CBA Urges Greater Consumer Protections In Section 1033 Comment Letter

January 2, 2024

WASHINGTON, D.C. – The Consumer Bankers Association (CBA) last week submitted a comprehensive comment letter responding to a proposed rule seeking to implement Section 1033 of the Dodd-Frank Act that was released by the Consumer Financial Protection Bureau (CFPB) in October 2023. In the letter, CBA urged the Bureau to consider several revisions to better protect consumers and their personal financial data rights.

CBA supports the underlying principles of open banking and how it may enhance consumer experiences and has long called for greater consumer protections in the non-bank sector. Key issues – such as details about who among market participants are covered, what consumer data is transferred, and how data is transferred and protected – are critical matters that require thoughtful consideration by the Bureau in light of industry feedback on the proposal.

Under the CFPB’s current proposal, CBA is concerned by the general trend toward shifting many costs and responsibilities, including the monitoring of certain market participant behavior, onto data providers, including banks. As CBA outlines in the letter:

“The Bureau should undertake the responsibilities or distribute these costs and responsibilities more equitably across stakeholders in the open banking ecosystem the Bureau is creating. This approach is surprising given how other open banking jurisdictions have addressed these issues, such as the allocation of liability...CBA advises the Bureau to reexamine several of the technical details of the rulemaking – such as the scope of coverage, elements of the data to be shared, and expectations for third parties – to better achieve the Bureau’s stated goal of enhancing consumer access to their data.”

In the letter, CBA outlines these concerns and recommends the Bureau take the following actions:

  • Broaden Scope of Covered Data Providers: Adopt a broad scope of coverage for not just asset accounts, but also for credit products, like captive auto loan accounts, and non-bank credit alternatives, like Buy Now Pay Later Products and Electronic Benefit Transfer Cards.
  • Prohibit Screen Scraping: Expressly prohibit the use of screen scraping by third parties and data aggregators of any data made available through a developer interface, not just covered data. Shift the obligation away from banks and to the Bureau itself to supervise, assess, and pursue enforcement actions against third parties and data aggregators that improperly engage in screen scraping, or other violations of Federal consumer financial laws.
  • Revise Allocation of Liability: Require third parties and, if applicable, data aggregators, as part of the certification statement, certify they will accept liability in instances in which a consumer’s credentials are misused to initiate a fraudulent transaction by such party or are impermissibly acquired by another actor through a data breach the party experienced. Mandate third parties and data aggregators be adequately capitalized and carry sufficient indemnity insurance to satisfy liability obligations, and also obligate third parties to certify as part of the certification statement that they are adequately capitalized, have accepted their liability obligations, and are carrying sufficient indemnity insurance.
  • Increase Compliance Timeframes: Adopt a two-track compliance timeframe based on whether the Bureau has recognized a standard-setting body as an issuer of qualified industry standards. If the Bureau has recognized at least one standard-setting body, then the largest data providers should have a minimum of 12 months, but preferably 18 months, to come into compliance. If the Bureau has not recognized at least one standard-setting body, then the largest data providers should have a minimum of 24 months to come into compliance.

To read the comment letter in full, click HERE.

Background

In October 2023, the Bureau released its notice of proposed rulemaking, which follows the October 2022 Small Business Regulatory Enforcement Fairness Act (SBREFA) outline and SBREFA panel with small entity representatives to gauge potential effects on small entities from a proposed 1033 rule.

While the statutory language of Section 1033 is narrowly focused on ensuring consumers are able to access their own personal information held by their financial services provider, the Bureau in this rulemaking has broadly focused on a consumer’s ability to switch financial providers and third parties’ ability to access a consumer’s bank information.

CBA Advocacy

  • To read CBA’s statement in response to the notice of proposed rulemaking on Section 1033 from October 2023, click HERE.
  • To read CBA’s recommendations to the CFPB to strengthen its open banking rulemaking from January 2023, click HERE.
  • In a blog released earlier this year, CBA outlined how the Bureau’s anti-competitive approach to implement Section 1033 could put the safety of consumers and the security of the sensitive financial data at risk. To learn more, click HERE.
  • To read CBA’s comment letter responding to the Section 1033 SBREFA Outline, click HERE
  • Responding to the CFPB’s request for comment in February 2021, CBA advocated for the Bureau to approach Section 1033 cautiously by developing clear, transparent standards for both consumers and banks. To read the full letter, click HERE.
  • CBA and several other financial trade groups also submitted a petition to the CFPB in August 2022 urging the Bureau to examine all large data aggregators and users for compliance through the requirements outlined in the Section 1033 rulemaking. To read the full petition, click HERE.