CFPB unveils proposed data-sharing rules

The Consumer Financial Protection Bureau today outlined proposals under consideration that would require businesses to make a consumer’s financial information available to them or a third party at the consumer’s direction. The rules would implement Section 1033 of the Dodd-Frank Act, which also directs the agency to promote the development of standardized formats for information made available to consumers.

The CFPB is considering proposals that would allow consumers who want to switch providers to transfer their account history to a new company, so they do not have to start over if they are unsatisfied with the service provided by an incumbent firm, according to the agency. The bureau is also considering proposals that would include options around privacy for personal financial data authorized for third-party use, including limitations that would prevent third parties from reselling authorized data for other uses. Comments on the proposals must be submitted by Jan. 25, 2023.

CFPB is required by law to convene a small business review panel to consult with representatives of small entities likely to be affected by the regulations the agency is considering. The panel will prepare a report on the input received from the small entities, which the CFPB will consider as it develops a proposed rule.

The American Bankers Association and seven national trade associations petitioned CFPB in August to initiate a rulemaking to ensure that businesses that collect large amounts of consumer financial data are subject to the same oversight as financial institutions. ABA also has raised concerns in comment letters to the agency about the potential for data security and privacy problems.

“Today, banks, data aggregators and other technology companies are collaborating to build tools that move away from less secure methods of data sharing like screen scraping to more secure API-based standards that protect and empower consumers,” said ABA’s Brooke Ybarra. “As we stated in our recent petition to the CFPB, we firmly believe that other entities that are granted access to consumers’ data must be held to the same high standards and supervision related to data security, privacy and consumer protection that banks must meet today.”