Word on the Street | ABC Legal Blog

Proposed Rulemaking on Consumer Access to Financial Records

Written by ABC Legal Services | Dec 3, 2020 6:22:37 PM

On October 22nd, 2020, the Consumer Financial Protection Bureau (CFPB) released an advance notice of proposed rulemaking (ANPR) to solicit feedback for creating rules governing consumer access to financial records. The CFPB felt it was important to finally take action to implement rules as required under the Dodd-Frank Act due to the rapid increase in financial institutions and financial technology companies seeking to access and aggregate consumer financial data to provide new services for consumers. Services that help consumers organize their financial data in one place, known as aggregators, are becoming increasingly popular with consumers and ambiguity is limiting their ability to grow. Traditional financial institutions are not always clear about what protocols to use, impeding the ability of aggregators to innovate and compete. That’s why creating rules to address this new development in consumer access to financial records is so important. The Bureau is inviting comments on all aspects of the ANPR from industry, consumers and advocacy groups as a prelude to drafting and issuing their final rules.

The Dodd-Frank Act and the CFPB


The Dodd-Frank Act Wall Street Reform and Consumer Protection Act of 2010 created the CFPB as an independent agency within the Board of Governors of the Federal Reserve. The CFPB is tasked with regulating the offering and provision of consumer financial products and services to ensure that laws are enforced consistently so that consumers are protected from fraud and abuse, and so that markets are fair, transparent and competitive. Section 1033 of the Act provides for consumer access to financial records, including all forms of machine-readable data. The Bureau applauds the efforts of most market participants for maintaining secure and effective consumer access and control but is concerned about some emerging practices that may not reflect proper access as required under Section 1033. There is also regulatory uncertainty that the Bureau would like to address, including the interaction between other statutes. It’s important to note that Dodd-Frank exempts the production of algorithms used to determine credit scores and does not specify how long records must be maintained.

What Will The New Rules Be Addressing?

New rules are being proposed in the following nine areas related to consumer-authorized access:

  1. Costs and benefits of consumer data access;
  2. Data scope and usability;
  3. Control and informed consent;
  4. Authorizing payments;
  5. Security;
  6. Access transparency;
  7. Accuracy;
  8. Ability to dispute and resolve unauthorized access and
  9. Efficient and effective accountability mechanisms.

The challenge is to propose rules that provide the access that can benefit consumers and industry while maintaining a safe and secure data environment. There are overlapping concerns for remaining in compliance with the Gramm-Leach-Bliley Act and the Bureau’s Regulation P, which addresses providing consumers with notices of privacy practices and places limitations on disclosure of personal information to non-affiliated third parties, and on the disclosure and reuse of such information. The Fair Reporting Act, and its implementing Regulation V, governs the assembly, collection and use of consumer credit information, including its fairness and accuracy. The bureau is looking at ways to improve consumer access to their credit report beyond simply receiving a free report once a year.

What Are The Benefits For Consumers?

Consumers benefit from allowing third parties to access their financial data. For example, allowing a mortgage lender access to digital records to verify an applicant’s account assets spares them the burden of assembling this data on their own. This type of system can cut down the time it takes the lender to make a decision because of the greater assurance of the accuracy and veracity of the data when it’s presented in this form. There are concerns about whether financial services companies are being forthcoming about the ways consumer financial data is being used, stored and shared with others. Most consumer financial data is currently shared with digital banking credentials, making it easy for consumers to authorize transactions. Increasing concerns about security are prompting more use of the more secure “tokenized” form of access that would allow consumers to easily authorize access to data with increased security. Consumers also benefit from the ability to more frequently access their data in real-time through aggregators that facilitate access to their credit reports from multiple providers. These aggregators can also help consumers by providing customized recommendations for useful services such as short-term credit options that compete with checking overdraft functionality and pricing.

What Position Is The Industry Taking?

The financial technology firms are known as “fintech” are optimistic that the new rules that more actively support consumer access to financial data will help their businesses grow. The emphasis on assisting consumers with their right to access their data for use by third parties will help to provide competitive financial products and will help consumers feel more comfortable utilizing a wide range of groundbreaking financial technology services. John Pitts, head of the data aggregation company Plaid, believes that fintech is becoming more essential to people’s financial lives and the ANPR foreshadows the future of financial services. There is a conflict between some aggregators like Finnicity and Plaid that use the so-called “screen scraping” technique to collect information from user’s bank accounts and some traditional data holders. This “screen scraping” helps them easily connect peer to peer payment accounts such as robo advisor betterment and Venmo, making their services more swift and comprehensive. Some banks allege that these practices are unsafe and lack transparency for the consumer. Chase and PNC have gone as far as locking out aggregators from accessing passwords that would allow data to be used by aggregators. The big banks claim these moves are solely due to security concerns, with the aggregators alleging that they are trying to deter competition. For example, non-banks like Greenlight offer debit cards for kids that require financial data from the parent’s bank. These accounts are very user friendly and customized to their purpose of providing an allowance to children, taking business away from the less fully featured child’s debit cards offered by major banks.

What Are The Stakeholder Comments?

The Bureau received comments from many different stakeholders including large and small data holders, and their trade associations, data aggregators, account data users, individual consumers and consumer groups. As a practical matter, the data holders ecosystem is primarily banks, credit unions and other providers of core transactional accounts. Data users can also be banks and other traditional financial services companies as well as non-bank “fintech” companies that offer consumers financial products that aggregate their data. The “fintechs” are concerned that consumers are not able to authorize access as fully as what’s mandated by Section 1033. They report that some types of data such as “costs and charges” are sometimes withheld and that data holders are too narrowly defining “use cases” in order to limit the data they allow the consumer to authorize. Most stakeholders share concerns about ambiguity about who is liable for unauthorized access under the Electronic Fund Transfer and Regulation E and the Fair Credit and Reporting Act. Consumer groups support increasing the consumer’s ability to authorize access to third parties because it will increase competition for financial services which will benefit consumers with more choices and lower prices. They also believe it’s important to put in place additional safeguards to protect consumers from unauthorized use of their data and from unexpected charges.

About ABC Legal Services

ABC Legal is the nation’s leading service of process and court filing company and is the official process server to the U.S. Department of Justice. Docketly is a subsidiary of ABC Legal, providing appearance counsel on a digital, custom-built platform that smoothly integrates with our applications and services. ABC Legal’s applications are cloud-based and compatible for use on desktop, browser and smartphones. Our solutions and digital approach ensure process server partners, law firm customers and their clients save valuable time and resources when serving legal notices safely and with maximum compliance, control and transparency. ABC Legal is based in Seattle, WA, with more than 2,000 process servers throughout the U.S., as well as internationally in more than 75 countries. To learn more about ABC Legal, our solutions and subsidiary company Docketly visit www.abclegal.com.