The CFPB has a data privacy blind spot

The safety and security of your personal financial data is a top priority for America’s leading banks, and it should be for the Consumer Financial Protection Bureau (CFPB) too. Unfortunately, the CFPB tasked with protecting consumers and promoting fair competition may be missing the mark with its implementation of “Section 1033” – a little-known provision of the Dodd-Frank Act that could have sweeping implications for the financial services marketplace and consumers alike.

Passed into law more than a decade ago, Section 1033 was intended to ensure consumers were able to access their own personal information held by their financial services provider. But this language was written well before the fintech boom or rise in cyber security scares and has since raised many questions about who can access a consumer’s data, how that data is being protected and shared, what consent is needed, and which party is liable for a potential data breach.

Through this rulemaking, the CFPB could answer these pressing questions in a manner that promotes competition and innovation while still protecting consumers. Instead, the proposal as outlined would dramatically hinder competition and put the safety of consumers and the security of their sensitive financial data at risk. 

Over the past decade, the financial services ecosystem has rapidly evolved. Since the Dodd-Frank Act was passed in 2010, there has been a dramatic increase of non-bank third parties and data aggregators that increasingly utilize consumers’ personal financial information to conduct business. In fact, according to the New York Federal Reserve, non-bank lenders now issue nearly three-quarters of all personal loans — double their share from just five years ago and pushing balances to all-time highs. Unlike well-regulated financial institutions, these entities do not have any federal oversight and lack the same stringent federal standards as banks, depriving users of these providers the protections they expect and deserve.

Although consumers often consent to sharing their financial data as part of the terms of service they must agree to when using certain non-bank services, consumers are generally unaware of how that data may be used or shared. To access data, many aggregators rely on screen scraping, to obtain a consumer’s personal financial information. This process, which typically uses a consumer’s access credentials to pull sensitive user information from a bank’s online financial account management portal, is fundamentally unsafe and puts consumer data at risk.  

Because many consumers commonly mistake deleting a mobile phone or computer application with revoking consent, many non-bank third parties maintain continued, unfettered access to consumers’ personal information even after the relationship has seemingly been severed. In fact, a December 2021 consumer survey report on data privacy and financial app usage found that 80 percent of consumers were largely unaware that apps use third-party providers to gather users’ financial data, and only 24 percent knew data aggregators may sell their personal data to other parties for marketing, research, and other purposes. Despite these concerns, the CFPB has yet to indicate how the agency will supervise these entities for compliance with the final Section 1033 rule.

CFPB Director Rohit Chopra has stated this rule is intended to “empower people to break up with banks that provide bad service and unleash more market competition.” Not only does this sentiment stray from the plain language of Section 1033, it fails to account for the fact that the financial services ecosystem is among the most competitive and innovative in the world. 

The CFPB also indicated that the proposal will only allow consumers to access their information from banks and credit card companies, and not from other financial services providers that may also hold their data, including non-bank mortgage originators, captive auto lenders, fintech Buy Now Pay Later lenders, and other nonbank financial services providers. This approach to implementation would ironically hinder competition by creating an unlevel playing field between well-regulated financial institutions and non-banks, leaving millions of consumers without adequate protections. As the Consumer Bankers Association conveyed in a comment letter this week, by limiting new data-sharing requirements to only certain segments of the marketplace, the Bureau is failing to comply with the basic premise of this important law — to empower consumers with access to all their data.

In light of the growth and challenges that have arisen from the lack of data and consumer protection rules for non-bank third parties, the importance of delivering a final Section 1033 rule that promotes a safe, fair, and competitive financial services marketplace could not be greater. As it stands, the CFPB’s intended proposal implementing Section 1033 will expose the sensitive financial information of millions of consumers to unnecessary risks and fail to provide them with access required by Congress. To meaningfully deliver on their mission, policymakers must shift course before it is too late.

Dan Smith is Executive Vice President and Head of Regulatory Affairs at the Consumer Bankers Association.