CFPB reports on Section 1033 rulemaking
The CFPB recently released a final report issued by the Small Business Review Panel (Panel), which examines the impact of the Bureau’s proposals to address consumers’ personal financial data rights. Section 1033 of Dodd-Frank generally provides that covered entities, such as banks, must make available to consumers, upon request, transaction data and other information concerning consumer financial products or services that the consumer obtains from the covered entity. Over the past several years, the Bureau has engaged in a series of rulemaking steps to prescribe standards for this requirement, including the release of a 71-page outline of proposals and alternatives in advance of convening a panel under the Small Business Regulatory Enforcement Fairness Act. The outline presents items under consideration that “would specify rules requiring certain covered persons that are data providers to make consumer financial information available to a consumer directly and to those third parties the consumer authorizes to access such information on the consumer’s behalf, such as a data aggregator or data recipient (authorized third parties).” (Covered by InfoBytes here.)
While the Panel’s final report reflects its review of the Bureau’s proposals and the feedback received from small entity representatives that likely would be subject to the rule, it may not reflect updated findings uncovered during the process of producing a notice of proposed rulemaking because the report is drafted at the preliminary stage of the Bureau’s required rulemaking process.
The report includes an overview of proposals and alternatives under consideration for the use of two existing definitions to establish data provider coverage: “financial institution” as defined by Regulation E (i.e. “depository and nondepository financial institutions that provide consumer funds-holding accounts or that otherwise meet the Regulation E definition of financial institution”), and “card issuer” as defined by Regulation Z (i.e. “depository and nondepository institutions that provide credit cards or otherwise meet the Regulation Z definition of card issuer”). Entities that meet the definition of a “card issuer” would include both the person that issues a credit card and the person’s agents with respect to the card.
The report analyzes numerous topics, including proposals covering asset accounts and credit card accounts, potential exemptions for certain covered data providers, the process for making information available to consumers and to third parties (including third-party commitments to data security, data accuracy and limitations, and disclosure compliance), record retention obligations, and the potential impact on small entities. The report includes a thorough breakdown of panel findings and recommendations.