The Consumer Financial Protection Bureau (CFPB) has proposed a significant rule under Section 1033 of the Dodd-Frank Act aimed at enhancing consumer financial data rights. This rule is a crucial step towards ensuring consumers have better access to and control over their financial data. However, it also brings forth considerable complexities and challenges that need to be addressed.
OpenFinity selected these 3 organizations --The Financial Health Network (FHN)[1], the Future of Privacy Forum (FPF)[2] and the American Bankers Association (ABA)[3] who have provided detailed comments and recommendations to help refine and improve the proposed rule to help you navigate the proposed Personal Financial Data Rights covered by the 1033 rule.
OpenFinity strongly recommends that any financial services institutions, data aggregators, and fintech organizations working on the implementation of the CFPB 1033 rule carefully review and learn this crucial aspect of open banking.
This blog post synthesizes their key insights and suggestions.
As a precaution, it is important to remind readers that the final rule expected to be published by the CFPB in October may differ from the proposed one and may or may not reflect the comments and recommendations shared by these organizations or others. OpenFinity does not have a preview of what the final rule will be.
"Open Banking represents the business case for consumer control and privacy rights. The CFPB is making some big steps forward - companies need to pay attention to a broad array of issues and consumers' best interests.” Zoe Strickland, Senior Fellow, The Future of Privacy Forum.
Complexity of Data Privacy under the Proposed CFPB 1033 Rule
Multiplicity of Notices and Choices
Both FHN and FPF highlight the challenge posed by the multiplicity of notices and choices that consumers will encounter under the proposed rule. Entities may need to provide several, segregated notices under different regulations such as the Section 1033 rule, the Gramm-Leach-Bliley Act (GLBA), and state data privacy laws. This multiplicity could lead to consumer confusion and significant compliance challenges for entities.
Harmonization with Other Regulations
Harmonizing the 1033 rule with other existing regulations, especially the Fair Credit Reporting Act (FCRA), is crucial to avoid conflicting obligations and ensure smooth implementation. All organizations recommend that the CFPB seek to harmonize key definitions and compliance dates between the 1033 rule and the FCRA rulemaking.
Standards and Industry Best Practices
The rule encourages the development and adoption of consensus industry standards to provide a consistent framework for data privacy. However, FPF emphasizes that establishing these standards involves intricate processes and governance structures, which could be challenging to balance across all interested parties, including smaller entities and non-profits. It should be noted the CFPB took the unusual step of finalizing a portion of the 1033 rule earlier this year. This partial final rule lays out the criteria for organizations to become recognized standard setters, and includes a set of step-by-step instructions on how to apply. See here:
Data De-identification and Security
The rule’s restrictions on de-identified data adds another layer of complexity. The use of deidentified data has significant beneficial uses for consumers, whether internally within a business or externally for research purposes, and also has privacy and security benefits. The risk of re-identification, despite de-identification efforts, necessitates stringent controls and possibly consensus industry standards.
Screen Scraping Phase-Out
The transition from screen scraping to more secure data access methods presents technical and operational challenges. The rule's phased approach allows smaller organizations time to adapt, but it requires careful management to prevent consumer disruption and ensure compliance.
Revocation Mechanisms and Manipulative Designs
Ensuring that consumers can easily revoke third-party access to their data without falling prey to manipulative designs (or "dark patterns") is crucial. FPF stresses that the rule needs to provide clear guidelines and examples to help data providers and third parties avoid these deceptive practices.
Recommended Rights and Coverage under the Final 1033 Rule
Inclusion of Needs-Tested EBT Accounts
FHN strongly advocates for the inclusion of needs-tested Electronic Benefit Transfer (EBT) accounts in the final rule. Access to EBT data can significantly benefit recipients by enabling third parties to offer personal financial management services, such as budgeting tools and cost-saving strategies.
Comprehensive Consumer Financial Products
Beyond needs-tested EBT accounts, the final rule should expand to cover other core consumer financial products, such as payroll processing data. Payroll data provides accurate and up-to-date information about a consumer's income, enhancing cash flow underwriting and facilitating bank switching by enabling direct deposit redirection.
FHN also urges the CFPB to ensure that all consumer financial products such as mortgage, auto, and student loans and services eventually fall under the purview of Section 1033. They warn that excluding certain products from the initial rule could lead data holders to restrict access to valuable data, undermining the goals of open data sharing and financial health improvement. They recommend that the CFPB make a clear statement of intent to expand the rule's coverage in future rulemakings
Recommendations to Enhance the Final 1033 Rule
Harmonization of Definitions and Compliance Dates
To avoid regulatory conflicts, the rule should harmonize key definitions and compliance dates with the FCRA and other relevant regulations. This will ensure smooth implementation and reduce compliance burdens on entities.
Opt-In Standards and High-Risk Use Cases
The rule should support an opt-in standard for secondary uses of data and, if the CFPB deems necessary, high-risk use cases should be defined and restricted to protect consumers. FPF argues that this will provide consumers with greater control over how their data is used and shared.
Development of Industry Standards for Data Use
Encouraging the development of industry standards for the appropriate collection, use, and retention of covered data will help ensure consistent privacy practices and better consumer experiences. These standards will minimize business friction and enhance data security.
Exclusion of De-Identified Data from Certain Obligations
FHN raises concerns about the prohibition on data retention after the termination of consumer authorization. They argue that allowing third parties to retain de-identified or pseudonymized data for research and product improvement purposes is crucial for advancing financial health technologies. The blanket prohibition on data retention, according to FHN, is overly restrictive and hinders the ability of service providers to refine their models and algorithms.
Clarification of Data Aggregators' Roles and Obligations
The final rule should clearly define the roles and responsibilities of data aggregators, especially regarding their interaction with consumers and their obligations when acting on behalf of authorized third parties. This includes outlining when data aggregators become authorized third parties and their specific responsibilities.
Prohibition of Screen Scraping
Directly prohibiting screen scraping by third parties and aggregators will enhance data security and privacy. The rule should ensure that data access methods are safe and compliant with the standards set forth by the CFPB.
Guidance on Manipulative Designs in Revocation Mechanisms
Providing examples and guidelines on avoiding manipulative designs in revocation mechanisms will help protect consumers from deceptive practices and ensure they can easily manage their data consents. This includes clear definitions and illustrative examples to prevent "dark patterns."
Payments Initiation
The ABA argues against using Section 1033 to require initiating payments, citing potential liability issues and the need for a separate legal framework to address such functionalities. Instead, any such use case should be market-driven.
Cost Recoupment
The ABA advocate for allowing data providers to recoup costs associated with implementing and maintaining the infrastructure required for data access, which the current proposal prohibits.
Fair Credit Reporting Act (FCRA) Implications
The ABA is concerned that data providers may be deemed furnishers under the FCRA, which could impose significant compliance burdens. They request that the final rule clarify that providing data under Section 1033 does not classify data providers as furnishers.
Conclusion
The CFPB's proposed 1033 rule represents a significant advancement in consumer financial data rights. However, it introduces complexities that must be carefully managed through robust standards, harmonized regulations, and clear guidelines on data use and consumer protections. By incorporating the recommendations from FHN and FPF, the final rule can create a more inclusive, secure, and effective financial data ecosystem that benefits all consumers.
Sources:
[1]: The Financial Health Network (FHN) is a non-profit organization that unites industries, business leaders, policymakers, innovators, and visionaries in a shared mission to improve financial health for all.
[2]: The Future of Privacy Forum (FPF) is a global non-profit organization dedicated to advancing privacy leadership, scholarship, and principled data practices in support of emerging technologies. FPF is focused on advancing responsible data practices and has deep expertise regarding privacy and data protection, including concerning the privacy implications of open banking.
[3]: American Bankers Association (ABA) is a banking trade association of community, regional, and money center banks, holding companies, savings associations, trust companies, and savings banks. American Bankers Association provides training and education programs, information products, professional certifications, and technical services to its members.
If you need help with most terms used in open banking, you can check this handy glossary: https://www.openfinity.org/post/glossary
![Primary_Logologonew[1].png](https://static.wixstatic.com/media/854546_b81fa07d6cd645b8b24abfbef09ac417~mv2.png/v1/fill/w_153,h_46,al_c,q_85,usm_0.66_1.00_0.01,enc_auto/Primary_Logologonew%5B1%5D.png){kind=small}
Comments