Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On February 26, the CFPB held a symposium covering consumer access to financial records and Section 1033 of the Dodd-Frank Act, which deals with consumers’ rights to access information about their financial accounts. In her opening remarks, Director Kathy Kraninger pointed out three major changes in data aggregation since the OCC first warned banks about aggregating consumer data in 2001: (i) “the range of actors involved has expanded greatly”; (ii) “the extent to which they are using aggregated data to provide new products and services to millions of American consumers has grown in scope and scale”; and (iii) “technologies that enable safer and more efficient consumer authorized data sharing continue to evolve and proliferate.” According to the CFPB’s press release, the purpose of this symposium was “to elicit a variety of perspectives on the current and future state of the market for services based on consumer-authorized use of financial data.” The symposium consisted of three panels: (i) the current landscape and benefits and risks of consumer-authorized data access; (ii) market developments; and (iii) considerations for policymakers. Panel highlights include:
- Panel #1. The panelists considered potential benefits and risks for consumers around data access as well as the current landscape and benefits and risks of consumer-authorized data access. Panelists agreed that consumers should be given control over their data and also mentioned the need to educate consumers on data security. One panelist suggested that consumers need to understand not only the breadth of data that is accessible, but also what sensitive consumer data is being accessed, stored, and shared. She stressed that entities storing/accessing the data should be subject to the same supervision for cyber security standards as banks.
- Panel #2. The panel, which was comprised of experts in market developments and trends, including in the areas of cash flow underwriting and the business of securing consumer permission to access checking account data, discussed market developments in consumer-authorized data access. One panelist suggested that the U.S. is behind countries like Australia and Canada (where government intervention in the market clarified consumers’ legal right to access their financial data) because of a lack of connectivity and of data field availability in the U.S. Others discussed alternatives to the current screen scraping model—which does not advance transparency or traceability for consumers—such as a model based on an application program interface (API) (APIs can be used to combine data from various sources into one application). The panelists also discussed tokenized authentication as a possible middle phase when going from screen scraping to APIs. Panelists suggested that the market is making significant technological improvements, but lacks guidance from policymakers.
Panel #3. The third panel, focused on “where we are going and how we get there” or the “future of the market” and “considerations for policymakers on how to” ensure consumer data is safeguarded “while ensuring that consumers have continual access to their data.” Among other things, the panel discussed that regulatory intervention in this space has not been common. Many panelists also mentioned areas of uncertainty, including whether banks or consumers should decide the limitations of rights to consumer data. Regarding Section 1033, one panelist suggested that the bank view is that the CFPB does not need to regulate here and should not provide consumers and their agents with access to their information, however, any entities that have access to the data should be regulated. Others believed that banks and other financial institutions do not view Section 1033 correctly. Another area of uncertainty discussed was whether the consumer data right is an ownership right, and whether a bank can decide to whom it will or will not provide consumer data.
On November 6, the CFPB held a symposium covering small business lending and Section 1071 of the Dodd-Frank Act, which amends ECOA to require financial institutions to compile, maintain, and submit to the Bureau certain information concerning credit applications by women-owned, minority-owned, and small businesses, and also directs the Bureau to promulgate regulations to implement these requirements. In her opening remarks, Director Kraninger, noted that the symposium was being convened to assist the Bureau with information gathering for upcoming rulemaking and emphasized that the Bureau is focused on a rulemaking that would not impede small business access to credit by imposing unnecessary costs on financial institutions. The symposium consisted of two panels, with the first covering policy issues related to small business lending, while the second discussed specific aspects of the requirements of Section 1071. Highlights of the panels include:
- Panel #1. During the policy discussion, panelists focused on non-traditional lenders, namely fintech firms, that have entered the small business lending market, with most noting that these online alternative lenders have filled a necessary lending gap left by traditional banks and depository institutions. While concerns around bad actors in the online lending space were discussed, most panelists agreed that online financing may provide an opportunity for women and minority-owned businesses to avoid potential biases in underwriting, with one panelist noting that his company does not collect gender or race information in its online application.
- Panel #2. Panelists focused their discussion on specific implementation concerns of Section 1071, including compliance costs, definitions of small business and financial institutions, data elements to be reported, and privacy concerns. Among other things, panelists noted that the definition of “small business” should be limited to businesses under $1 million in revenue, which is a figure included in other regulations such as ECOA and the CRA. Panelists disagreed on whether the Bureau should exercise its exemptive authority under Section 1071 for the definition of “financial institution.” While some panelists believe that the broad definition included in the Act is necessary to hold all the players in the market accountable, others argued that large financial institutions that receive an “outstanding” CRA rating should be excluded from the reporting requirements. As for data elements, most agreed that the Bureau should only require the statutorily mandated elements and not include any others in the rulemaking, while one panelist suggested that APR must be included in order to ensure that approval rates for minority-owned small businesses are the result of actual innovation and effective business models and not just the charging of high rates. Moreover, panelists reminded the Bureau to be cognizant of the small business lending reporting requirements of the CRA and HMDA and cautioned the Bureau to keep Section 1071 data requirements compatible.
On June 25, the CFPB held its “Abusive Acts or Practices Symposium,” the first event in a symposia series covering a range of consumer financial services topics. The event had two panels of experts discussing unfair, deceptive, or abusive acts and practices (UDAAP)—the first was a policy discussion, moderated by Tom Pahl, CFPB’s Policy Associate Director, Research, Markets and Regulation; and the second, examined how the “abusive” standard has been used in practice in the field and was moderated by David Bleicken, CFPB Deputy Associate Director, Supervision, Enforcement and Fair Lending. Director Kraninger began the symposium noting that it will help to “inform the Bureau’s thinking as to whether the Bureau should use its rulemaking or other tools to provide clarity about the general meaning of abusiveness—and, if so, which principles should be applied to determine the scope of abusiveness.”
The policy panel focused on whether consumer harm was required for a practice to be considered abusive. One panelist noted that while the Dodd-Frank Act statutory definition of abusive does not specifically require proof of consumer harm, it would be surprising if consumer harm wasn’t a priority in weighing enforcement claims. As for what principles the Bureau should apply in determining the scope of abusive acts and practices, one panelist identified three: “fidelity, autonomy, and modesty,” meaning the Bureau should follow the statutory language, protect autonomy of consumer decision-making, and be careful not to tie its hands prematurely based on current market information.
The practitioners’ panel focused on whether there was even a need to clarify the abusive standard, as it is already statutorily defined. Most panelists agreed that a guidance document or policy statement would be an important first step for the Bureau in providing clarity to the industry. Specifically, the panelists noted that the industry has struggled with examples of how abusiveness is different from unfairness or deception, arguing the Bureau has been “inconsistent at times” in the application of the abusive standard. One panelist explained that the Bureau often brings abusive claims in connection with a claim of deception or unfairness, stating “while this may work for the Bureau’s litigation strategy the market looks to enforcement for guidance on the policy. Standalone abusiveness claims that show how abusiveness is different from deception and unfairness would provide direction to staff and industry.” Because the standard is unclear to industry, a panelist argued that many companies choose to limit products or offerings to avoid unknown compliance risks.
An archived copy of the webcast will be available on the Bureau’s website.
On June 11, the CFPB announced that its first symposium, regarding the meaning of “abusive acts or practices” under Section 1031 of the Dodd-Frank Act, will be held on June 25. As previously covered by InfoBytes, the CFPB announced a symposia series that will convene to discuss consumer protections in “today’s dynamic financial services marketplace.” The June 25 symposium will be a public forum with two panels of experts discussing unfair, deceptive, or abusive acts and practices (UDAAP). The first panel will be a policy discussion, moderated by Tom Pahl, CFPB’s Policy Associate Director, Research, Markets and Regulation. The second panel will examine how the “abusive” standard has been used in practice in the field and will be moderated by David Bleicken, CFPB Deputy Associate Director, Supervision, Enforcement and Fair Lending.
In addition to the June 25 symposium, the series will have future events discussing behavioral law and economics, small business loan data collection, disparate impact and the Equal Credit Opportunity Act, cost-benefit analysis, and consumer authorized financial data sharing.
- Jedd R. Bellman to provide an “Attorney exemption/medical debt update” at the North American Collection Agency Regulatory Association annual conference
- Kathryn L. Ryan to discuss “What should crypto regulation look like: Legislation, regulation and consumer issues” at WCL's First Annual Virtual Currency Law Institute
- Elizabeth E. McGinn to discuss “How to mitigate and manage third-party risks: Leveraging tools and best practices” at The Knowledge Group’s webcast
- Elizabeth E. McGinn, Benjamin W. Hutten, and James C. Chou to discuss “The evolving regulatory landscape: Third-party and cyber risk management” at the 2022 mWISE Conference
- Sherry-Maria Safchuk to discuss “For your eyes only: Privacy updates for 2022-2023” at CCFL’s Annual Consumer Financial Services Conference
- James T. Parkinson to present a “Global anti-corruption update” at IBA’s annual conference