press release

White House Highlights Section 1033 Rulemaking Set To Be Issued In October

BILLY RIELLY
img

The White House this week marked the second anniversary of President Biden’s Executive Order on Promoting Competition in the American Economy by highlighting some of the initiatives taken by the Administration to lower costs for consumers. These items included the forthcoming rulemaking by the Consumer Financial Protection Bureau (CFPB) to implement Section 1033 of the Dodd-Frank Act, raising the prominence of a proposal set to radically transform the consumer finance ecosystem when issued this fall. 

What’s Happening

Section 1033 of the Dodd Frank Act mandates that consumers have the ability to access personal information held by their financial services provider. Last year, more than a decade after that legislation was first enacted, the CFPB took a major step in the formal rulemaking process to implement Section 1033 by releasing a Small Business Regulatory Enforcement Fairness Act (SBREFA) outline – providing key insights into what a proposed rule may look like, including proposals for how both consumers and third parties, which are predominantly non-banks and data aggregators, can access a consumer’s personal financial information. CFPB Director Chopra has indicated the agency will release a Notice of Proposed Rulemaking in October. 

Why It Matters 

While the original language of Section 1033 in the Dodd-Frank Act is narrowly focused on ensuring consumers are able to access their own personal information held by their financial services provider, the Bureau and the Administration have re-imagined its intent and purpose to broadly focus on a consumer’s ability to switch financial providers. 

  • The plain statutory language of Section 1033 is fundamentally centered on a consumer’s right to control their own information, and not the ability “for individuals to fire, or walk away from, their financial provider for whatever reasons,” as suggested by Director Chopra.

What We’re Saying 

In order to effectuate the statutory purpose of Section 1033, the rule must apply to all financial services providers. In the Bureau’s SBREFA outline, the agency indicated the obligations for “data providers” under a Section 1033 rule would apply only to entities that are either “financial institutions” as defined by Regulation E and “card issuers” as defined by Regulation Z.  

  • Under the Bureau’s definition, many entities operating in the massive markets of consumer financial products, which are provided by an increasingly large number of nonbank providers — such as auto loans, mortgages, and alternative loans like Buy-Now-Pay-Later, among others — would not be subject to the obligations for “data providers” under the rule. Limiting the entities from which consumers can access their information is contrary to the clearly defined intent of Section 1033: empowering consumers with access to all their data.

Based on the comment letters the CFPB received in response to the SBREFA outline, it is clear there is broad support amongst industry and consumer advocates that a rule implementing Section 1033 must reflect the broad applicability of the statutory text and apply equally to all banks and nonbanks that hold consumer accounts. 

In a comment letter responding the Section 1033 SBREFA outline, CBA highlighted other key considerations that must be included in any proposed or final rule:

  • Create a level playing field by mandating Bureau supervision of data aggregators through the Section 1033 rule or a larger participant rule. 
  • Ensure that all participants in the data access ecosystem holding or processing consumer financial data are held to the same, or materially comparable, standards as those provided under the Gramm-Leach-Bliley Act.  Many nonbank third parties and data aggregators are not subject to the same data security and privacy standards as banks, including normal course of business examinations by a Federal agency, which leaves consumer data exposed to potential bad actors when it leaves a regulated and supervised financial institution.
  • Require nonbank third parties and data aggregators provide consumers with disclosures that explicitly communicate to consumers about any secondary or downstream uses of their data and how consumers can revoke consent to use their data. Consumers should have full awareness and control over how their data is shared and used. Currently, when consumers share their data with nonbank third parties for a specific purpose, they do not know if or how their data is used beyond that intended purpose. 
  • Establish a clear liability standard for all parties in the data access ecosystem.  Liability for consumer recourse should be imposed on the party that was in control of the consumer’s data at the time of the breach or action.

Dive Deeper

CBA also warned that “moving away from [standards developed by industry-standard setting bodies] and instead granting the [CFPB] the primary role in defining standards will hamper innovation and likely result in standards that are impractical to implement or lock the industry into legacy technology and standards that fail to address needs in the evolving market.” 

  • Fortunately, the CFPB has acknowledged that the details for implementing a Section 1033 rulemaking must “be handled through standard-setting outside of [the CFPB]” and that these standards can allow the ecosystem “to evolve as new technologies emerge, new products develop, and new data security challenges arise.”  Industry-standard setting bodies, such as FDX and Akoya, should continue to play a central role in developing common technical standards that are able to respond to the quickly evolving technological landscape. 

In the letter, CBA also urged the Bureau to expand its supervisory authority by adding the data aggregation market to the larger participant rule, a course of action which the U.S. Department of Treasury has previously recommended to the Bureau. Absent a larger participant rule, in the context of the three-way relationship between a data provider, data aggregator, and data user, only data providers like banks would be subject to supervision and examination by the Bureau, depriving consumers of the complete data security and protections they deserve. 

CBA Advocacy 

  • To read CBA’s comment letter responding to the Section 1033 SBREFA Outline, click HERE
  • To read CBA’s joint letter with other financial services trades urging the CFPB to adopt a principles-based approach in its Section 1033 rulemaking, click HERE.
  • CBA and several other financial trade groups also submitted a petition to the CFPB in August 2022 urging the Bureau to examine all large data aggregators and users for compliance through the requirements outlined in the Section 1033 rulemaking. To read the full petition, click HERE.

 

 

Related Resources

img
ICYMI: CBA Convenes Thought Leaders for Formative Discussions at Its Washington Forum
Read all
img
CBA Statement on CFPB’s Larger Participant Rule
Read all
img
CBA Statement On CFPB’s Section 1033 Notice of Proposed Rulemaking
Read all
See More

Stay
Connected

    Sign up to receive our press releases and blogs.