with about three to four organizations to establish Personal Data Exchange Agencies.
This would be akin to the credit reporting agencies that grew out of necessity versus planning. If the CFPB would do the appropriate due diligence, identify organizations that may have the data collection and aggregation power, and wrap in standards on access, data submission, security, and privacy, these data exchange agencies could be the place where all organizations must submit and access consumer data as needed – no different than the power of Equifax, Experian, or TransUnion. This approach would go a long way in getting 1033 implemented in a more timely, seamless, and responsible fashion.
As we all know, small and micro businesses are the expanding markets in the United States. These businesses struggle to get access to good affordable financial services and credit. A deliberate effort to build business financial history through data collection would go a long way in aiding the growth of these entities.
A message for compliance teams
In summary, to all you compliance professionals, I highly recommend you don’t sleep on this one. It has been a slow meandering proposed regulation. However, when it becomes a final rule, in whatever form, the financial organizations that are the best prepared to take advantage of it will ensure compliance.
If you were involved in recent data-intense regulatory implementations, like the Home Mortgage Disclosure Act revision or the California Consumer Privacy Act, you will know that data requirements tend to be the hardest to implement due to the variety of applications within any organization. 1033 will touch all your consumer applications.
This will require engaging a variety of technology resources, and your business owners, creating new disclosures, and amending existing ones — a big lift. More importantly, getting your business to be aware of the possible impact on their business strategy will be your value-add to the organization. Other organizations will only focus on having to provide the consumer data, not the strategy around accessing it.
To the FinTechs that are decent at data collection, data aggregation, data mining, and data security and can quickly scale, work with your compliance team and compliance industry associations to convince the CFPB to establish consumer data exchange agencies and eliminate the wild, wild west of implementing 1033.