Re: Outline of Proposals and Alternatives Under Consideration for Required Rulemaking on Personal Financial Data Rights
The Honorable Rohit Chopra
Director
Consumer Financial Protection Bureau
1700 G St. NW Washington, DC 20552
Dear Director Chopra,
The American Bankers Association (ABA) appreciates the opportunity to comment on the Consumer Financial Protection Bureau's (CFPB or Bureau) Outline of Proposals and Alternatives Under Consideration for Required Rulemaking on Personal Financial Data Rights (Outline). The CFPB published the Outline in compliance with the Small Business Regulatory Enforcement Fairness Act of 1996 (SBREFA), which requires the Bureau to consider the impact on small entities of proposals under consideration in connection with implementation of Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Section 1033).
Regardless of the specific path taken, the CFPB's actions will have profound implications for the future of the data sharing universe. The CFPB may foster innovation and improve the lives of consumers, or it may instead introduce impractical requirements that stifle further development and endanger the privacy and security of consumers' personal financial data. ABA urges the CFPB to tread carefully, adhering to the letter and spirit of the Section 1033 text, while being mindful that future rules do not undermine the good work that has been achieved organically by a cross-industry group of financial institutions, fintechs, and data aggregators. Even now, Application Programming Interfaces (APIs) are not uncommon; as of Fall 2022, over 42 million accounts were connected to APIs using standards developed by one consortium. Thus, while the Outline seems to characterize APIs as a fixture of the future, it would be more accurate to describe them as a part of the present. Nonetheless, it would be fair to say that many of these APIs are available at larger institutions, according to publicly available press releases. Additionally, it is noteworthy that the proliferation of APIs occurred under the auspices of the CFPB's "Consumer Protection Principles" released in 2017 that articulate regulatory expectations regarding data access, scope, control, payment authorization, security, transparency, accuracy, disputes, and accountability (2017 Principles). Accordingly, any proposed rule should be consistent with that document.
With that said, ABA is aware that there are some gaps that only rulemaking can address, particularly with regard to risks presented by the monetization of personal information, data security, and fraud. In addition, we believe rulemaking is necessary to assign liability among market participants and to ensure that all parties are subject to comparable supervision and examination.
ABA has long supported consumers’ ability to access and share their financial data in a secure, transparent manner that gives them control, and we look forward to providing constructive feedback in all phases of the rulemaking process.
Since the CFPB published the Outline on October 27, 2022, ABA has met regularly with members to discuss the proposals under consideration. These discussions have highlighted three issues that are either unaddressed or inadequately treated by the Outline. We urge the CFPB to consider their critical importance as it prepares its proposed rule.
First, as noted in our Petition for Rulemaking Defining Larger Participants of the Aggregation Services Market, the CFPB must cultivate a level playing field among all businesses operating in the personal financial data sharing ecosystem. Currently, only highly regulated financial institutions such as banks and credit unions are examined regularly by the CFPB and/or the prudential regulators for compliance with regulations and agency guidance, leaving it to depository institutions to maintain oversight and assess any potential risks to consumers by data aggregators and data recipients. This supervisory imbalance creates an unsustainable model as the aggregation services market grows, increasing the risk that the laws applicable to the activities of nonbank participants in this market will be enforced inconsistently. These risks, in turn, raise the prospect that potential consumer harm associated with the activities of third parties will not be timely identified and remedied. Therefore, ABA believes the highest priority, and a necessary precondition to finalizing data sharing standards, is ensuring that data aggregators and data recipients that are larger participants in the aggregation services market are examined for compliance with applicable federal consumer financial law. We reiterate our call for the CFPB to initiate a larger participant rulemaking. Without regular and ongoing supervision of larger data aggregators and data recipients, implementation of Section 1033 will increase the risk of harm to consumers and competition. ABA members expressed surprise and disappointment that neither the Outline nor the CFPB's Fall 2022 Unified Regulatory Agenda mentions this critical step necessary for the development of a secure and responsible data sharing ecosystem.
Second, members expressed concern that the Outline fails to adequately address data security, fraud, and liability—issues that will have a significant impact on the ecosystem and consumers. The information that data aggregators are able to collect—which includes not just information from a single account of the consumer but potentially all of the consumer's financial accounts—makes data aggregators an attractive target for bad actors as well as a potential channel for criminals to obtain and use sensitive information. They could obtain the data by hacking a data aggregator or by spoofing one to bait consumers. In addition, bad actors could establish themselves as a data aggregator and obtain the consumer's permission to access personal financial information, which might be countered by an industry-maintained registration or certification system. It appears that under the Outline, the data provider would have no discretion to deny the request (although this is sorely needed, as addressed below). Once fraudsters have this rich data, they could sell it, use it, or engage in social engineering to trick consumers into providing account access information or induce them into sending money to fraudsters. ABA urges the CFPB to address these topics when it issues a proposed rule by allowing for situations in which data providers may refrain from fulfilling a request for access notwithstanding consumer consent, and having regulatory obligations flow with the data throughout the ecosystem (as opposed to it residing statically with the data provider).
Third, during discussions with our members, it became clear that many small and mid-size banks are unaware of the impact this rule will have once implemented. The default state of personal financial data sharing primarily relies on screen scraping technology, which to a certain extent can operate in the background. As a result, many small and mid-size banks may not be fully aware of the volume of this activity, or the potential impact of this rulemaking. The CFPB itself may likewise be unaware of how intensive many of the proposals in the Outline would be on entities with limited resources.
We are concerned, therefore, by the CFPB's engagement to date with small entities that will be affected by the rule. Instead of announcing initiation of the SBREFA review process when the CFPB released the Outline and prioritizing hearing feedback from small entity representatives (SERs) – as required by the Dodd-Frank Act – the CFPB has invited comment from all stakeholders first. It has only recently identified the SERs that will participate in the small entity review process and scheduled the convening meeting that initiates the SBREFA review process. As a result, this comment letter was written without the benefit of those discussions, which would surely have raised perspectives from smaller entities that would have added value.
Download the comment letter to read the full text.