Last October, the
Given the obvious consumer benefits and protections included under the rule, it is no surprise that the CFPB’s proposal has been met with support from consumer advocates, fintechs, financial institutions and both parties on Capitol Hill. The implications of this rule are profound: Enabling a financial services ecosystem based on consumer centricity has the potential to facilitate a more competitive and vibrant marketplace. However, to fully realize the transformative potential of the CFPB’s rule, the CFPB should expand the range of covered account types under the rule, more thoughtfully consider how de-identified data may be utilized to benefit consumers and coordinate closely with the prudential regulators to ensure that third-party risk management guidance doesn’t inadvertently undermine consumers’ ability to exert their personal financial data rights.
A variety of third-party tools exist today to help improve consumers’ financial well-being. Regardless of the use case, all of these platforms require, as a condition of their functionality, connectivity to data held in accounts at financial institutions or other data providers. While a good deal of these applications need access only to data held in a checking, savings or credit card account, many of these third-party tools require access to data held at accounts not currently covered under the proposed rule. These tools allow households that depend on public benefits to better manage their monthly finances, enable access to retirement savings or investments and help consumers shop for auto or mortgage loans, for example. The absence of these accounts from the framework that the CFPB will soon create under its Section 1033 rulemaking risks creating a two-tiered financial system under which holders of some accounts are provided with certain rights and protections while other accounts aren’t afforded the same treatment. The CFPB heard from a wide range of stakeholders during its public comment period, including banks, advocates, fintechs and others, each of whom advocated for a more expansive set of covered accounts. The bureau should heed that call.
The CFPB should also revise its proposed limitations on secondary data usage, focusing on the crucial distinction between consumer-identifiable data and de-identified data. The restrictions proposed under the rule would inadvertently stifle existing use cases with significant consumer and economic benefits including product enhancements, credit model improvements and vital economic and policy research. Allowing de-identified data to continue to be used for these important use cases would not only align with the treatment of de-identified data in other contexts, such as HIPAA, current FTC data privacy guidance and state data privacy laws, it would also continue to support the myriad benefits that the usage of this data has facilitated for years. In doing so, the CFPB would not only adhere to its core objectives but also support a framework where consumer rights and innovative progress go hand in hand, ensuring that the benefits of technological advancements are realized fully by consumers, without compromising their privacy or security.
Additionally, the CFPB should, in concert with the prudential bank regulators, clearly provide that bilateral data access agreements between financial institutions and third-party tools will not be necessary to enable consumer-permissioned data access for covered data once the Section 1033 rule is finalized. As proposed, the rule would empower financial institutions to restrict consumer-permissioned data access requests on third-party risk management grounds. In practice, some financial institutions have articulated their interpretation of regulatory guidance to mean an ongoing requirement that the thousands of financial institutions across the country must each have bespoke data access agreements executed with every third party a consumer chooses to utilize. Such an approach, of course, is neither scalable nor practical, and would undermine the market competition and consumer centricity intentions of the CFPB’s rule. Clear guidance from the regulators that unambiguously provides that bilateral data access agreements are not necessary to facilitate consumer-permissioned, third-party data access requests for covered data under a final Section 1033 rule is necessary.
The proposed rule on personal financial data rights is not merely a regulatory update; it is a visionary step toward creating a financial ecosystem that is inclusive, innovative and competitive. By addressing these key areas, the CFPB can help build a future where financial services are deeply aligned with consumer needs in a vibrant and competitive marketplace, ensuring that the rights to personal financial data are not only recognized but also actively protected.