Outline of proposals to implement section 1033 of the Dodd-Frank Act
October 2022
KPMG Insight: Amidst heightened regulatory attention on data – including its collection and use alongside consumer privacy and data security concerns – the CFPB has released its long-anticipated outline of proposals to implement section 1033 of the Dodd-Frank Act, which provides consumers with more choices and direction over their own financial data. The Bureau considers this a step toward “open banking” in the United States, adding that the plan to start with transaction accounts, such as deposit accounts and credit cards, is a point “where industry infrastructure for consumer-authorized financial data sharing has already begun to take shape.” Financial institutions and credit issuers subject to the Bureau’s future rulemaking on financial data rights and should anticipate increased supervisory activities relating to collection, use, and retention of consumer information as well as heightened consumer awareness of and attention to policies and practices impacting their personal financial data.
The Consumer Financial Protection Bureau (CFPB) released an outline of proposals and alternatives under consideration for a rulemaking to implement section 1033 of the Dodd-Frank Act, which provides consumers rights to access their own financial data. The outline is provided for review to a panel of small entities (e.g., banks, financial companies, data aggregators) likely to be directly affected by the regulations, if finalized. CFPB expects to release a notice of proposed rulemaking incorporating comments received from this panel as well as other interested parties in the first quarter of 2023. Public comments on the outline may be provided to the CFPB through January 25, 2023.
The CFPB is considering proposing applicable rules in the following areas:
Data providers subject to the proposals under consideration. If finalized, the CFPB’s proposed rules would apply to Regulation E financial institutions (including non-depository and depository financial institutions that provide consumer funds holding accounts) and Regulation Z card issuers—together “covered data providers”. Such entities would be required to make available to consumers (or authorized third parties) data that relates to asset accounts (e.g., deposit accounts and other transaction accounts) and credit card accounts. The CFPB intends on covering more products over time under section 1033.
Recipients of information. Under the CFPB’s proposal, covered data providers will be obligated to make information directly available to consumers and authorized third parties that request account data. According to the CFPB, it is not considering any proposal that would affect current requirements of covered data providers under consumer financial laws such as the Electronic Fund Transfer Act (EFTA), the Truth in Savings Act (TISA), and the Truth in Lending Act (TILA).
Types of information made available by a covered data provider. Pursuant to section 1033(a) of the Dodd-Frank Act, the CFPB is considering requiring data providers to make available information that is in their possession concerning consumer financial products or services that were obtained from the data provider. Categories of information that may be required with respect to covered accounts include:
Availability of information. Covered data providers may be required by the CFPB to make information available in response to requests for direct access through online financial account management portals. Furthermore, data providers will be required to make information available to authorized third parties requesting information on behalf of a consumer.
Third party obligations regarding collection, use, and retention of consumer information. Under the CFPB’s considerations, third parties acting on behalf of an individual consumer and accessing consumer information would be subject to requirements including:
Small Entity Representatives (SERs), data providers and third parties are invited by the CFPB to provide feedback on questions listed throughout the proposal and should support their answers with quantitative information and feedback on costs and benefits of the proposals and alternatives.
Relevant KPMG Though Leadership:
KPMG Regulatory Alert | Data Retention and Deletion: Increasing Regulatory Expectations
KPMG Regulatory Insights is the thought leader hub for timely insight on risk and regulatory developments.