FinRegLab Responds to the CFPB’s Outline on Personal Financial Data Rights Rulemaking

RE: Outline of Proposals and Alternatives Under Consideration for Required Rulemaking on Personal Financial Data Rights

FinRegLab appreciates this opportunity to comment on the Bureau’s Outline of Proposals and Alternatives Under Consideration regarding personal financial data rights published on October 27, 2022, to facilitate the advisory panel review process pursuant to the Small Business Regulatory Enforcement Fairness Act (“the SBREFA Outline”).

We commend the Bureau for developing rules to implement § 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act)¹ and address related questions concerning other federal consumer financial protection laws implicated by customer-authorized data flows. As we have documented in past reports and comment letters, these data flows are critical to a growing range of consumer financial products and services. Modernizing the regulatory frameworks governing these flows is important both to mitigate current risks and frictions and to encourage future applications that produce greater inclusion, competition, and customer-friendly innovation, particularly for historically underserved consumers.

We focus our comments primarily on the use of customer-authorized data flows in credit underwriting, which has been the core of FinRegLab’s past work, with a particular emphasis on the importance of facilitating product improvement and research to improve financial services markets. We recognize the scope and complexity of this rulemaking and the substantial effort that is already reflected in the SBREFA Outline. However, we believe that additional attention to balancing the interests involved in these activities is needed to realize the potential of consumer-authorized data to further the Bureau’s broader objective to ensure that financial services markets are “fair, transparent, and competitive” in order to “facilitate access and innovation.”²

Background

Established in 2018, FinRegLab is an independent, nonpartisan innovation center that tests and monitors the use of new technologies and data to drive the financial services sector toward a responsible and inclusive marketplace. Through our research and policy discourse, we facilitate collaboration across the financial ecosystem to inform public policy and market practices. FinRegLab is not an advocacy organization, but through our research and engagement we work to identify market and policy issues that will be particularly critical in determining the benefits, risks, and scale of adoption for specific data and technology uses that have important implications for financial inclusion and equity.

FinRegLab issued the first major public empirical evaluation of the use of customer-authorized cash-flow data in underwriting consumer and small business credit in 2019. We chose the subject as a case study of the potential for customer-authorized data transfers to spur greater competition and innovation in financial services markets, and issued subsequent analyses of market, technology, and policy issues.³ FinRegLab Deputy Director Kelly Thompson Cochran spoke about our research findings at the CFPB’s 2020 Symposium on Consumer Access to Financial Records. Later that year, FinRegLab published an update on pandemic-related data developments and a joint report with the Financial Health Network, Flourish, and Mitchell Sandler describing federal laws that govern consumer financial data in detail and highlighting various issues that have arisen as data transfers and use have evolved in recent decades.⁴

In 2021, we responded to the Bureau’s Advanced Notice of Rulemaking on consumer access to financial records (ANPR comment letter)⁵ as well as submitting comments on related topics to the prudential regulators⁶ and testifying before Congress.⁷ We also published a report jointly with the Urban Institute analyzing initiatives to incorporate more data about utility, telecommunications, and rental payments history into credit underwriting models, some of which relied upon customer-authorized channels.⁸ In 2022, we announced a research project that will examine the use of customer-authorized bank account data to assess the finances of households who are struggling to manage unsecured credit and to identify the most promising workout strategies and structures.⁹

Our prior publications contain substantial analyses of the technology, market, and regulatory context that is shaping customer-authorized data transfers, and are incorporated by reference.

Discussion

A. The importance of the rulemaking for improving financial services markets

As we discussed in our 2021 ANPR comment letter, customer-authorized data flows are both fueling consumers’ ability to obtain additional financial services from the providers of their choice and providers’ ability to deliver immediate services, develop new products, and compete more generally in the marketplace. But the current market is both imposing substantial burdens and risks on consumer and industry participants and is not yet living up to its full potential to drive customer-friendly innovation and competition. Addressing these issues could be particularly important to improving services to communities of color and other groups whose needs have not been fully met by either traditional financial services or early fintech initiatives.

Use of customer-authorized data to underwrite credit illustrates the potential benefits, risks, and frictions of the status quo. Prior to the pandemic, an estimated 50 million consumers lacked sufficient traditional credit history to be evaluated using the most widely adopted credit scoring models, and an additional 80 million consumers were rated as “nonprime” even though many of them individually may be likely to repay.¹⁰ These patterns also affect small business credit access, since many lenders consider business owners’ personal credit records when making loans. The COVID-19 downturn created additional uncertainty about the performance of current scoring and underwriting models, as well as concerns that consumers and entrepreneurs who have suffered financial hardships through no fault of their own could face difficulty in accessing credit for years to come based on the way that traditional models treat negative historical information. These concerns are particularly important for Black and Hispanic households and business owners in light of racial wealth gaps, historical disparities in credit reports and access, and disproportionate health and economic effects from COVID-19.

Bank account records and other sources of cash-flow information can potentially provide more holistic and timely views of loan applicants’ finances, in part because the percentage of U.S. households with transaction or prepaid accounts exceeds 95 percent.¹¹ FinRegLab’s empirical research based on data from six companies using cash-flow data suggests that the information can be valuable in predicting credit risk among a broad range of applicants because it provides somewhat different insights than traditional credit reports.¹² Stakeholder outreach suggests that the information can be particularly valuable in detecting signals when economic circumstances are changing relatively rapidly or individual applicants are working to stabilize their finances. Initiatives that rely on transaction account data for credit underwriting have increased substantially over the past two years in response to both the economic uncertainty of the pandemic and heightened focus on racial justice issues.¹³

Nevertheless, challenges in securing reliable data flows and uncertainty about applicable regulatory requirements continue to complicate adoption efforts.¹⁴ Data flow frictions may have a particular impact on efforts to meet the financial services needs of underserved populations, for instance where providers’ margins are already thin due to higher costs or lower returns, or where particular customer groups are especially sensitive to concerns about privacy, security, and other aspects of data control. To the extent that bank account information is already being used for credit underwriting, most transfers of such data rely on the use of consumers’ login credentials despite potential security and liability concerns. It is also unclear exactly whether and how the Fair Credit Reporting Act applies to such information, and the CFPB does not yet regularly examine data aggregators who facilitate such transfers as it does for large traditional consumer reporting agencies.

Our previous letter details other ways that customer-authorized data could help better meet the needs of underserved populations and customers of smaller financial services providers, which fill critical market gaps but cannot offer the full spectrum of products provided by the very largest and most technologically sophisticated institutions. A consistent regulatory framework could substantially accelerate this process by providing greater certainty to all ecosystem participants, moving past current competitive sticking points, and facilitating research and investment in customer-friendly innovations. While customer protection is a fundamental component of the rulemaking, it also provides a unique opportunity to foster greater competition, innovation, and access to financial services in ways that could have substantial positive effects on individual households and the broader U.S. economy.¹⁵

B. General comments

The SBREFA Outline is an important step forward in articulating potential requirements for data providers, aggregators, receiving financial services providers, and consumers. Core questions as to what types of financial services providers and data elements are subject to the rule, required elements of the authorization process, and technology and process requirements for data transmission require both substantial detail and nuanced balancing of interests. While our primary focus is the implications of the proposals under consideration for use of customer authorized data in product improvement and research as discussed in Section C below, we make a few high-level comments on other issues as follows:

Applying the initial rule to bank and prepaid transaction accounts as well as to credit card transactions would encompass data sources that are helping to fuel credit underwriting and a variety of other existing use cases. However, we urge the CFPB to expand the rule as quickly as practicable to include payroll processing records and closed-end credit card accounts since those data sources can also be important to helping consumers qualify for new credit, compare loan products, and/or manage existing credit accounts.

We urge the CFPB to prioritize avoiding disruption to the current provision of financial products and services that rely upon consumer-authorized data flows, mitigating the risks that accompany those data flows, and ensuring that all consumers can safely and reliably access their baseline information over creating access to data elements that are not widely accessible or used today. We therefore urge the CFPB to consider the potential time and burden tradeoffs and staging options with regard to mandating the provision of substantial additional information beyond what financial institutions typically provide through their periodic statements and customer websites. While some of the additional elements listed in the Outline could potentially provide value to some consumers in particular circumstances—including for underwriting and other credit related activities¹⁶—some may require substantially more systems build and implementation costs than others in order to provide access. Given the importance of accelerating the migration away from reliance on credential sharing and screen scraping to reduce security, privacy, and systems burdens, it would be helpful to explore whether postponing the inclusion of some elements would help data sources (particularly smaller institutions) build portal infrastructure more quickly.

As work on the substantive rulemaking progresses we urge the CFPB to exercise its authorities to begin supervision of key entities in the data ecosystem as well as to coordinate closely with prudential regulators and with other government agencies that work with providers of financial products and services that are outside the scope of § 1033 of the Dodd-Frank Act. Customer-authorized data transfers are expanding rapidly across financial services markets, raising important questions about both gaps and overlaps in existing authorities and standards. Coordination across markets and agencies can encourage greater consistency, efficiency, and customer-friendly innovation with regard to the full spectrum of financial products and services.

C. Particular concerns for credit and research related use cases

The Outline’s overview of potential requirements for “third parties” who access consumerauthorized data provides a high-level articulation of potential standards for their collection, use, and retention of data. The issues raised in this section are central to the promise of consumer-authorized data flows to spur greater competition, innovation, and access in financial services markets, particularly to the extent that they affect the scope of research and product improvement activities. They are also highly complex and might well merit a lengthy outline and substantial engagement processes in their own right, particularly to the extent that they implicate other existing federal consumer financial laws.

While the Outline provides a starting place for discussion, we urge the CFPB to continue engagement with key stakeholders as it builds out more specific substantive standards. We also urge the Bureau to give careful thought to the practical implications of those standards for product improvement and research in the context of specific use cases. There can be important differences between use cases with regard to the types and scope of data needed to improve performance and responsiveness to consumer needs, the nature of existing regulatory frameworks, the incentives of and relationships between different actors in different markets, and the potential benefits and risks to consumers of particular data uses. We focus specifically below on the use of consumer-authorized data for credit underwriting as particularly central to FinRegLab’s experience and activities, but acknowledge that the balancing of interests and considerations regarding use of data for product improvement and research may be somewhat different in other financial markets.

We address three topics in more detail below: (1) the reasonably necessary limitation standard and prohibition on secondary use; (2) potential exceptions from use and retention limitations for de-identified data; and (3) the potential intersections between the standards under consideration with FCRA and the Gramm-Leach-Bliley Act’s privacy and data security provisions.

One threshold comment concerns the Bureau’s use of “third party” to cover both data aggregators and the financial services providers to which aggregators transfer data so that they can provide a requested product or service to consumers. We believe that it is critical that the forthcoming rule cover both types of entities in detail, but also note that they play distinct roles in the ecosystem and may merit separate treatment in some respects. Using distinct terms—such as “data intermediaries,” “recipient financial services providers,” and “further downstream recipients” (where potentially applicable)—could help to sharpen the analysis and debates around the consistency of treatment and the nature of specific requirements. We use these terms in our discussion below and encourage the Bureau to consider adopting similar distinctions, as it did in its 2021 Advanced Notice of Proposed Rulemaking.¹⁷

1. Reasonably necessary limitation standard and prohibition on secondary use

The Outline anchors its discussion of third party obligations by articulating a general “limitation standard” that would prohibit the collection, use, or retention of consumer information beyond what is reasonably necessary to provide the product or service that the consumer has requested. It also seeks comment on a range of approaches to any “secondary use” of data that is not reasonably necessary to provide the product or service, ranging from a total prohibition to barring certain high risk secondary uses to imposition of opt-in or opt-out permissioning regimes. The Outline also discusses a potential requirement that third parties delete consumer information that is no longer reasonably necessary to provide the consumer’s requested product or service or upon revocation. Potential exceptions would include retention for compliance with other laws and for the use and retention of de-identified data.

The focus on reasonably necessary data uses has migrated in important respects from the 2020 ANPR, which sought feedback on potential approaches to uses reflecting the “primary purpose for which a consumer, acting pursuant to reasonable expectations, would choose to authorize access to consumer data” and all other secondary activities.¹⁸ However, the Outline does not explain how the CFPB would define the reasonably necessary threshold in general or in specific contexts. And while it states that the limitation standard would be consistent with various state and international privacy regimes, it does not explain how those regimes have defined key concepts or regulated particular secondary uses, and it does not discuss how the proposed limitations would intersect with FCRA or GLBA.

These issues require careful calibration to achieve an optimal balance between the interests of consumers, various financial services providers, and the general public. As we discussed in our 2021 ANPR comment letter, there are a spectrum of ways in which data can be used by financial services providers.¹⁹ Some of these uses may not be expected by consumers or be a condition precedent to delivery of the financial product or service to each individual consumer, but at a broader level may facilitate the provider’s practical ability to offer the product or service in general, improvements to the product or service over time, and broader public interests:

• Primary use for which a consumer has directly authorized access (e.g., for an intermediary, transmission and possibly some processing of the authorized data; for the lender recipient, evaluation of the data in support of an individual application for credit)
• Supplemental primary uses that are legally required or that practically facilitate the financial service provider’s ability to deliver the product or service that the consumer is seeking (e.g., for lender recipients, use of data in servicing/securitizing/selling the resulting loan, consumer reporting, and risk rating activities; for both intermediaries and lender recipients, auditing and compliance activities, fraud/risk control/information security activities, due diligence during corporate activities, etc.)
• Secondary public uses (e.g., research and product development relating to financial services, money laundering monitoring, other legal obligations)
• Secondary commercial use (marketing other products or services by primary or secondary parties, resale for other general commercial purposes)

As this description indicates, defining what data uses and retention practices are reasonably necessary for an intermediary as compared to a lender or other recipient financial services provider could be substantially different. In making these distinctions, it is important to consider direct delivery of the product or service to the consumer, supplemental primary activity, and the ability to improve the product or service in question over time. For example, retaining historical information about loan origination inputs and performance can be critical to helping lenders to analyze, test, and improve credit models. The amount, nature, and timeline of data retention to improve the services provided by intermediaries will vary depending on their business model (e.g., do they simply provide transmission services, engage in some basic data grouping activities, or provide sophisticated processing to facilitate credit underwriting activities?) and may increase the likelihood of triggering coverage as a consumer reporting agency under FCRA in some circumstances.

At the other extreme, secondary commercial uses are more likely to accrue to the benefit of the user company than the consumer, are less likely to correspond with consumer expectations and preferences, and may involve entirely different products or services. To the extent that customer information is passed to downstream parties with increasingly attenuated incentives to protect the interests of the consumer and/or obligations to help the original recipient company meet its compliance obligations, this can also increase risk levels. Indeed, there is a substantial question as to whether a company is “acting on behalf of” a consumer in using data received pursuant to a § 1033 transfer for secondary commercial activities, and both data minimization principles and stronger consent mechanisms could be helpful to reenforce consumer agency in this context.

As the CFPB builds out the basic concepts articulated in the Outline, we urge it to define the limitation standard, restrictions on secondary use and retention, and exemptions in ways that facilitate both supplemental primary uses and secondary public uses as defined above. It is particularly important to preserve the ability to use consumer-authorized data with appropriate privacy and security safeguards to validate models and processes used to deliver particular financial products and services, to assess consumer outcomes in meaningful ways, and to identify potential improvements in efficacy, fairness, and inclusion. For example, access to substantial historical data and the ability to link such information to new data sources (discussed further below) are particularly critical for building better and more inclusive credit models over time. Product improvement and research activities are critical to realizing the potential benefits of customer-authorized data for fairness, innovation, and competition, for instance by using more diverse and representative data to improve the structure and delivery of financial services as well as by informing improvements in market practices and regulation.

2. Potential exceptions for de-identified data

A related point concerns the Outline’s questions about whether to create exceptions to bans on secondary use and/or retention of data for information that has been “de-identified,” which is not specifically defined. Stripping large data pools of personally identifiable information is an important method of reducing privacy risks, and FCRA and GLBA both similarly provide more flexibility with regard to the sharing and use of data without personally identifiable information. However, it is important to recognize that de-identification techniques can have limitations and tradeoffs, and to articulate regulatory expectations with care. In this respect the rulemaking presents a substantial opportunity to advance federal consumer financial law since neither FCRA nor GLBA provide substantial guidance on de-identification techniques.

De-identification does not have a single universally accepted definition, but has been described by federal regulators in some contexts as hinging upon whether data can be reasonably linked or reidentified to an individual.²⁰ Depending on the data and circumstances, simply removing names and other common elements of “personally identifiable information” may not be sufficient to achieve this level of de-identification. However, there are a range of technical, business, legal, and ethical tools that can be used to reduce the risk that data will be associated with a particular consumer. Practices are continuing to evolve, particularly with the emergence of new “privacy enhancing technologies” that work to minimize the possession and transfer of personal data while facilitating beneficial use cases.

It is also important to note that the ability to link data concerning the same consumer across multiple data sets can often be critical for testing the use of new data sources to improve credit models over time, to conducting more nuanced assessments of the efficacy and outcomes of particular financial services and products, and to a broad range of other research and product improvement initiatives. Accordingly, in addition to considering de-identification standards and techniques, the use of “pseudonymization” and other processes that preserve the ability to link data sets in controlled circumstances for appropriate uses could be important to facilitate product improvement and research activities. Such techniques are also used in health care and other contexts to address similar concerns about using individual records for broader research purposes.²¹

In short, de-identification techniques could be an important tool to reduce risks to consumer privacy and security while facilitating activities that benefit consumers and the broader market. However, a simplistic standard that led to the automatic deletion of credit data shortly after the conclusion of a loan or a prohibition on use of credit data for improving credit models unless the information was structured in such a way that it could never be linked to other data sources could substantially complicate product improvement and research efforts. We urge the CFPB to define standards in a way that permits and facilitates these activities subject to reasonable and appropriate safeguards.

3. Intersection with existing laws

A final and related consideration involves the intersection of the requirements that the Bureau is considering imposing on third party data recipients with existing requirements under FCRA and GLBA. As we have detailed in past reports and comment letters, these existing regimes were developed decades ago in a much different market and technology environment. They do not focus in detail on consumer-authorized data transfers, and there are strong arguments for revisiting them more broadly to calibrate for today’s unprecedented levels of digital information, automated processes, and rapidly evolving technologies. At the same time, while it may be appealing to view this rulemaking as something of a blank slate, it is important to consider how new and existing data regimes would potentially operate side by side within the same markets and financial services providers.

In the credit underwriting context, for example, FCRA and GLBA do not restrict lenders’ ability to retain traditional credit reports after the original application process, so that the information can be used by their staff to assess performance of their credit models over time and to explore the use of additional data elements to optimize for performance, fairness, and access. If recipient lenders were restricted from retaining and using bank account data or other customer-authorized sources of information for the same purpose, that could reduce their ability to improve current generations of models that use such data. The implementation of two different sets of standards potentially raises both compliance and competitive considerations for recipient financial services providers that rely heavily on customerauthorized channels. We are concerned that such differentials could potentially have negative impacts on product improvement and research activities that could help to produce financial services and products that are more inclusive and responsive to consumers’ needs.

We do not mean to suggest that the existing regimes should operate as an absolute or automatic ceiling, but rather simply that it is important to consider the implications of imposing different substantive standards particularly in the context of hybrid activities that may involve reliance on both consumer-authorized information and data obtained through other channels. It could also be helpful to consider whether adjustments to the existing regimes in parallel to or in lieu of § 1033 standards could provide a more consistent and calibrated baseline across different data sources.

We recognize the scope and complexity of this rulemaking and the challenging tradeoffs between acting quickly to address evolving market conditions and deliberating to develop rules that may better calibrate long-term considerations. We also recognize the challenges involved in working to level the playing field between market actors that enjoy significant data and technology advantages today, their existing competitors, and potential innovators, while also trying to reduce the risk of creating new types of privileged actors. These competitive dynamics and the desire to promote consumer privacy, security, and broader empowerment over their personal information both warrant careful consideration to reduce the risks of over-collection and exploitation of consumer data. At the same time, it is important to calibrate protections to allow for reasonable use of the data to promote competition, product improvement, and access to more responsive financial products and services. We urge the CFPB to consider these questions with an eye toward the specific data needed to improve particular financial products and services and would be happy to provide additional information as we continue to probe these issues.

Thank you again for the opportunity to comment on these issues.

Download PDF

EndNotes