CBA Outlines Recommendations To Strengthen CFPB’s Open Banking Rulemaking

In a new letter sent today to the Consumer Financial Protection Bureau (CFPB), the Consumer Bankers Association (CBA) outlined specific recommendations to deliver a well-founded, durable Section 1033 rule that promotes competition and bolsters the safety and security of consumers’ personal financial data. The letter was sent after the Bureau released an outline of proposals to implement Section 1033 of the Dodd-Frank Act in October.

The plain statutory language of Section 1033 is fundamentally centered on a consumer’s right to control their own information, regardless of which financial services provider or entity holds that data. In the letter, CBA notes that by limiting the scope of the rule to only include certain segments of the market – in this case, depository institutions and credit card companies – the Bureau is failing to comply with the basic premise of this important law, depriving consumers of the ability to control all their data and putting the safety and security of that data at risk:

“The language of Section 1033 is not narrowly focused on just the ability ‘for individuals to fire, or walk away from, their financial provider for whatever reasons’ in connection with only deposit accounts or credit card accounts. It is vital that a rule implementing Section 1033 reflects the broad applicability of the statutory text to apply equally to banks and nonbanks that hold consumer accounts.”

What We’re Saying

Banks fully support the intent of Section 1033 and remain committed to ensuring every consumer – regardless of where they go to meet their needs – has access to their personal financial data and knowledge of how it may be used. To further this shared objective, CBA urged the Bureau in the letter to consider the following principles as they develop a final Section 1033 rule:

• Level Playing Field: The Bureau lacks supervisory and enforcement authority over non-bank providers, even though they compose a significant, continuously growing segment of the market for consumer financial products and services. It is therefore vital for data aggregators to be supervised and examined by the Bureau to ensure consumers’ data is appropriately protected.
• Data Security: To facilitate both innovation and interoperability, all participants in the data access ecosystem who hold or process consumer financial data must be held to the same, or a materially comparable, standard contained in the Gramm-Leach-Bliley Act.
• Privacy: To promote control of their data security and privacy, non-bank third parties and data aggregators must provide consumers disclosures that explicitly communicate any secondary or downstream use of their data as well as instruction on how they can revoke consent.
• Clear Liability: All parties in the data access ecosystem must have clear liability that should be imposed on the party who was in control of the consumer’s data at the time of the breach or action.

To read the full comment letter, click HERE.

CBA Advocacy

• In a blog released last week, CBA outlined how the Bureau’s anti-competitive approach to implement Section 1033 could put the safety of consumers and the security of the sensitive financial data at risk. To learn more, click HERE.
• Responding to the CFPB’s request for comment in February 2021, CBA advocated for the Bureau to approach Section 1033 cautiously by developing clear, transparent standards for both consumers and banks. To read the full letter, click HERE.
• CBA and several other financial trade groups also submitted a petition to the CFPB in August 2022 urging the Bureau to examine all large data aggregators and users for compliance through the requirements outlined in the Section 1033 rulemaking. To read the full petition, click HERE.