KPMG Insight: Amidst heightened regulatory attention on data – including its collection and use alongside consumer privacy and data security concerns – the CFPB has released its long-anticipated outline of proposals to implement section 1033 of the Dodd-Frank Act, which provides consumers with more choices and direction over their own financial data. The Bureau considers this a step toward “open banking” in the United States, adding that the plan to start with transaction accounts, such as deposit accounts and credit cards, is a point “where industry infrastructure for consumer-authorized financial data sharing has already begun to take shape.” Financial institutions and credit issuers subject to the Bureau’s future rulemaking on financial data rights should anticipate increased supervisory activity relating to the collection, use, and retention of consumer information, as well as heightened consumer awareness of and attention to policies and practices affecting their personal financial data.
The Consumer Financial Protection Bureau (CFPB) released an outline of proposals and alternatives under consideration for a rulemaking to implement section 1033 of the Dodd-Frank Act, which provides consumers rights to access their own financial data. The outline is provided for review to a panel of small entities (e.g., banks, financial companies, data aggregators) likely to be directly affected by the regulations, if finalized. CFPB expects to release a notice of proposed rulemaking incorporating comments received from this panel as well as other interested parties in the first quarter of 2023. Public comments on the outline may be provided to the CFPB through January 25, 2023.
The CFPB is considering proposing applicable rules in the following areas:
Data providers subject to the proposals under consideration. If finalized, the CFPB’s proposed rules would apply to Regulation E financial institutions (including non-depository and depository financial institutions that hold consumer funds in accounts) and Regulation Z card issuers—together “covered data providers”. Such entities would be required to make available to consumers (or authorized third parties) data relating to asset accounts (e.g., deposit accounts and other transaction accounts) and credit card accounts. The CFPB intends to cover more products over time under section 1033.
Recipients of information. Under the CFPB’s proposal, covered data providers will be obligated to make information directly available to consumers and authorized third parties that request account data. According to the CFPB, it is not considering any proposal that would affect current requirements of covered data providers under consumer financial laws such as the Electronic Fund Transfer Act (EFTA), the Truth in Savings Act (TISA), and the Truth in Lending Act (TILA).
Types of information made available by a covered data provider. Pursuant to section 1033(a) of the Dodd-Frank Act, the CFPB is considering requiring data providers to make available information that is in their possession concerning consumer financial products or services that were obtained from the data provider. Categories of information that may be required with respect to covered accounts include:
- Periodic statement information for settled transactions and deposits (e.g., transfer amount, date, location, and fees charged)
- Information regarding prior transactions and deposits that have not yet settled
- Prior transaction information not typically shown on periodic statements or online financial account portals
- Online banking transactions that have been set up by the consumer but have not yet occurred
- Account identity information (e.g., name, age, race, veteran status, social security number)
- Other account information such as consumer reports from consumer reporting agencies, fees assessed by the covered data provider, and information about security breaches that exposed a consumer’s identity or financial information.
Availability of information. Covered data providers may be required by the CFPB to make information available in response to requests for direct access through online financial account management portals. Furthermore, data providers will be required to make information available to authorized third parties requesting information on behalf of a consumer.
Third party obligations regarding collection, use, and retention of consumer information. Under the CFPB’s considerations, third parties acting on behalf of an individual consumer and accessing consumer information would be subject to requirements including:
- Providing “authorization disclosures” that:
  - Inform consumers of key terms of access (including general categories of information to be accessed, identity of the covered data provider, accounts to be accessed, terms related to duration and frequency of access, and how to revoke access)
  - Solicit and obtain consumers’ consent to the terms of access
- Issuing consumers a certification statement on adherence to certain obligations regarding collection, use, and retention of the consumer’s information
- Limiting collection, use, and retention of consumer-authorized information to what is reasonably necessary to provide a product or service
- Providing consumers with a simple means to revoke authorization
- Implementing data security standards to prevent exposing consumers to data security harms
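As an added illustration (not part of the KPMG alert or the CFPB outline, and not any real aggregator's code), the hypothetical Python sketch below shows how a third party receiving consumer-authorized data could enforce the access terms listed above as runtime checks rather than policy statements: the authorized data provider, accounts and categories, a duration and daily frequency limit, one-call revocation, and a minimization step that discards any returned category the consumer did not authorize. The `Authorization`, `AccessGate` and `minimize` names, the category labels, and all sample values are assumptions constructed for the example.

```python
"""Added example: a consent-scoped access gate for a third party that
receives consumer-authorized financial data. All class names, fields and
category labels are hypothetical, not drawn from the CFPB outline."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed category labels; the outline only speaks of
# "general categories of information".
STATEMENT = "periodic_statement"
PENDING = "pending_transactions"
IDENTITY = "account_identity"


@dataclass
class Authorization:
    """Key terms of access the consumer consented to (assumed fields)."""
    consumer_id: str
    data_provider: str             # identity of the covered data provider
    accounts: frozenset[str]       # accounts the consumer authorized
    categories: frozenset[str]     # general categories of information
    granted_at: datetime
    duration: timedelta            # duration term of access
    max_requests_per_day: int      # frequency term of access
    revoked_at: datetime | None = None
    request_log: list[datetime] = field(default_factory=list)

    def expires_at(self) -> datetime:
        return self.granted_at + self.duration

    def status(self, at: datetime) -> str:
        """Revocation wins over expiry so the reason reported is the
        consumer's action, not the calendar."""
        if self.revoked_at is not None and at >= self.revoked_at:
            return "revoked"
        if at >= self.expires_at():
            return "expired"
        return "active"


class AccessGate:
    """Checks every data request against the stored authorization."""

    def __init__(self) -> None:
        self._auths: dict[str, Authorization] = {}

    def register(self, auth_id: str, auth: Authorization) -> None:
        self._auths[auth_id] = auth

    def revoke(self, auth_id: str, at: datetime) -> bool:
        """Simple means to revoke: one call, effective immediately.
        Returns False if the id is unknown or already revoked."""
        auth = self._auths.get(auth_id)
        if auth is None or auth.revoked_at is not None:
            return False
        auth.revoked_at = at
        return True

    def check(self, auth_id: str, account: str, category: str,
              at: datetime) -> tuple[bool, str]:
        """Return (allowed, reason). Scope is checked before frequency,
        and only an allowed request counts against the daily limit."""
        auth = self._auths.get(auth_id)
        if auth is None:
            return False, "unknown authorization"
        state = auth.status(at)
        if state != "active":
            return False, state
        if account not in auth.accounts:
            return False, "account not authorized"
        if category not in auth.categories:
            return False, "category not authorized"
        window_start = at - timedelta(days=1)
        recent = [t for t in auth.request_log if t > window_start]
        if len(recent) >= auth.max_requests_per_day:
            return False, "frequency limit exceeded"
        auth.request_log.append(at)
        return True, "ok"


def minimize(record: dict[str, dict], auth: Authorization) -> dict[str, dict]:
    """Drop any category the consumer did not authorize before the data
    is stored, so retention never exceeds the consented scope even if the
    data provider returns more than was asked for."""
    return {k: v for k, v in record.items() if k in auth.categories}
```

The gate records a request only after every scope check passes, so a denied request cannot consume the consumer's frequency budget, and `minimize` is applied to the provider's response rather than trusted to the request, since a provider may return a broader record than the consented categories.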
Small Entity Representatives (SERs), data providers and third parties are invited by the CFPB to provide feedback on questions listed throughout the proposal and should support their answers with quantitative information and feedback on costs and benefits of the proposals and alternatives.
Relevant KPMG Thought Leadership:
KPMG Regulatory Alert | Data Retention and Deletion: Increasing Regulatory Expectations