Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
CFPB issues guide on collecting small-biz data
The CFPB recently issued a compliance guide for its final rule implementing Section 1071 of the Dodd-Frank Act. Consistent with Section 1071, the final rule (issued at the end of March) will require financial institutions to collect and provide to the Bureau data on lending to small businesses, defined as an entity with gross revenue under $5 million in its last fiscal year (covered by InfoBytes here). The guide: (i) includes a detailed summary of the final rule’s requirements, including data reporting deadlines; (ii) provides comprehensive information on the types of data financial institutions need to collect and report on small business lending applications and decisions; and (iii) includes parameters for covered institutions and covered originations. The guide further breaks down reportable data points and explains the final rule’s “firewall” provision, which states that employees and officers of a financial institution or its affiliates “involved in making any determination” on a reportable application are generally prohibited from accessing applicant demographic information relating to ethnicity, race, sex, and status as a minority-owned, women-owned, or LGBTQI+-owned business. The guide specifies that certain exceptions may apply to situations where an employee involved in decision-making must have access to the data to fulfill their assigned job duties (e.g. a loan officer or loan processor). In these situations, financial institutions are required to provide notice to applicants that employees and officers involved in decision-making may have access to their demographic data.
FTC examines small business credit reporting
On March 16, the FTC launched an inquiry into the small business credit reporting industry, seeking information from firms on how information is collected and processed for business credit reports, how these reports are marketed, and firms’ approaches for addressing factual errors contained in the reports. Firms are also asked to provide information on the types of services provided to businesses for monitoring or enhancing their own credit reports. The FTC noted that currently there is no federal law that specifically outlines credit reporting processes and protections for small businesses, unlike individual consumer credit reports, which are governed by the FCRA.
CFPB launches rulemaking on consumers’ rights to their data
On October 27, the CFPB released a 71-page outline of proposals and alternatives under consideration related to the Bureau’s Dodd-Frank Section 1033 rulemaking efforts. The outline describes proposals under consideration that “would specify rules requiring certain covered persons that are data providers to make consumer financial information available to a consumer directly and to those third parties the consumer authorizes to access such information on the consumer’s behalf, such as a data aggregator or data recipient (authorized third parties).” Emphasizing that “[c]lear data rights for consumers have the potential to give individuals more bargaining leverage,” the Bureau claimed that companies compiling vast amounts of personal data, including information about consumers’ use of financial products and services, are able to monopolize the use of this data, thereby blocking competition and stifling the development of competitors’ products and services.
Highlights from the outline include a series of discussion questions for small businesses and a list of topics, including:
- Data providers subject to the proposals under consideration. The proposals, if finalized, would impact data providers, including “depository and non-depository financial institutions that provide consumer funds-holding accounts or that otherwise meet the Regulation E definition of financial institution, as well as depository and non-depository institutions that provide credit cards or otherwise meet the Regulation Z definition of card issuer.” Notably, “a financial institution would be a covered provider if it issues an ‘access device’ (as the term is defined in Regulation E § 1005.2(a)(1)), such as a digital credential storage wallet, and provides EFT services, even if it does not hold consumer accounts.” Additionally, “a card issuer would be a covered data provider if it issues a ‘credit card’ (as the term is defined in Regulation Z § 1026.2(a)(15)(i)), such as by issuing digital credential storage wallets, even if it does not hold consumer credit accounts.” The outline also defines covered accounts and states the Bureau is considering potential exemptions for certain data providers.
- Recipients of information. To be considered an authorized third party under the proposals, a third party must: (i) provide an “authorization disclosure” informing consumers of key terms of access; (ii) obtain consumers’ informed, express consent to the key terms of access contained within the authorization disclosure; and (iii) certify to consumers that it will abide by certain obligations related to the collection, use, and retention of a consumer’s information. The Bureau is considering proposals that would address “a covered data provider’s obligation to make information available upon request directly to a consumer (direct access) and to authorized third parties (third-party access).”
- Types of information covered data providers would need to make available. The outline proposes six categories of information data providers would have to make available with respect to covered accounts, including (i) periodic statement information; (ii) information on certain types of prior transactions and deposits that have not-yet-settled; (iii) information regarding prior transactions not typically shown on periodic statements or online account portals; (iv) online banking transactions that have not yet occurred; (v) account identity information; and (vi) other information, such as consumer reports, fees, bonuses, discounts, incentives, and security breaches that exposed a consumer’s identity or financial information.
- Exceptions to the requirement to make information available. The outline provides four exceptions to the requirement for making information available: (i) confidential commercial information; (ii) information obtained to prevent fraud, money laundering, or other unlawful conduct; (iii) information that is required to be kept confidential; and (iv) information a “data provider cannot retrieve in the ordinary course of business.”
- How and when information would need to be made available. The outline states the Bureau is considering ways to define the methods and the circumstances in which a data provider would need to make information available with respect to both direct access and third-party access.
- Third party obligations. The Bureau is examining proposals to limit authorized third parties’ collection, use, and retention of consumer information to that which “is reasonably necessary to provide the product or service the consumer has requested.” This includes (i) limiting duration, frequency, and retention periods; (ii) providing consumers a simple way to revoke authorization; (iii) limiting a third party’s secondary use of consumer-authorized information; (iv) requiring third parties to implement data security standards and policies and procedures to ensure data accuracy and dispute resolution; and (v) requiring third parties to comply with certain disclosure obligations, including a mechanism for consumers to request information about the extent and purposes of a third party’s access to their data.
- Record retention obligations. Proposals under consideration would establish requirements for data providers and third parties to demonstrate compliance with their obligations under the rule.
- Implementation period. The Bureau is seeking feedback on time frames to ensure consumers are able to benefit from a final rule, while also considering implementation factors for data providers and third parties.
An appendix to the highlights provides examples of ways the proposals would apply to hypothetical transactions involving consumer-authorized data access to an authorized third party.
The Bureau’s rulemaking process will include panel convenings, as mandated under the Small Business Regulatory Enforcement Fairness Act of 1996, after which the panel will prepare a report for the Bureau to consider as it develops the proposed rule. “Dominant firms shouldn’t be able to hoard our personal data and appropriate the value to themselves,” CFPB Director Rohit Chopra said in announcing the rulemaking outline. Chopra further elaborated on the rulemaking’s purposes during an industry event earlier in the week (covered by InfoBytes here) where he said the Bureau plans to propose requiring financial institutions that offer deposit accounts, credit cards, digital wallets, prepaid cards, and other transaction accounts to set up secure methods for data sharing as a way to “facilitate new approaches to underwriting, payment services, personal financial management, income verification, account switching, and comparison shopping.”
Chopra previews Section 1033 rulemaking on consumers’ rights to data
On October 25, CFPB Director Rohit Chopra spoke before an industry event where he announced that the Bureau will soon release a discussion guide for small businesses to further the agency’s Section 1033 rulemaking efforts with respect to consumer access to financial records. As announced in the Bureau’s Spring 2022 rulemaking agenda, Section 1033 of Dodd-Frank provides that, subject to Bureau rulemaking, covered entities such as banks must make certain product or service information, including transaction data, available to consumers. The Bureau is required to prescribe standards for promoting the development and use of standardized formats for information made available to consumers under Section 1033. In 2020, the Bureau issued an advanced notice of proposed rulemaking seeking comments to assist in developing the regulations (covered by InfoBytes here).
Chopra explained that, before issuing a proposed rule, the Bureau must first convene a panel of small businesses that represent their markets to solicit input on proposals the CFPB is considering. Chopra said the Bureau plans to “hear from small banks and financial companies who will be providers of data, as well as the small banks and financial companies who will ingest the data,” and will also gather input from intermediary data brokers that facilitate data transfers (“fourth parties”). He noted that a report will be published in the first quarter of 2023 based on comments received during the process, which will be used to inform a proposed rule that is slated to be issued later in 2023. Chopra said the Bureau hopes to finalize the rule in 2024, stating “[w]hile not explicitly an open banking or open finance rule, the rule will move us closer to it, by obligating financial institutions to share consumer data upon consumer request, empowering people to break up with banks that provide bad service, and unleashing more market competition.”
Chopra also expressed plans to propose requiring financial institutions that offer deposit accounts, credit cards, digital wallets, prepaid cards, and other transaction accounts to set up secure methods for data sharing. He stressed that doing so would “facilitate new approaches to underwriting, payment services, personal financial management, income verification, account switching, and comparison shopping.” He further noted that the Bureau is planning to assess ways to prevent incumbent institutions from improperly restricting access when consumers try to control and share their data, including by developing requirements for limiting misuse and abuse of personal financial data, fraud, and scams. Chopra said staff has been directed to consider alternatives to the “notice-and-opt out” regime that has been the standard for financial data privacy and to explore safeguards to prevent excessive control or monopolization by one or a handful of firms.
FTC proposes TSR amendments to extend robocall protections
On April 28, the FTC proposed rulemakings to extend protections for small businesses against telemarketing business-to-business schemes and strengthen safeguards to protect consumers from other telemarking scams. Both the notice of proposed rulemaking (NPR) and advance notice of proposed rulemaking (ANPRM) stem from the FTC’s regulatory review of the Telemarketing Sales Rule (TSR) and address public comments received as part of the review.
The NPR proposes to amend TSR recordkeeping requirements to require telemarketers to retain seven new categories of information related to their telemarketing activities, including records concerning each unique prerecorded message, records sufficient to show the established business relationship between a seller and a consumer, records of the service providers used by a telemarketer to deliver outbound calls, and records of the FTC’s Do Not Call Registry that were used to ensure compliance with this rule. Additionally, the NPR seeks comments on whether the FTC should amend the TSR to prohibit material misrepresentations and false or misleading statements in business-to-business telemarketing transactions to prevent harm caused by deceptive telemarketing, and proposes adding a definition of “previous donor” related to charitable donation solicitations.
The ANPRM seeks comments on a range of issues related to whether calls related to tech-support scams should be covered by the TSR, whether telemarketers should be required to provide consumers with a simple click-to-cancel process when they sign up for subscription plans, and whether the TSR should stop treating telemarketing calls made to businesses differently from those made to consumers. According to the FTC, robocalls made to businesses are generally exempt from certain TSR provisions.
Comments on both proposed rulemakings are due 60 days after publication in the Federal Register.
CFPB releases comment letter on FTC enforcement action
On February 18, the CFPB released a comment letter in response to the FTC’s request for comments on its proposed order with a business credit reporting agency alleging that the respondent engaged in deceptive and unfair practices. (Covered by InfoBytes here). In commending the FTC, the CFPB noted that “there are troubling conflicts of interest when the purveyor of credit reports also sells ancillary services.” The CFPB also discussed that the FCRA “may not have contemplated the serious challenges that small businesses face with respect to business credit reports and associated services such as the provision of credit scores,” and that small business “may not benefit” from the FCRA. The Bureau noted that “[b]usiness credit reporting companies should not be able to unfairly harm a small business’s and their owner’s or operator’s financing opportunities.” In supporting “greater remedial authorities for the FTC to be more in line with other civil law enforcement agencies,” the comment letter argued that “[s]tronger authorities for the FTC may help to remediate this full range of harms,” and that the Bureau “stands ready to work with the FTC and other federal and state law enforcement partners to examine whether there are other unlawful practices related to small business credit reporting by other providers.” According to the CFPB, the Bureau will be working with the FTC “to ensure that small businesses are treated fairly when it comes to accessing loans.” The CFPB also noted that it is “working on a rule to shine more light on small business lending, by gathering more data about whether and how small businesses are able to access credit,” and will provide regulators the opportunity “to understand the landscape of credit availability to small businesses that for too long have had to rely on opaque business credit reporting agencies as gatekeepers of financing,” according to the comment letter.
FDIC joins Operation HOPE to promote financial education
On January 24, the FDIC announced a collaboration with Operation HOPE, Inc. to promote financial education. The collaboration will utilize the FDIC’s Money Smart curriculum and other resources to help educate minority- and/or women-owned businesses on how to do business with the agency. According to the FDIC, in 2001, the agency recognized “the importance of financial education, particularly for persons with little or no banking experience,” and created Money Smart. According to the FDIC and Operation Hope Collaboration Arrangement, the FDIC, among other things, will provide training for Operation Hope’s staff on how to teach the Money Smart curriculum and will help the nonprofit identify outreach initiatives to educate minority- and women-owned businesses on how to conduct business with the FDIC. According to FDIC Chairman Jelena McWilliams, the organization and the FDIC “share a common purpose to help every person belong to our nation’s financial system,” and together, “make certain our nation’s economy works for everyone.”
SBA rolls out small business cybersecurity pilot program
On January 21, the SBA announced $3 million in funding for the agency’s Cybersecurity for Small Business Pilot Program. The funding is intended to help state governments assist emerging small businesses develop their cybersecurity infrastructures to combat increasing and evolving threats. Applications will be accepted from January 26 through March 3. “Throughout the COVID-19 pandemic, small businesses have adopted technology at high rates to survive, operate, and grow their businesses. As a result, cybersecurity has become increasingly important as now, more than ever before, small business owners face cyber risks and challenges that could disrupt their operations and competitive advantages. As we seek to build a stronger and more inclusive entrepreneurial ecosystem, we must innovate and provide resources to meet the evolving needs of the growing number of small businesses. With this new funding opportunity, the SBA intends on leveraging the strengths across our state governments, territories, and tribal governments to provide services to help small businesses get cyber ready and, in the process, fortify our nation’s supply chains,” SBA Administrator Isabella Casillas Guzman said in the announcement.
New York to make $3 billion available to assist renters and small businesses
On May 25, New York’s Governor Cuomo announced that up to $2.7 billion in emergency rental assistance and $800 million in small business recovery grants will be available to New Yorkers impacted by Covid-19. The rental assistance program will prioritize the unemployed, those with income at or below 50% of the area median income, and other vulnerable populations for the first 30 days and then be open to other applicants so long as funds remain available.
California announces additional small business grants as part of its broader California Comeback Plan
On May 13, California’s Governor Gavin Newsom announced a new small business relief program, consisting of both business grants and tax credits, as a part of the broader “California Comeback Plan.” The program adds an additional $1.5 billion in grants to the already announced $2.5 billion, and provides $6.2 billion in tax credits available to small businesses.