Consumer Financial Protection Bureau Kicks Off Extensive Privacy Rulemaking Process
The CFPB took the first step last week to put into place a comprehensive privacy rule that would significantly impact how consumers can manage their financial data.
Just envision a world where you can take all of your transactional data, payment history and the like and transfer that information from one bank to another, so that you have a continuous stream of information available to you, but also available to your new bank. In this kind of world, banks would compete much more with each other to offer better customer service, and consumers can benefit from not having to “start all over again” each time they change financial institutions. The CFPB also believes this freedom to move data is something that will lead to even more innovation in the fintech space. Noting that as many as 100 million consumers have authorized fintech companies to access their accounts at financial institutions to drive a wide variety of services, such as improved savings, money management, new forms of payment and even lending programs, the CFPB seeks to ensure that this kind of sharing of data is protected, authorized and available to everyone. Entities that would need to comply with the rule would include any entity that met the applicable definitions for the following categories − data providers, data recipients or data aggregators.
An important aspect of this kind of comprehensive privacy rule is that it would apply broadly and would impact businesses of all sizes. In other words, whether the bank has millions of customers or thousands, this rule would apply to them. Accordingly, the CFPB is consulting with small businesses through a process that is compliant with the Small Business Regulatory Enforcement Fairness Act of 1996 (“SBREFA”). “The Dodd-Frank Act requires the CFPB to comply with SBREFA, which imposes additional procedural requirements for rulemakings, including [a] consultative process, when a rule is expected to have a significant economic impact on a substantial number of small entities.” In particular, small businesses of concern for the SBREFA process extend to a host of nondepository financial institutions and entities outside of the financial industry, such as entities that use consumer information to underwrite loans, to offer budget or personal financial management services, or facilitate payments, and would be impacted by the privacy rule. In addition, the CFPB identified all of the following types of entities as potentially being impacted as well: “those involved in NonDepository Credit Intermediation, Activities Related to Credit Intermediation, and Securities and Commodity Contracts Intermediation and Brokerage[, as well as . . . ] Software Publishers; Data Processing, Hosting, and Related Services; Payroll Services; Custom Computer Programming Services; and Credit Bureaus.”
One of the documents put forth by the CFPB explains the SBREFA process and includes an outline of what the comprehensive privacy rule would look like, so that the panels of small businesses being convened can provide initial input on the rule’s structure, even before the CFPB drafts a proposed rule. The outline includes 149 questions for the SBREFA panels to address and upon which to provide perspectives.
The proposed initial scope of the privacy rule would apply only to asset accounts (as defined in Regulation E and including consumer deposit accounts and prepaid cards) and credit card accounts (as defined in Regulation Z), and covered data providers would only be financial institutions that provide those accounts directly or indirectly. The initial limited scope is intended to give the greatest benefit to consumers as possible, as quickly as possible. The CFPB intends to expand the privacy rule scope in subsequent rulemaking processes. Operational considerations covered by the CFPB include defining proper authorization processes for consumers to allow the data to be moved, defining exactly what categories of data would be required to be made available to move by the data providers, and identifying secure methods for accomplishing the move of the data.
While the 71-page outline is intended to be utilized for the SBREFA process, the CFPB has identified that other interested stakeholders may provide feedback until January 25, 2023 to this email address: [email protected]. To facilitate comments from non-SBREFA interested parties, the CFPB prepared an alternate High Level Summary and Discussion Guide document that is focused solely on the privacy rule itself.