Building Momentum: The CFPB Kicks Off the 1033 SBREFA Process
In October, the Consumer Financial Protection Bureau (the CFPB) released a flurry of materials announcing the kickoff of a rulemaking process to implement the consumer information access obligations of Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank Act”). Specifically, the CFPB began the required Small Business Regulatory Enforcement Fairness Act (SBREFA) consultation process in anticipation of its proposed Personal Financial Data Rights Rulemaking (the “Proposal”),[1] a next step in the rulemaking process that has been anticipated since October 2020 and is required under Section 1033.[2]
According to the CFPB, the intent of the Proposal is to empower consumers to “break up” with financial institutions that provide bad service and to facilitate new approaches to underwriting, payment services, personal financial management, income verification, account switching, and comparison shopping. Ultimately, the Proposal has the potential to substantially impact the way financial institutions process consumer financial data and create significant opportunity in the marketplace for fintechs providing alternatives to traditional financial services. As we stand on the cusp of this potentially groundbreaking rulemaking, it is important to understand both the SBREFA process and the Proposal the CFPB is considering.
Section 1033 of the Dodd-Frank Act requires entities that provide consumer financial products to offer consumers access to “information related to any transaction, or series of transactions, to [their] account including costs, charges, and usage data.” The Dodd-Frank Act charges the CFPB with issuing rules to implement the requirement. Although it took 12 years from enactment of the Dodd-Frank Act, the CFPB has now taken a significant step towards issuing a Personal Financial Data Rights rule by starting the required SBREFA consultation.[3]
The SBREFA consultation is a collaborative process requiring the convening of a Small Business Review Panel (the “Panel”) with representatives from the CFPB, the Small Business Administration (SBA), and the Office of Information and Regulatory Affairs in the Office of Management and Budget. The Panel obtains input from small entities or their representatives, taking into account the impact that the Proposal would have on them.[4]
Highlighting the significance of the Proposal, this will be only the tenth time that the CFPB has initiated the SBREFA process.[5] The CFPB has released a detailed, 72-page Outline of Proposals (the “Outline”) and a condensed High-Level Summary and Discussion Guide of the Outline (the “Guide”). Together, the documents provide an in-depth review of the Proposal and list questions for small entities that are intended to prompt discussion and collect input on the Proposal.
It is important to note that, during the SBREFA process, the Panel will only accept input from small entities that will be affected by the Proposal. The definition of a “small entity” is tied to SBA’s size standards for which the CFPB has listed industry-specific revenue limitations in its Outline.[6] Moreover, the CFPB has clarified that “affected” small entities will be those that fall into one of three categories:
Following the SBREFA process, the Panel must complete a report on the comments received during the process for the CFPB to consider as it prepares a proposed rule. Once any proposed rule is ultimately published, the CFPB must place the Panel Report in the public rulemaking record. Following the publication of any proposed rule, the “standard” public comment period will begin.
Historically, the CFPB timeline from convening of the Panel to publication of a final rule has varied significantly, with some rules being published in less than a year and others taking nearly four years.[8] Of note, at Money 20/20, CFPB Director Rohit Chopra made remarks about the rulemaking indicating his expectation that the Panel Report will be issued in the first quarter of 2023.[9] Following the issuance of the Report, Director Chopra stated that he expected a proposed rule to be released in 2023 and to “finalize the rule in 2024.”
Considering the significant impact that the eventual rulemaking could have, stakeholders across the ecosystem, not just small entities, should consider the opportunities presented to shape the eventual rulemaking by the SBREFA process.
The Outline organizes the Proposal into seven different topics relevant to consumer data access. The following provides a brief overview of each topic and highlights some of the aspects that the CFPB is seeking input on:
As envisioned by the Proposal, the Section 1033 rule and its requirements for making consumer financial information available to consumers and authorized third parties would apply to all “data providers” (i.e., Regulation E “financial institutions” and Regulation Z “card issuers”), irrespective of size.
The CFPB, however, has limited its contemplated scope of relevant consumer data. In this regard, under the Proposal, “covered data,” or data that would need to be made available to consumers, would be information that pertains to an “‘account’ as defined in Regulation E § 1005.2(b) or information that pertains to a ‘credit card account under an open-end (not home-secured) consumer credit plan’ as defined in Regulation Z § 1026.2(a)(15)(ii).” Collectively, the Outline refers to these as “covered accounts.” Such covered accounts would include any checking, savings, consumer asset, or prepaid account held directly or indirectly by a financial institution and established primarily for personal, family, or household purposes, as well as credit card accounts. Importantly, commercial or business accounts fall outside the scope of the Proposal, as do open-end credit accounts that are not credit cards as well as closed-end loan accounts.
These parameters provide some insight into who may be required to comply with the data access rights under the rule and with respect to what data. The CFPB, however, is requesting input from small entities on developing exemptions for the covered data providers definition and what alternative approaches the CFPB should consider, including whether to expand the definition of covered data provider.
The Proposal calls for covered data providers to provide two types of access to covered data: (1) direct access in which information is provided directly to a consumer, and (2) third-party access where information is provided to a third party authorized by the consumer to whom the data relates. The Proposal suggests a method for standardizing the authorization of third-party access.
Third parties would need to follow a procedure for authorization that includes: (1) the provision of an authorization disclosure to inform the consumer close in time to when the third party would need the information; (2) the consumer’s informed, express consent (received “either electronically or through the mail”); and (3) certification by the third party that it will abide by requirements related to collection, use, and retention of the information. It can be inferred that requirement (1) would entail the provision of a notice to the consumer that would include the “identity of intended data recipients (including any downstream parties and data aggregators to whom the information may be disclosed), and the purpose for accessing the information.” Pursuant to requirement (2), the third party would then need to obtain the consumer’s express consent related to the disclosure.
In addition to requesting input on the cost these provisions may impose on small entities, the CFPB invites comment on specific aspects of authorization, including whether the CFPB should provide model clauses for the authorization disclosure and, if a data recipient relies on a data aggregator to access consumer data from the covered data provider, whether the data recipient or the data aggregator is responsible for providing the authorization disclosure.
The Proposal sets out the following six categories of consumer data that covered data providers would need to make available with respect to covered accounts:
Importantly, Section 1033(b) of the Dodd-Frank Act specifically lists four exceptions to the requirement for making information available. The CFPB mentions each exemption in the Outline and has requested comments from small entities as to how it should interpret the exemptions. For example, Section 1033(b)(1) exempts “any confidential commercial information, including an algorithm used to derive credit scores or other risk scores or predictors.” For this exemption, the CFPB is considering whether to propose an interpretation of the phrase “confidential commercial information,” identify specific examples of what constitutes commercial information, or both. This exemption could be significant as the definition of confidential commercial information has the potential to encompass data that would otherwise fall into the “other information” category.
Under the Outline, if a covered provider receives an access request from a consumer and has enough information to reasonably authenticate the consumer’s identity, the covered provider would be required to provide the covered information through an online financial account management portal and allow the consumer the option to export the data in both human and machine-readable formats. Of particular note, those covered data providers that do not have an online financial account management portal would be required to create one.
For third-party access, the CFPB is also considering requiring covered data providers “to establish and maintain a third-party access portal that does not require the authorized third party to possess or retain consumer credentials.” The Proposal indicates that a covered provider could be determined to not be in compliance with an eventual rule if its third-party access portal fails to meet certain requirements related to quality, timeliness, and usability of the information, including uptime, error responses, and limitations on fulfilling a call from an authorized third party when data is otherwise available.
The CFPB seems to acknowledge that having an online financial account management portal allowing third parties to access user data without requiring consumer credentials would be a significant lift for covered data providers. In this regard, the CFPB poses a series of questions regarding whether the CFPB should allow data providers to charge consumers or third parties for access requests, how to limit the burden of third-party requests, and what the timeline and cost for the creation of the online financial account management portal may be.
The CFPB is considering limiting third parties’ collection of consumer information to what is reasonably necessary to provide the product or service the consumer has requested. This would include maximum duration and frequency limitations. Prior to exceeding such limitations, the third party would need to seek reauthorization for continued access. The Proposal indicates that third parties will have to provide consumers with a simple way to revoke authorization at any point in a manner consistent with the way in which consent was obtained.
In addition, the CFPB is seeking contributions from small entities on how to limit third parties’ secondary use of consumer information and on retention periods. The most stringent option offered by the CFPB in this regard would prohibit all secondary uses of consumer data and require the deletion of consumer information that is no longer reasonably necessary to provide the consumer’s requested product or service. However, the CFPB also identified less stringent possibilities that are available for comment, such as prohibiting certain high-risk secondary uses.
Lastly, the CFPB is proposing to require authorized third parties to implement data security standards, which could include incorporating the GLBA’s Safeguards Rule or Guidelines into the Personal Financial Data Rights rule.
The Proposal indicates that record retention requirements will be imposed on covered data providers and authorized third parties. Such parties would need to maintain records to demonstrate compliance with any eventual rule.
The Outline describes the CFPB’s intent to “ensure that consumers have the benefit of a final rule within a short timeframe, while also ensuring that covered data providers and authorized third parties have sufficient time to implement the rule.” Thus, the CFPB is seeking feedback on whether additional time will be needed for certain requirements related to the Proposal, including additional time needed to build a compliant third-party access portal.
The 1033 rulemaking will invite significant feedback and discussion from data providers, data aggregators, data recipients, and consumer groups. Thus far, some major data providers and data aggregators have entered into bilateral agreements governing data access and use. In addition, industry participants have sought, through organizations such as the Financial Data Exchange, to set technical standards for user-permissioned data access. We expect the 1033 rulemaking process to conclude by formally mandating many aspects of the relationships between these industry participants that are already in place through negotiation and standards setting. But there will also be some rule aspects and regulatory commentary or interpretations that could require significant changes of course for certain industry participants. Covered data providers should be preparing for the technical, operational, and compliance oversight responsibilities they will likely have following the rulemaking process. Data recipients and aggregators should consider preparing for new data access limitations and restrictions on certain use cases. All participants with a stake in the data-sharing ecosystem will need to be actively engaged in the CFPB’s rulemaking process in an effort to help ensure a final rule that is both fair to all participants and operationally practical. Please contact any of the Morrison Foerster attorneys listed for questions or assistance in navigating the Section 1033 rulemaking process.
[1] See High-Level Summary and Discussion Guide of Outline of Proposals and Alternatives Under Consideration for SBREFA: Required Rulemaking on Personal Financial Data Rights, October 27, 2022; see also Outline of Proposals and Alternatives Under Consideration for the Personal Financial Data Rights Rulemaking, October 27, 2022; CFPB Press Release: CFPB Kicks Off Personal Financial Data Rights Rulemaking, October 27, 2022.
[2] See Notice of Proposed Rulemaking, Dodd-Frank Act Section 1033 – Consumer Access to Financial Records, October 20, 2022.
[3] See 5 U.S.C. 609(b). This consultation process requires that an agency like the CFPB follow additional procedural requirements where a contemplated proposed rule is expected to have a significant economic impact on a substantial number of small entities.
[4] U.S. Small Business Administration, SBREFA, https://advocacy.sba.gov/resources/reference-library/sbrefa/.
[5] Id.
[6] See Outline at pg. 52–53; see also CFPB, Fact Sheet: Small Business Review Panel Process.
[7] While a card issuer is limited to a “person that issues a credit card or that person’s agent with respect to the card,” the term “financial institution” is broader, covering a “bank, savings association, credit union, or any other person that directly or indirectly holds an account belonging to a consumer, or that issues an access device and agrees with a consumer to provide electronic fund transfer services.”
[8] U.S. Small Business Administration, SBREFA, https://advocacy.sba.gov/resources/reference-library/sbrefa/.
[9] Director Chopra’s Prepared Remarks at Money 20/20, October 25, 2022.