Testimony & Comment Letters
FinRegLab Responds to the CFPB’s Proposed Rule on Personal Financial Data Rights
BY EMAIL
Comment Intake—Financial Data Rights
C/O Legal Division Docket Manager
Consumer Financial Protection Bureau
1700 G Street NW, Washington, DC 20552
RE: Docket No. CFPB–2023–0052
FinRegLab appreciates this opportunity to comment on the Bureau’s Notice of Proposed Rulemaking regarding personal financial data rights published on October 31, 2023 (the NPRM).1 We commend the Consumer Financial Protection Bureau for developing rules to govern customer-authorized data flows by implementing § 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act).2 This is a critical step toward modernizing the federal regulatory frameworks governing consumer financial data to benefit consumers, markets, and the broader U.S. economy.
Over the past three decades, customer-permissioned data flows have become critical to a growing range of consumer financial products and services as well as to public research focusing on household financial health, markets for consumer financial products and services, and the role of consumer financial activity in the nation’s economy. However, the benefits of these information flows are not distributed evenly, and strengthening and harmonizing existing federal laws is critical both to mitigate current risks and frictions and to encourage greater inclusion, competition, and customer-friendly innovation, particularly to serve the interests of historically underserved consumers. We were pleased that the NPRM recognized FinRegLab’s research on the use of cash-flow data in credit underwriting as documenting an important and beneficial use case for customer-permissioned transfers.
We recognize the scope and complexity of building robust guardrails to govern customer-authorized transfers and the careful thought that is reflected in many aspects of the NPRM. However, we urge the Bureau to adjust its approach on a number of topics to provide better staging as new regulatory components are built out and to better achieve both the rulemaking’s goal to “accelerate the shift to a more open and decentralized [financial services] system”3 and the Bureau’s broader institutional mandate to ensure that consumer financial markets “operate transparently and efficiently to facilitate access and innovation.”4 Specifically, we urge the Bureau to:
- Expand coverage as quickly as practicable to include transfers of data relating to the electronic distribution of needs-based benefits, payroll processing records, and other types of credit products besides credit card accounts. Access to these kinds of information would substantially benefit consumers—particularly vulnerable and historically underserved populations—by facilitating greater competition and innovation in related financial services markets.
- Refine and clarify the proposal’s approach to regulating primary and secondary uses of transferred data to avoid jeopardizing substantial benefits for consumers, reinforcing the advantages of certain incumbent financial services companies, and substantially curtailing public research. We believe that a more nuanced approach can still guard against commercial misuse of consumer data while accelerating the shift to a more open and decentralized financial services system that benefits consumers and the broader public.
- Expedite follow-up proceedings to address potential overlaps with regard to the treatment of customer-authorized data under the Fair Credit Reporting Act (FCRA) and Gramm-Leach-Bliley Act (GLBA) and to exercise supervisory authority over critical actors. While the Bureau has taken early steps toward a broader FCRA rulemaking process, components of those rules affecting the status of customer-authorized data flows and data aggregators as consumer reporting agencies are closely intertwined with issues regarding the collection, use, and retention of data under the § 1033 rulemaking. Efforts to address customer protections and competitive dynamics would be substantially facilitated by clarifying how the three major data regimes intersect and by positioning the Bureau to examine critical non-bank actors for compliance with applicable requirements.
- In recognition of the complexity of revising and strengthening existing consumer financial data guardrails to adjust for the digital era, give additional thought to consultation processes, implementation timelines, and intermediate measures that can encourage positive movement as major framework components are built out. This rulemaking is a critical component of modernizing federal regulatory frameworks, but as evidenced by the preceding points it cannot comprehensively address all of the necessary components. In addition to follow-on CFPB rulemakings, industry standard setting organizations and other federal regulators both have critical roles in the broader process, and industry actors will require time to adjust to meet various new expectations. Adjusting timelines and staggering components to provide for an orderly process and to encourage positive interim steps can help to ensure better long-term outcomes for all participants.
Background and past comment
Established in 2018, FinRegLab is an independent, nonpartisan innovation center that tests and monitors the use of new technologies and data to drive the financial services sector toward a responsible and inclusive marketplace. Through our research and policy discourse, we facilitate collaboration across the financial ecosystem to inform public policy and market practices. We concentrate our work on market and policy issues that will be particularly critical in determining the benefits, risks, and scale of adoption for specific data and technology uses that have important implications for financial inclusion and equity.
We have focused on the potential for customer-authorized data transfers to spur greater competition and innovation in financial services markets since our inception, including the following initiatives:
- We issued the first major public empirical evaluation of the use of customer-authorized cash-flow data in underwriting consumer and small business credit in 2019, finding that the data hold substantial promise to improve default prediction and increase access to credit when used in addition to or in lieu of traditional credit history. Our subsequent reports analyzed the market for customer-authorized data transfers and the need to update regulatory frameworks for consumer financial data and credit underwriting.5
- In 2020, we issued a joint report with the Financial Health Network, Flourish, and Mitchell Sandler detailing the federal laws governing consumer financial data and highlighting issues that have arisen as data transfers and use have evolved.6
- In 2021, we published a report jointly with the Urban Institute analyzing initiatives (including ones relying on customer-authorized data flows) to incorporate data about utility, telecommunications, and rental payments history into credit underwriting.7
- In 2022, we launched a research project examining the use of customer-authorized bank account data to assess the finances of households who are struggling to manage unsecured credit and to identify the most promising workout strategies and structures.8
- In 2023, we announced a follow-up research project examining the use of bank account data and other non-traditional sources of information for increasing access to credit among minority-owned and small businesses and the scale of mission-based lenders’ business credit programs.9
We have engaged repeatedly with both federal regulators and Congress on related topics, including participating in the CFPB’s 2020 Symposium on Consumer Access to Financial Records, commenting on its 2021 Advance Notice of Proposed Rulemaking and 2022 Outline of Proposals and Alternatives Under Consideration for the small business review panel process,10 submitting comments on related topics to the prudential regulators,11 and testifying before Congress on data and technology issues.12 Our prior reports and comments are incorporated by reference.
Discussion
A. The importance of the rulemaking for improving financial services markets
As we have discussed in our previous CFPB comment letters, customer-authorized data flows are both fueling consumers’ ability to obtain additional financial services from the providers of their choice and providers’ ability to deliver immediate services, develop new products, and compete more generally in the marketplace. But the current market is both imposing substantial burdens and risks on consumer and industry participants and is not yet living up to its full potential to drive customer-friendly innovation and competition. Addressing these issues could be particularly important to improving services to communities of color and other groups whose needs have not been fully met by either traditional financial services or early fintech initiatives.
Use of customer-authorized data to underwrite credit illustrates the potential benefits, risks, and frictions of the status quo. Prior to the pandemic, an estimated 50 million consumers lacked sufficient traditional credit history to be evaluated using the most widely adopted credit scoring models, and an additional 80 million consumers were rated as “nonprime” even though many of them individually may be likely to repay.13 These patterns also affect small business credit access, since many lenders consider business owners’ personal credit records when making loans. The COVID-19 downturn created additional uncertainty about the performance of current scoring and underwriting models, as well as concerns that consumers and entrepreneurs who have suffered financial hardships through no fault of their own could face difficulty in accessing credit for years to come based on the way that traditional models treat negative historical information. These concerns are particularly important for Black and Hispanic households and business owners in light of racial wealth gaps, historical disparities in credit reports and access, and disproportionate health and economic effects from COVID-19.
Bank account records and other sources of cash-flow information can potentially provide more holistic and timely views of loan applicants’ finances, in part because the percentage of U.S. households with bank or prepaid accounts exceeds 95 percent.14 FinRegLab’s 2019 empirical research based on data from six companies using cash-flow inputs for underwriting suggests that the information can be valuable in predicting credit risk among a broad range of applicants because it provides somewhat different insights than traditional credit reports.15 Stakeholder outreach suggests that the information can be particularly valuable in detecting signals when economic circumstances are changing relatively rapidly or individual applicants are working to stabilize their finances. Initiatives that rely on transaction account data for credit underwriting have increased substantially over the past three years in response to both the economic uncertainty of the pandemic and heightened focus on racial justice issues.16
Nevertheless, challenges in securing reliable data flows and uncertainty about applicable regulatory requirements continue to complicate adoption efforts.17 Data flow frictions may have a particular impact on efforts to meet the financial services needs of underserved populations, for instance where providers’ margins are already thin due to higher costs or lower returns, or where particular customer groups are especially sensitive to concerns about privacy, security, and other aspects of data control. To the extent that bank account information is already being used for credit underwriting, many transfers of such data rely on consumers sharing their login credentials with the third party so that it can retrieve the data directly, despite the security and liability concerns that practice raises. It is also unclear whether and how the Fair Credit Reporting Act applies to such information, and the CFPB does not yet regularly examine the data aggregators who facilitate such transfers as it does large traditional consumer reporting agencies.
Our previous letters detail additional use cases for customer-authorized data that can also help better meet the needs of underserved populations and customers of smaller financial services providers, which fill critical market gaps but cannot offer the full spectrum of products provided by the very largest and most technologically sophisticated institutions. A consistent regulatory framework could substantially accelerate this process by providing greater certainty to all ecosystem participants, moving past current competitive sticking points, and facilitating research and investment in customer-friendly innovations. While customer protection is a fundamental component of the rulemaking, it also provides a unique opportunity to foster greater competition, innovation, and access to financial services in ways that could have substantial positive effects on individual households, markets, and the broader U.S. economy.18
B. Scope of data coverage
As the Bureau proceeds with the rulemaking, we understand and applaud its focus on data from transaction accounts, digital wallets, and credit cards as playing a particularly important role in fueling credit underwriting, personal financial management tools, and new payment applications. However, we urge the CFPB to expand coverage as quickly as practicable to include the full range of electronic benefit transfers (EBT) information as well as payroll processing records and data concerning other types of credit accounts.
These information sources can help spur greater competition and innovation in related markets, facilitating delivery of highly beneficial financial products and services to historically underserved consumers. For example, the CFPB itself has noted the need to improve competition, efficiency, and customer service in the delivery of government benefit programs, particularly those that deliver cash assistance.19 Apps that help recipients manage public benefits and their broader finances are providing critical value to vulnerable households by allowing them to check balances, monitor for fraud, and manage their household finances more generally.20 These functions are particularly critical because Congress decided to exempt some government benefit programs from the Electronic Fund Transfer Act in 1996 due primarily to concerns about implementation costs of certain liability provisions.21 Particularly in the absence of such coverage, ensuring consistent data access to the full range of electronic benefit programs would help to encourage the further development and delivery of tailored personal financial management services and assist recipients in protecting themselves against a recent uptick in fraudulent activity.22
Increased access to payroll data and information about the full spectrum of loan products could also be particularly beneficial to consumers who currently struggle to access and manage credit, for instance by helping them qualify for more favorable loans, compare credit products, and/or manage existing loan accounts. While income and loan payment history can often be obtained through bank and transaction account data, not all consumers have such accounts.23 Moreover, transaction account records do not provide access to product and pricing terms or information about other aspects of existing credit relationships or the full details of wage and benefit information. Thus, ensuring consistent access to these other data sources could further facilitate credit-related personal financial management services and comparison shopping/loan refinancing over time, consistent with the Bureau’s stated goals for the rulemaking and its broader statutory objectives.24
C. Regulation of primary and secondary data use
As highlighted in our previous letters, the standards for data collection, use, and retention by third parties that access data on consumers’ behalf are central to the promise of consumer-authorized data flows to spur greater competition, innovation, and access in consumer financial markets. While we understand and share the Bureau’s deep concern about the risk of commercial entities misusing consumer data primarily for their own commercial purposes, we fear that the NPRM’s current approach to these issues could in certain respects decelerate the shift to a more “open and decentralized” financial services system relative to the status quo. We urge the Bureau to adopt more nuanced standards to facilitate the use of customer-authorized data for improving consumer financial products and services, combatting fraud, encouraging public research, and possibly other uses that promote the development of more inclusive, competitive, and innovative financial markets.
We address two topics in more detail below: (1) the reasonably necessary limitation and general prohibition on secondary use; and (2) potential exceptions for consumer consented and/or de-identified data. Part D addresses related issues concerning the potential intersections between the § 1033 standards and FCRA and GLBA.
1. Reasonably necessary limitation and prohibition on secondary use
The proposed regulation would require third parties to certify that they would abide by certain restrictions in order to access data “on behalf of” a consumer pursuant to § 1033.25 The limitations would include restricting their collection, use, and retention of consumer data to only what information is “reasonably necessary” to provide the consumer’s requested product or service.26 The restrictions on collection include the scope of the data collected as well as the duration and frequency of collection, and the proposal would set a maximum collection period of one year subject to reauthorization.27 Upon expiration of authorization or receipt of a consumer revocation notice, third parties would be required to cease collection and to stop use and retention of previously collected data except to the extent reasonably necessary to provide the requested product or service.28
The proposal text does not fully define “reasonably necessary” data uses but provides three examples: (1) “servicing or processing” the product or service the consumer requested; (2) activities that are “reasonably necessary” to protect against or prevent actual or potential fraud, unauthorized transactions, or similar claims and liabilities; and (3) uses that are specifically required under other provisions of law.29 It also states that targeted advertising, cross-selling of other products or services, or the sale of covered data are not “reasonably necessary” data uses when a third party is providing some other product or service to a consumer, although the preamble clarifies that the proposal would not limit such activities as primary, standalone services in their own right.30
More broadly, the preamble indicates that the NPRM is intended to prohibit all “secondary” uses that are not reasonably necessary to provide the product or service that the consumer has requested.31 Although the Bureau requests comment on whether third parties should be permitted to seek opt-in consent for some limited secondary uses as discussed further below,32 the NPRM preliminarily concludes that permitting any secondary use “risks positioning the third party as the primary beneficiary of data access,” “undermin[ing] the consumer’s understanding of the authorizations they provided,” and “undermin[ing] a consumer’s ability to control their data.”33 The NPRM therefore preliminarily rejects a range of other formulations, concluding that the “reasonable necessity” standard is sufficiently flexible to authorize a variety of uses while assuring that third parties are acting on behalf of the consumer.34
Despite the Bureau’s preliminary conclusion regarding the flexibility of its proposed approach, FinRegLab is deeply concerned that the current language could unnecessarily curtail the use of customer-authorized data to improve consumer financial products and services, combat fraud, facilitate public research, and possibly other uses that promote the development of more inclusive, competitive, and innovative financial markets. For example, we urge the Bureau to consider the following steps:
- Elaborating on the description of primary use cases beyond “servicing or processing the product or service the consumer requested.” Customer-permissioned data can be used in a variety of ways in the course of providing consumer financial products or services, including as an input to eligibility or verification determinations (e.g., in credit underwriting and payments processing), as an input to the product or service itself (e.g., in personal financial management tools), and in the course of servicing an account (e.g., in credit limit adjustments). In some cases, providing the customer-permissioned data to other entities is the service requested by the consumer (e.g., companies that provide rental payment history to consumer reporting agencies or lenders on behalf of prospective home buyers). The preamble also suggests that facilitating comparison shopping and account switching is a beneficial use case that the rule is designed to facilitate, yet it does not discuss how such activities would be conducted under the reasonably necessary standard in the use restrictions section (other than with regard to the treatment of targeted advertising, cross-selling of other products or services, or the sale of covered data as described above). Particularly if the Bureau maintains the “reasonably necessary” standard as the only permissible use, it would be helpful to provide a fuller description that contemplates the full set of use cases the Bureau has in mind.
- Permitting activities that practically facilitate the financial service provider’s ability to deliver the product or service that the consumer is seeking over time, including downstream work to improve fraud protections and the same general category of products or services requested by the consumer.35 The NPRM language could be read as only permitting third parties to collect, use, and retain the individual data elements that they already rely upon for detecting fraud, determining credit eligibility, or providing other products and services to serve the individual applicant or customer, prohibiting even such limited activities as backtesting against previously collected data to improve models over time or developing closely related supplemental offerings (such as additional personal financial management features or services). We are concerned that the current approach would essentially freeze the current generation of models, products, and services that rely in part on customer-permissioned inputs, while allowing financial services providers that can access the same data through other channels or other types of traditional data to continue to improve existing models and services and to develop new ones.
- With appropriate privacy and security safeguards, permitting use of transaction-level and consumer-level data for research to serve the public good and broader improvements in other categories of consumer financial products and services. Such safeguards could include pseudonymization protocols to reduce the risk of re-identification while preserving some limited ability to link information relating to the same consumer across datasets, permanent anonymization/de-identification, contract restrictions on the use and re-identification of data, and other privacy enhancing technologies and mechanisms. As discussed further in the next section, we are concerned that the current approach would make it practically impossible to use customer-authorized data that is held by fintechs or other financial services providers for public research, making it more difficult to evaluate their data, process, and product innovations and reducing the volume of beneficial research overall. We are also concerned about challengers’ ability to develop new models, products, and services in the first instance. Given that the Fair Credit Reporting Act and Gramm-Leach-Bliley Act provide greater flexibility in the use of de-identified data for public research and product development, we urge the Bureau to promote a consistent approach that does not shut off access to certain types of data and/or data held by certain types of financial services providers.
- Allowing third parties to use customer-authorized data to offer additional products or services that may be useful to the consumer. This last category may make sense to consider in combination with a robust disclosure and opt-in consent regime, but we note that it can have important implications for account switching, comparison shopping, the provision of more diverse data for credit reporting purposes, and other activities that can lead to more competitive and responsive markets. Similar to the NPRM, our previous letters have expressed skepticism whether use of § 1033 data for general secondary commercial uses constitutes activity “on behalf of” the consumer. However, we note that there are circumstances where consumers may conclude that there are material benefits to some targeted activities, such as alerts about new financial products and services that meet their particular circumstances. Indeed, such offerings may have more value than general mass marketing of offerings that are actually not suitable to the individual consumer’s circumstances, which would be permissible under the proposed rule.
Absent greater clarity and flexibility to permit these kinds of activities, we are concerned that the rule could further advantage certain incumbent data sources and the financial services providers that can accumulate large amounts of such information under other statutory regimes that are not as restrictive concerning the use and retention of data for product development/improvement and broader public research. This would be particularly unfortunate in the credit underwriting context, where traditional information sources have substantial gaps and limitations that operate to the particular disadvantage of historically underserved populations as discussed above. We recognize and share serious concerns about data misuse but believe that an overly restrictive approach could undermine the broader goals of the rulemaking by making it very difficult to use the customer-permissioned data to derive broader insights and evolve products and services to better meet the needs of consumers, particularly those whose needs are not well served by the current system.
The Bureau could take a variety of approaches to developing more nuanced standards that prevent commercial entities misusing consumer data primarily for their own commercial purposes while accelerating the shift toward more competitive, innovative, and inclusive markets. These include providing greater definition to the “reasonably necessary” limitation, adopting a slightly more flexible formulation, differentiating standards between initial collection and downstream use/retention, and creating exceptions to permit certain secondary uses as discussed further in the next section.36
2. Potential exceptions for consumer consent and/or de-identified data
Related to the points above, we note that despite recommendations by the SBREFA panel to consider “options that would permit uses of data (including de-identified or anonymized data, …) for product maintenance or improvement, if appropriate consumer protections can be put in place” and “whether it would be appropriate to align the treatment of de-identified data with other statutes and regulations,”37 the NPRM takes an even more conservative and divergent stance with regard to potential exceptions to the “reasonably necessary” limitation than the outline presented to the small business review panel. That outline sought comment on a range of approaches to secondary uses—ranging from a total prohibition to barring certain high-risk secondary uses to imposition of opt-in or opt-out permissioning regimes—as well as on potential exceptions for de-identified data. The NPRM has now effectively merged the two concepts, seeking comment on opt-in exceptions, both in general and in combination with a de-identification requirement.
We urge the Bureau to de-couple the two concepts and adopt provisions that would permit the use and retention of de-identified data for purposes that benefit consumers, markets, and the broader public, subject to appropriate privacy and security protections. In particular, we are concerned that requiring separate individual opt-in consent to use for public research and model development purposes would risk information overload for consumers and create substantial challenges with regard to the representativeness of the data and potential cost/operational burdens for researchers depending on the structure of the consent process. This would be a major setback, given the critical need for more inclusive and representative data to better understand the financial activities, health, and needs of historically underserved populations and to develop more inclusive, responsible, and responsive financial products and services.
As noted above, the Bureau has a range of tools and examples of regulatory frameworks to draw upon in crafting appropriate safeguards for the use of de-identified, pseudonymized, and anonymized data. While simply deleting the most obvious personally identifiable information from data may not be sufficient as we have discussed in prior comments, striking a more nuanced balance would substantially advance the Bureau’s goals for the rulemaking and broader institutional objectives. We believe that the 2012 Federal Trade Commission standard noted in a footnote to the NPRM has helpful elements in that it combines both data storage practices and downstream legal/process safeguards,38 although we urge the Bureau to consider additional tools such as pseudonymization that can be used to allow limited linkages of data across different information sets to permit beneficial uses while limiting the risk of privacy and security violations.39
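As an added illustration, which is not part of FinRegLab’s letter or of the NPRM, the following Python shows what the keyed pseudonymization protocol referred to in Section C (linking records about the same consumer across datasets without exposing the identifier) and in the de-identification discussion above looks like in practice. It keys the token with HMAC-SHA256 so that a researcher holding only the tokens cannot recompute them from guessed account numbers, scopes tokens to a project domain so that tokens issued for different projects cannot be joined without the key holder, strips other direct identifiers, and then joins two datasets on the token. The datasets, field names (`account_id`, `net_inflow`, `defaulted`), the project domain string, and the fixed demonstration key are all constructed for this example.

```python
"""Keyed pseudonymization with cross-dataset linkage (added example, not from the letter)."""
import hashlib
import hmac
import secrets

# Constructed, fixed key so the example is reproducible. In practice the key
# comes from new_key() and is held only by the entity that issues tokens,
# never by the researchers or partners who receive the pseudonymized data.
DEMO_KEY = bytes.fromhex("0f" * 32)

# Fields treated as direct identifiers for this example (assumption).
DIRECT_IDENTIFIERS = ("account_id", "name", "email")


def new_key() -> bytes:
    """Generate a fresh 256-bit pseudonymization key."""
    return secrets.token_bytes(32)


def pseudonymize(identifier: str, key: bytes, domain: str) -> str:
    """Return a keyed token for one identifier.

    HMAC rather than a bare hash: account numbers and similar identifiers are
    low-entropy, so an unkeyed hash could be reversed by hashing every
    plausible value. The domain prefix means tokens issued for one project
    cannot be linked to tokens issued for another without the key holder.
    """
    msg = domain.encode("utf-8") + b"\x00" + identifier.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def pseudonymize_records(records, key, domain, id_field="account_id"):
    """Replace the linking identifier with a token and drop other direct identifiers."""
    out = []
    for rec in records:
        kept = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        kept["token"] = pseudonymize(rec[id_field], key, domain)
        out.append(kept)
    return out


def link_on_token(left, right):
    """Inner-join two pseudonymized datasets on the shared token."""
    index = {}
    for rec in right:
        index.setdefault(rec["token"], []).append(rec)
    return [(l, r) for l in left for r in index.get(l["token"], [])]


def contains_direct_identifiers(records) -> bool:
    """Check that no record still carries a direct identifier."""
    return any(f in rec for rec in records for f in DIRECT_IDENTIFIERS)


# Constructed sample data: transaction summaries held by one entity and loan
# outcomes held by another, both keyed on the same consumer account_id.
TRANSACTIONS = [
    {"account_id": "1234567890", "name": "A. Consumer", "month": "2023-09", "net_inflow": 2100},
    {"account_id": "1234567890", "name": "A. Consumer", "month": "2023-10", "net_inflow": 1950},
    {"account_id": "5555555555", "name": "B. Consumer", "month": "2023-10", "net_inflow": 640},
]
LOAN_OUTCOMES = [
    {"account_id": "1234567890", "email": "a@example.com", "defaulted": False},
    {"account_id": "9999999999", "email": "c@example.com", "defaulted": True},
]


def research_extract(key=DEMO_KEY, domain="cashflow-study"):
    """Pseudonymize both datasets under one project domain and join them."""
    tx = pseudonymize_records(TRANSACTIONS, key, domain)
    loans = pseudonymize_records(LOAN_OUTCOMES, key, domain)
    return tx, loans, link_on_token(tx, loans)


if __name__ == "__main__":
    tx, loans, joined = research_extract()
    print(f"{len(joined)} linked rows; identifiers left: {contains_direct_identifiers(tx + loans)}")
```

The join works only because both datasets were tokenized under the same key and domain; a holder of a different project’s extract, or of the tokens without the key, cannot reproduce a token for a known account number and so cannot re-identify a row by guessing. Contractual restrictions on re-identification and storage practices of the kind the FTC standard contemplates remain necessary on top of this, since quasi-identifiers left in the data (here, months and inflow amounts) can still narrow down individuals in small populations.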
We also urge the CFPB to consider the potential use of opt-in consents for other purposes that individual consumers may deem useful to their individual situations. While we have written at length about the potential limitations and challenges of meaningful, informed consent to manage the full range of concerns about the appropriate use and protection of consumer financial data, consumers’ ability to “vote with their feet” in directing how their data is used and what products and services they are offered and provided is also pivotal to developing markets that are more competitive, inclusive, and responsive. There seems to be a substantial tension in portions of the NPRM that emphasize the centrality of consumer control and yet preliminarily conclude that allowing any secondary use risks “undermin[ing] the consumer’s understanding of the authorizations they provided” and “a consumer’s ability to control their data.”40
D. Follow-up activity to harmonize with existing laws and expand supervisory activities
On a related note, we urge the Bureau to expedite consideration of the potential intersection between the § 1033 rules governing third parties (both data aggregators and their customers41) and existing requirements under FCRA and GLBA, and to take the steps necessary to extend its supervisory monitoring of key non-bank actors. These issues have important implications for the application of the collection, use, and retention restrictions discussed above and for how financial services providers practicably manage data that they have acquired through different channels subject to different standards. Efforts to address customer protections and competitive dynamics with regard to customer-permissioned data flows would be substantially facilitated by clarifying how the three major data regimes intersect and by positioning the Bureau to examine critical non-bank actors for compliance with applicable requirements.
The NPRM has already started down this path by declaring that data aggregators are consumer reporting agencies with regard to at least some of their activities:
As described above, entities engaged in data aggregation activities play a role in the open banking system by transmitting consumer-authorized data from data providers to third parties. When the data bears on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living and is used or expected to be used, or collected, for “permissible purposes” as defined by the FCRA, such as when a third party uses the data to underwrite a loan to a consumer, and when the entity, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating such data for the purpose of furnishing reports containing the data to third parties (and uses any means or facility of interstate commerce to prepare or furnish such reports), the data aggregator is regulated as a consumer reporting agency under the FCRA.42
However, the NPRM does not elaborate on the implications of this statement for aggregators, their customers, or their data sources. We recognize that the Bureau has begun a separate proceeding to update FCRA regulations that could serve as a vehicle for clarification, but the breadth and complexity of other topics contemplated for that rulemaking may complicate its timing.43
We emphasize the importance of defining which transmissions of customer-authorized data constitute “permissible purposes” under FCRA and are therefore subject to its rules regarding the collection, use, and retention of such data. While underwriting loans is clearly a permissible purpose under FCRA,44 that statute also lists providing consumer report data “[i]n accordance with the written instructions of the consumer to whom it relates,” and to persons that have “a legitimate business need for the information … in connection with a business transaction that is initiated by the consumer.”45 The law also prohibits parties from obtaining or using consumer reports for purposes that are not permitted under the same section.46 These provisions have obvious potential overlap with regard to the activities discussed in Section C and thus could potentially affect how aggregators and their customers collect, use, and retain customer-permissioned data. Determining how the various regimes intersect and potentially apply at the same time to the same data depending on how it is acquired will have a critical effect on the nature of consumer financial services markets going forward, particularly in the context of hybrid activities that may involve reliance on both consumer-authorized information and data obtained through other channels.
The potential application of FCRA requirements to data aggregators also raises a broad range of other compliance questions with regard to the aggregators’ accuracy and dispute resolution obligations, particularly given differences in aggregators’ relationships with data providers as compared to companies that voluntarily furnish data to traditional consumer reporting agencies.
We therefore urge the Bureau to expedite processes to provide guidance and harmonization among the new and existing regimes in order to provide a more consistent playing field between large incumbent financial institutions and other providers of consumer financial products and services, and in particular to address the pivotal role that data aggregators are playing in customer-permissioned transfers.47 We also note that clarifying how and when the Bureau intends to extend its supervisory activity to encompass additional aspects of the evolving data ecosystem would give industry stakeholders more confidence with regard to compliance burdens and potential liability. While supervision of data aggregators is an obvious place to start—and could potentially be addressed through clarifying their status as consumer reporting agencies—supervision of emerging non-bank financial services providers that also rely on § 1033 data transfers will be critical to enhance monitoring and enforcement as protections are strengthened.
E. Consultation processes, implementation timelines, and intermediate measures
Finally, we urge the Bureau to give careful thought to the need for coordination among different entities, timelines, and intermediate measures in light of the complexity of this undertaking and the need for follow-up activities both by the Bureau and other critical actors. Providing for an orderly implementation process and encouraging positive interim steps can help to reduce tensions among stakeholders and ensure better long-term outcomes for all participants.
For example, we urge the Bureau to consult expeditiously with prudential regulators to clarify the NPRM’s language giving data providers latitude to “reasonably deny[] a consumer or third party access to an interface … based on risk management concerns” and any subsequent related guidance by federal banking regulators.48 While we agree that a specific, reasonable data security concern is an appropriate reason to deny access, we do not believe that it makes sense for banks to treat data aggregators as third party service providers under the Bank Service Company Act when the aggregators are effectuating a customer-permissioned transfer on behalf of a competing financial service provider rather than acting as a vendor to the bank.49 We therefore urge the Bureau and prudential regulators to work together as quickly as possible to articulate the appropriate grounds for denials of service on risk management grounds.
In addition, while we applaud the Bureau’s decision to provide an avenue for a qualified standard setting organization (SSO) to develop standardized data formats and other potential industry standards to be treated as “indicia of compliance” with regard to other practices,50 we note that potential candidate organizations would need some time to adjust their structures and processes to meet the regulatory requirements, obtain Bureau approval, and then adjust or articulate standards on relevant matters consistent with the final rule. However, the NPRM’s tiered implementation schedule would require the very largest banks to come into compliance with the final rule within six months of publication, followed by the next tier at 12 months and the final two tiers at 2.5 and 4 years, respectively.51 We are concerned that the timelines at least for the first few tiers could jeopardize some of the very benefits that the NPRM is attempting to achieve through the creation of an SSO system, and urge the Bureau to factor in the need for coordination with both the prudential regulators and the SSO into its implementation timelines.
We were also struck by the NPRM’s dismissal of any steps short of full developer portal access as an alternative to credential-based screen scraping. While we agree that dedicated portal access is preferable, in light of the challenges facing small entities, the fact that implementation timelines are proposed to last at least four years for the smallest depositories, and the fact that data concerning important consumer financial products and services may not be covered until subsequent rulemakings as discussed in Section B above, we believe that alternatives such as tokenized screen scraping may have benefits that are worth consideration in at least some contexts. More broadly, we urge the Bureau to consider whether there are other informal or formal steps it can take to ensure that the current level of data access is preserved and even improved during interim periods.
We share the desire to make rapid progress on modernizing the federal regulatory frameworks governing consumer financial data, particularly as we approach the fourteenth anniversary of § 1033’s enactment. However, the complexity of the system and the need to balance consumer protections, competitive dynamics, inclusion and innovation considerations, and broader public interests is tremendously challenging. We urge the Bureau to coordinate across markets, agencies, and stakeholders to encourage greater consistency, efficiency, and customer-friendly innovation with regard to the full spectrum of financial products and services.
Thank you again for the opportunity to comment on these issues.
Endnotes
[1] 88 Fed. Reg. 74,796 (Oct. 31, 2023).
[2] 12 U.S.C. § 5533.
[3] 88 Fed. Reg. at 74,796.
[4] 12 U.S.C. § 5511(a), (b)(5).
[5] See FinRegLab, The Use of Cash-Flow Data in Credit Underwriting: Empirical Research Findings (2019) (summarizing our independent analysis of data from six non-bank financial services providers—Accion, Brigit, Kabbage, LendUp, Oportun, and Petal—conducted in conjunction with Charles River Associates); FinRegLab, The Use of Cash-Flow Data in Credit Underwriting: Small Business Spotlight (2019); FinRegLab, The Use of Cash-Flow Data in Credit Underwriting: Market Context & Policy Analysis (2020). These sources are available at https://finreglab.org/cash-flow-data-in-underwriting-credit/.
[6] Financial Health Network, Flourish, FinRegLab & Mitchell Sandler, Consumer Financial Data: Legal & Regulatory Landscape (2020), available at https://finreglab.org/cash-flow-data-in-underwriting-credit/.
[7] Kelly Thompson Cochran & Michael Stegman, Utility, Telecommunications, and Rental Data in Underwriting Credit, The Urban Institute & FinRegLab (2021), available at https://finreglab.org/wp-content/uploads/2022/03/utility-telecommunications-and-rental-data-in-underwriting-credit_0.pdf.
[8] FinRegLab, Debt Resolution Options: Market and Policy Context (2022), available at https://finreglab.org/wp-content/uploads/2022/10/DB-MarketContext_FINAL-1.pdf.
[9] FinRegLab, FinRegLab to Evaluate Data to Increase Credit Access for Minority Business Enterprises and to Scale Lending by Mission-Based Lenders (Sept. 7, 2023), available at https://finreglab.org/wp-content/uploads/2023/09/FinRegLab-MBDA-Small-Business-Launch-PR_FINAL4_09072023_Web.pdf.
[10] FinRegLab, Letter Re: Advanced Notice of Proposed Rulemaking on Consumer Access to Financial Records, Docket No. CFPB-2020-0034 (Feb. 4, 2021), available at https://finreglab.org/wp-content/uploads/2021/04/FinRegLab-Section-1033-Comment-Letter-2021-1.pdf; FinRegLab, Letter Re: Outline of Proposals and Alternatives Under Consideration for Required Rulemaking on Personal Financial Data Rights (Jan. 25, 2023), available at https://finreglab.org/wp-content/uploads/2023/02/FinRegLab-Comment-Letter-1-25-23-Final.pdf.
[11] FinRegLab, Letter Re: Proposed Interagency Guidance on Third-Party Relationships: Risk Management, Docket No. FRB OP-1752, FDIC RIN 3064-ZA26, OCC-2021-0011 (Oct. 18, 2021), available at https://finreglab.org/wp-content/uploads/2021/11/FinRegLab-Comment-on-Interagency-Third-Party-Guidance-1.pdf.
[12] Testimony before the House Financial Services FinTech Task Force Hearing on “Preserving the Right of Consumers to Access Personal Financial Data” (Sept. 21, 2021), available at https://docs.house.gov/meetings/BA/BA00/20210921/114061/HHRG-117-BA00-Wstate-CochranK-20210921.pdf.
[13] FinRegLab, The Use of Cash-Flow Data in Credit Underwriting: Market Context & Policy Analysis § 2.2.
[14] See, e.g., Federal Deposit Insurance Corporation, 2021 FDIC National Survey of Unbanked and Underbanked Households (2022).
[15] FinRegLab, The Use of Cash-Flow Data in Credit Underwriting: Empirical Research Findings § 5. For instance, it provides information about inflows, outflows, and reserves, including payment history on a broader range of recurring expenses than is typically reflected in credit reports. The data can also be pulled in real time, while credit report data is somewhat lagged.
[16] FinRegLab, Research Brief, Data Diversification in Credit Underwriting (2020); Cochran & Stegman, Utility, Telecommunications, & Rental Data in Underwriting Credit, §§ 4-5.
[17] FinRegLab, The Use of Cash-Flow Data in Credit Underwriting: Small Business Spotlight §§ 4-5; FinRegLab, The Use of Cash-Flow Data in Credit Underwriting: Market Context & Policy Analysis, §§ 4-5.
[18] We have focused our research and comments primarily on credit underwriting as particularly important to broader economic participation because it can facilitate long-term investments in home ownership, reliable transportation, and small business formation.
[19] Consumer Financial Protection Bureau, Public Benefits Delivery & Consumer Protection (March 2023).
[20] Jason DeParle, How Tech Is Helping Poor People Get Government Aid, N.Y. Times (Dec. 8, 2021); Julieta Cuéllar, The Tech-Enabled Social Safety Net: A Case Study of the EBT System, Community Development Innovation Review (Aug. 19, 2021).
[21] Public Law 104–193, 110 Stat. 2105 (1996) (codified at 15 U.S.C. § 1693b(d)(2)); see also 62 Fed. Reg. 43,467 (Aug. 14, 1997).
[22] Rabihah Butler, Government Benefits Fraud Continues to Increase Concern for the Most Vulnerable, Thomson Reuters Institute (Sept. 19, 2023); Tim English, Replacement of SNAP Benefits in the Consolidated Appropriations Act of 2023, Supplemental Nutrition Assistance Program (Jan. 31, 2023); Brian Krebs, Blog, How Card Skimming Disproportionally Affects Those Most in Need, KrebsonSecurity.com (Oct. 18, 2022). The CFPB’s authority over consumer financial products and services is broader than the scope of EFTA. For example, the Dodd-Frank Act defines relevant products and services as including a broad range of activities relating to transmitting funds, providing payment instruments, providing payments services, and financial data processing. See, e.g., 12 U.S.C. § 5481(15)(A)(iv), (v), (vii).
[23] The CFPB is also proposing to exempt depositories that do not maintain consumer interfaces. Proposed § 1033.111(d).
[24] Payroll data can also be useful for general personal financial management tools given its detailed breakdown of wages, benefits, and taxes, and some aggregators are focusing on helping consumers set up and switch direct deposit accounts. See, e.g., Benjamin Pimentel, Payroll Data Is Fintech’s $10 Billion ‘Holy Grail,’ Protocol (Aug. 31, 2021).
[25] On its face, § 1033 applies to requests by consumers to access data about consumer financial products or services that they have obtained from covered persons, but the Dodd-Frank Act defines “consumer” to include “an individual or an agent, trustee, or representative acting on behalf of an individual.” 12 U.S.C. §§ 5481(4), 5533.
[26] Proposed § 1033.421(a)(1).
[27] Proposed § 1033.421(b).
[28] Proposed § 1033.421(b)(4), (h).
[29] Proposed § 1033.421(c).
[30] Proposed § 1033.421(a)(2); 88 Fed. Reg. at 74,832-74,834 & n.130.
[31] 88 Fed. Reg. at 74,832-74,833.
[32] 88 Fed. Reg. at 74,836-74,837.
[33] 88 Fed. Reg. at 74,832-74,833.
[34] 88 Fed. Reg. at 74,833.
[35] Other examples of activities that practically facilitate the financial service provider’s general ability to deliver the product or service that the consumer is seeking include audit and compliance functions, securitization activities, and due diligence during mergers. The Gramm-Leach-Bliley Act permits data sharing with third parties in such situations.
[36] We note that there is already some tension within the existing standard, since uses that are required by other sources of law such as complying with a subpoena are not intuitively “reasonably necessary” to provide the requested product or service. As we discussed in our January 2023 comment, existing laws such as the Gramm- Leach-Bliley Act separately recognize activities that are supplemental to provision of a primary consumer financial product or service and those that support secondary public purposes such as law enforcement and research. In light of these considerations, a standard such as “reasonably related to” the primary product or service might be helpful to better describe the range of permissible activities. However, we continue to believe that tying the scope to consumers’ expectations as the Bureau had originally explored in its Advance Notice of Proposed Rulemaking can present practical challenges with regard to disclosures and consumers’ awareness of supplemental activities that support the providers’ practical ability to provide the requested product or service. FinRegLab, Letter Re: Advanced Notice of Proposed Rulemaking on Consumer Access to Financial Records, Docket No. CFPB-2020-0034 (Feb. 4, 2021), at 16.
[37] Consumer Financial Protection Bureau, Final Report of the Small Business Review Panel on the CFPB’s Proposals and Alternatives Under Consideration for the Required Rulemaking on Personal Financial Data Rights 45 (March 30, 2023).
[38] See, e.g., Federal Trade Commission, Protecting Consumer Privacy in an Era of Rapid Change (2012).
[39] See, e.g., Rachel Shipsey & Josie Plachta, Guidance, Linking with Anonymised Data – How Not to Make a Hash of It, U.K. Office for National Statistics (updated July 16, 2021); Raphaël Chevrie et al., Use and Understanding of Anonymization and De-Identification in the Biomedical Literature: Scoping Review, 21 J. of Medical Internet Research (May 2019); William Lowrance, Essay, Learning from Experience: Privacy and the Secondary Use of Data in Health Research, 8 J. of Health Services Research & Policy Supp. 1 (2003).
[40] 88 Fed. Reg. at 74,832-74,833.
[41] We applaud the Bureau for defining data aggregators more specifically in the NPRM than the SBREFA outline and distinguishing them in some respects from other third parties that access data on behalf of consumers under § 1033, although we believe that greater clarity could be helpful. For example, while the proposed definition of “third party” and the discussion of third parties in the preamble clearly contemplate that data aggregators qualify as third parties, the proposed definition of “aggregator” seems to imply that such entities are not “authorized third parties” under the rule. Proposed § 1033.131 (“Data aggregator means an entity that is retained by and provides services to the authorized third party to enable access to covered data.” (second emphasis added)). If this is correct, it would be helpful to acknowledge it and discuss the implications more directly in the final rule preamble.
[42] 88 Fed. Reg. at 74,801.
[43] Consumer Financial Protection Bureau, Small Business Advisory Review Panel for Consumer Reporting Rulemaking: Outline of Proposals and Alternatives Under Consideration (Sept. 15, 2023).
[44] 15 U.S.C. § 1681b(3)(B) (discussing use of the information “in connection with a credit transaction involving the consumer on whom the information is to be furnished and involving the extension of credit to, or review or collection of an account of, the consumer”).
[45] 15 U.S.C. § 1681b(a)(2), (a)(3)(F). While general marketing is not specified as a permissible purpose, the law does permit the provision of limited information to lenders and insurers to make certain “firm offers” regarding their products. 15 U.S.C. § 1681b(c).
[46] 15 U.S.C. § 1681b(f).
[47] The NPRM repeatedly attributes the existence of aggregators to the lack of consistent standards for data transmissions, and in certain ways treats aggregators rather indirectly as agents of the ultimate recipients. See, e.g., 88 Fed. Reg. at 74,798, 74,799, 74,841. Given the scale of the U.S. consumer financial system (including thousands of depository institutions and other data sources and thousands of data recipients) and the experiences of other jurisdictions with substantially more centralization, we suspect that aggregators will continue to play a critical connectivity role for the foreseeable future. Our conversations with a wide variety of stakeholders suggest that regulatory clarity regarding the status of data aggregators and direct CFPB supervision would help to increase confidence in the ecosystem going forward.
[48] Proposed § 1033.321(a).
[49] See, e.g., FinRegLab, Letter Re: Proposed Interagency Guidance on Third-Party Relationships: Risk Management, Docket No. FRB OP-1752, FDIC RIN 3064-ZA26, OCC-2021-0011 (Oct. 18, 2021).
[50] See, e.g., Proposed §§ 1033.141, 1033.311(b).
[51] Proposed § 1033.121.
About FinRegLab
FinRegLab is an independent, nonprofit organization that conducts research and experiments with new technologies and data to drive the financial sector toward a responsible and inclusive marketplace. The organization also facilitates discourse across the financial ecosystem to inform public policy and market practices. To receive periodic updates on the latest research, subscribe to FRL’s newsletter and visit www.finreglab.org. Follow FinRegLab on LinkedIn and Twitter (X).
FinRegLab.org | 1701 K Street Northwest, Suite 1150, Washington, DC 20006