Read on Twitter
BIG NEWS: More than 10 yrs since Dodd-Frank, the @CFPB has announced it is exploring “how it might most efficiently & effectively develop regulations to implement Section 1033, which provides for consumer rights to access financial records.”
https://www.consumerfinance.gov/about-us/newsroom/consumer-financial-protection-bureau-releases-advance-notice-proposed-rulemaking-consumer-access-financial-records/
Thread
https://www.consumerfinance.gov/about-us/newsroom/consumer-financial-protection-bureau-releases-advance-notice-proposed-rulemaking-consumer-access-financial-records/
Thread
During this past decade, financial services innovation has exploded.
Finance has moved from brick-and-mortar to digital, and fintech companies have led a revolution of experimentation: in user experience, distribution models, risk analysis, and financial infrastructure.
Finance has moved from brick-and-mortar to digital, and fintech companies have led a revolution of experimentation: in user experience, distribution models, risk analysis, and financial infrastructure.
This innovation has relied heavily on the access to financial services data.
Whether or not you agree it’s the “new oil,” the availability, uses, & value of financial data have increased dramatically since Dodd-Frank.
Regulation has not kept up.
Whether or not you agree it’s the “new oil,” the availability, uses, & value of financial data have increased dramatically since Dodd-Frank.
Regulation has not kept up.
The laws governing consumer financial data are complex with several regulators sharing sometimes overlapping jurisdiction.
The upcoming rule implementing Section 1033 provides us with a critical first opportunity to reimagine the U.S. regulatory framework for financial data.
The upcoming rule implementing Section 1033 provides us with a critical first opportunity to reimagine the U.S. regulatory framework for financial data.
The CFPB is seeking comment and information on nine topics - costs and benefits of consumer data access; competitive incentives; standard-setting; access scope; consumer control and privacy; data security; data accuracy; legal req’s other than section 1033; and other information.
Although the specific direction the proposed rule will go isn’t yet known, the CFPB’s commentary in the ANPR gives some promising signs about the approach the CFPB is taking.
I’ll walk through each of these topics below:
I’ll walk through each of these topics below:
Costs & Benefits of Consumer Data Access
The silver lining of waiting for 1033 is that we’ve had time to see the financial data ecosystem evolve.
We know a lot more now about both how data can be used for good and also what consumer protection risks we should look out for.
The silver lining of waiting for 1033 is that we’ve had time to see the financial data ecosystem evolve.
We know a lot more now about both how data can be used for good and also what consumer protection risks we should look out for.
The CFPB set the stage well by “recognizing that various market participants have helped authorized data access become more secure, effective, and subject to consumer control” and acknowledging the “evolution since section 1033 was enacted.”
Yet, at the same time, they noted that there are “indications that some emerging market practices may not reflect the access rights described in 1033.”
As with most regs, implementing 1033 requires a thoughtful balancing of the impacts on stakeholders in a complex ecosystem.
As with most regs, implementing 1033 requires a thoughtful balancing of the impacts on stakeholders in a complex ecosystem.
Competitive Incentives and Authorized Data Access
The CFPB’s questions here acknowledge the significant impact that financial data can have on competitive dynamics, especially as the lines between data holders, data aggregators, and data users continue to blur.
The CFPB’s questions here acknowledge the significant impact that financial data can have on competitive dynamics, especially as the lines between data holders, data aggregators, and data users continue to blur.
The ANPR articulates multiple priorities, including enabling “ongoing and efficient consumer-friendly market innovation,” “avoiding undue or unnecessary burden on industry,” and addressing “consumer protection risks.”
Getting this right will be a critical but difficult task.
Getting this right will be a critical but difficult task.
Standard-Setting
The ANPR notes the important contributions by “self-regulatory standard-setting work that a broad group of market participants has conducted and continues to conduct and other initiatives that may help to foster a safe consumer-authorized data sharing ecosystem”
The ANPR notes the important contributions by “self-regulatory standard-setting work that a broad group of market participants has conducted and continues to conduct and other initiatives that may help to foster a safe consumer-authorized data sharing ecosystem”
...while also seeking input about the extent to which this external standard-setting work will promote 1033’s objectives, how the regulation should interact with such efforts, and whether the CFPB should articulate specific standards itself.
This discussion in particular provides a fascinating case study on the interplay of regulators, market participants, consumers, and advocates in creating safe yet innovative markets in the digital age...
And potentially a blueprint for data regimes in other industries.
And potentially a blueprint for data regimes in other industries.
Access Scope
This topic covers questions at the heart of Section 1033, including the:
WHO - whether and which kinds of third parties should be able to access data on a consumer’s behalf;
This topic covers questions at the heart of Section 1033, including the:
WHO - whether and which kinds of third parties should be able to access data on a consumer’s behalf;
WHAT - which data types data holders need to share and which should be exempt from access (e.g., confidential commercial info; info not retrievable in ordinary course);
WHEN - whether certain time periods should be exempt from consumer access or frequency of requests limited;
WHEN - whether certain time periods should be exempt from consumer access or frequency of requests limited;
And, last but not least:
HOW - how should data be accessed in a way that is operationally reliable and such that access isn’t constrained to only certain technologies.
HOW - how should data be accessed in a way that is operationally reliable and such that access isn’t constrained to only certain technologies.
Consumer Control & Privacy
This topic addresses what happens to consumer financial data once it’s been obtained by a third party and hits on a number of hot button topics:
This topic addresses what happens to consumer financial data once it’s been obtained by a third party and hits on a number of hot button topics:
DATA USES - The distinction between data uses reflecting consumer’s primary purpose in authorizing access (primary) and all other data uses (secondary).
ANONYMIZATION - Whether ability to anonymize data should impact analysis and, if so, how such data was disassociated.
ANONYMIZATION - Whether ability to anonymize data should impact analysis and, if so, how such data was disassociated.
DATA MINIMIZATION - Whether access and uses should be limited to data necessary to effect the consumer’s purpose in authorizing.
DATA RETENTION & SHARING - What should happen to data after it has been provided to the authorized party authorized & whether it can be shared again.
DATA RETENTION & SHARING - What should happen to data after it has been provided to the authorized party authorized & whether it can be shared again.
DISCLOSURE & UNDERSTANDING - Extent to which consumers actually understand what’s happening with their data once access has been granted, and whether disclosures are helpful in understanding and aligning expectations.
Kaitlin Asrow at the @sffed has an excellent piece exploring this issue among others: https://www.frbsf.org/banking/publications/fintech-edge/2020/june/role-individuals-data-ecosystem/
Legal Requirements Other Than Section 1033
1033 is a cornerstone of the U.S. legal regime governing financial data, but it exists in a fragmented and complex patchwork of other federal and state laws and regulations solving specific policy issues.
1033 is a cornerstone of the U.S. legal regime governing financial data, but it exists in a fragmented and complex patchwork of other federal and state laws and regulations solving specific policy issues.
Describing the current state of play here in the U.S. at the federal level was the main focus of a recent paper I co-authored with my colleagues at Mitchell Sandler, @finhealthnet, @FlourishVC, and @FinRegLab .
http://www.mitchellsandler.com/Financial%20Data%20White%20Paper%20V2.pdf
http://www.mitchellsandler.com/Financial%20Data%20White%20Paper%20V2.pdf
This topic in the ANPR explores:
- Whether similarities & conflicts exist between 1033 access rights and other statutes and regs;
- Where there is regulatory uncertainty with these other laws and, if so, how to address;
- What changes could the CFPB make to better harmonize.
- Whether similarities & conflicts exist between 1033 access rights and other statutes and regs;
- Where there is regulatory uncertainty with these other laws and, if so, how to address;
- What changes could the CFPB make to better harmonize.
Data Security & Accuracy
In these 2 topics, the CFPB requests input on whether existing laws effectively mitigate security risks or what additional steps should be taken by CFPB to improve them & to better align market incentives toward ensuring that accessed data stays secure.
In these 2 topics, the CFPB requests input on whether existing laws effectively mitigate security risks or what additional steps should be taken by CFPB to improve them & to better align market incentives toward ensuring that accessed data stays secure.
And...
Whether consumers are harmed by inaccuracies in accessed data, whether current market incentives and legal requirements are sufficient to promote accuracy, and what steps the CFPB should take, if any, to address any deficiencies.
Whether consumers are harmed by inaccuracies in accessed data, whether current market incentives and legal requirements are sufficient to promote accuracy, and what steps the CFPB should take, if any, to address any deficiencies.
The @CFPB has a challenge on its hands with this rulemaking. A lot has changed in the period since the initial requirement was passed.
But the task is critically important. How 1033 is implemented will have a significant impact on the direction of U.S. financial data policy.
But the task is critically important. How 1033 is implemented will have a significant impact on the direction of U.S. financial data policy.
The CFPB’s ANPR represents a thoughtful approach to collecting vital info to inform policy.
Now we need to ensure a diversity of voices are heard -consumers, industry, advocates, academics - to ensure a result that balances the sometimes competing interests of stakeholders.
Now we need to ensure a diversity of voices are heard -consumers, industry, advocates, academics - to ensure a result that balances the sometimes competing interests of stakeholders.
