12.29.2023

Federal: Comment Letter to CFPB on Proposed Required Rulemaking on Personal Financial Data Rights implementing Section 1033

The Honorable Rohit Chopra
Director
Consumer Financial Protection Bureau
1700 G Street, NW Washington, DC 20552

Re: Proposed Required Rulemaking on Personal Financial Data Rights CFPB-2023-0052

Dear Director Chopra,

On behalf of The American Fintech Council (AFC), I am submitting this comment letter in response to the Consumer Financial Protection Bureau’s (CFPB or the Bureau) Proposed Required Rulemaking on Personal Financial Data Rights (Proposed Rulemaking) implementing Section 1033 of the Consumer Financial Protection Act of 2010 (Dodd-Frank Act).

AFC is the premier trade association representing the largest financial technology (Fintech) companies and the innovative banks that power them. Our mission is to promote a transparent, inclusive, and customer-centric financial system by supporting responsible innovation in financial services and encouraging sound public policy. AFC members foster competition in consumer finance and pioneer products to better serve underserved consumer segments and geographies. Our members are lowering the cost of financial transactions, allowing them to help meet demand for high-quality, affordable products.

AFC has publicly advocated for standards or clear and consistent regulatory frameworks for innovative financial services and products that avoid duplicative or diverging requirements and accurately reflect the nuances of the innovative service. Further, AFC consistently advocates for a strong, unified approach to regulation that properly balances consumer protections with innovation that ensures regulators protect against actual, not perceived, harms to consumers.

The principles of consumer access and increased competition, which underpin the Proposed Rulemaking, are crucial to establishing an effective open banking ecosystem. In principle, AFC supports the goals of the Proposed Rulemaking to codify consumers’ rights to access and control their financial data, as well as advance competition through a broader range of markets due to the availability and transferability of this data by consumers. AFC and its members strongly support consumers’ rights to make their own choices regarding their data and to grant access to data providers that they deem beneficial. Specifically, AFC agrees with the Bureau’s stance regarding the prohibition of fees that could limit consumers’, or third parties on consumers’ behalf, access to their financial data. Many of our members established their companies on the premise of providing consumers with improved services by leveraging innovations powered by consumers’ data. Further, over the eight years that the CFPB has been engaged on the issue of its Required Rulemaking on Personal Financial Data Rights, our members have used consumer-provided and permissioned data to successfully improve access to financial services, particularly to those that have been historically underserved, and increase competition in the financial services industry.

However, the provisions, as written, in the Proposed Rulemaking draw concern that the CFPB could fall short of its goals if the Proposed Rulemaking is finalized without amendment. Specifically, as detailed further below, AFC has significant concerns regarding the 1) scope and coverage of the Proposed Rulemaking; 2) limitations imposed on data providers and third parties regarding the acceptable use of consumer data; 3) framework for establishing and recognizing standard setting bodies as issuers of qualified industry standards for consumer data; and 4) reauthorization requirements.

Thus, AFC has provided the below recommendations for the Bureau’s due consideration as it finalizes its Required Rulemaking on Personal Financial Data Rights.

I. AFC Recommends Changes to the Proposed Rulemaking’s Scope and Definitions to Improve Clarity and Efficacy of the Proposed Rulemaking’s Sec. 1033.101 and 1033.111

AFC consistently advocates for the development of a unified regulatory approach that provides clear supervisory expectations for innovative financial institutions and fintech companies. In accordance with these principles, we explain our concerns related to the scope and definitions in the Proposed Rulemaking, and respectfully provide our recommendations on how the Bureau should remedy these issues.

a. Broadening the Scope of the Proposed Rulemaking would Assist Consumers in Providing Data on their Full Financial Lives

The CFPB has pursued a broad scope regarding the data that would be required to be made available by data providers under the proposed rulemaking by covering asset accounts that fall under Regulation E, credit card accounts under Regulation Z, and “products or services that facilitate payments from a Regulation E account or Regulation Z credit card.” The breadth of this scope, while helpful for achieving the goals underpinning the Proposed Rulemaking, could be better served by including additional consumer data that exists in the financial services industry.

As noted in the Proposed Rulemaking, the Bureau received comments on the importance of expanding the coverage of the rulemaking to include data associated with electronic benefit transfer (EBT) cards and consumers’ investment portfolios in response to the agency’s Small Business Regulatory Enforcement Fairness Act (SBREFA) Outline preceding the Proposed Rulemaking. In general, AFC agrees with the commenters that including these consumer financial products and services, and the consumer data associated with them, under the scope of the Proposed Rulemaking can greatly improve a consumer’s access and ability to provide their data to the Data Providers and third parties of their choice. In addition to the EBT and securities data, payroll and employment data provides another space where consumers are able to provide important information about their financial lives.

Ultimately, AFC believes that the ability for consumers to share their full financial lives with the entities they choose will provide significant benefits to their access to financial services and increase competition within the financial services industry. It is with this in mind that AFC supports the expansion of the Proposed Rulemaking’s scope in this manner, and therefore recommends that the Bureau consider expanding its proposed coverage in the final rulemaking or pursuing concurrent rulemaking that would capture additional consumer data variables that are not captured in the current scope of the rulemaking or pursuing an outright expansion of the Proposed Rulemaking’s scope.

Therefore, AFC recommends that the Bureau carefully consider the consumer data ecosystem and expand the scope of the current rulemaking to ensure that consumers have access to the aforementioned EBT, securities, and payroll data to make it available to third parties and other Data Providers as they see fit. In lieu of expanding the scope of the current Proposed Rulemaking, AFC recommends that the Bureau pursue subsequent rulemaking to include the aforementioned consumer financial data prior to the first compliance effective date of this Proposed Rulemaking. By either expanding the scope of the current Proposed Rulemaking or ensuring that subsequent rulemaking follows at an appropriate, though expedited rate, after the finalization of the Proposed Rulemaking, CFPB will be able to ensure that it is creating a unified and comprehensive open banking environment that will benefit consumers by enabling the free flow of data related to their full financial lives.

b. Clarifying the definition of “Data Provider” would Avoid Conflicting and Confusing Requirements

Under the Proposed Rulemaking, the term “data provider”, as defined, presents concerns due to a lack of clarity within the definition. While AFC believes that the Bureau provided sufficiently clear parameters within the first two provisions in its definition of “data provider”, its proposed provision in 1033.111(c)(3) lacks sufficient clarity to determine the specific covered entities under the definition. Further, when considered in the broader context of a “data provider”-“third party” relationship, there seems to be some significant overlap between the definitions that could leave covered entities confused about their standing as a “data provider” or “third party” and the applicability of requirements therein prescribed by the Proposed Rulemaking.

Ultimately, the aforementioned lack of clarity within the “data provider” definition, as well as the significant overlap between the “data provider” and “third party” definitions, could result in significant confusion regarding compliance requirements for each entity. For example, under the Proposed Rulemaking’s definitions, a fintech company that partners with a bank could be reasonably construed as a “data provider” but could also function as a “third party” depending on the facts and circumstances of a given financial product or service. To that end, both the bank and fintech company, acting in a responsible, compliance-first manner, could create conflicting compliance deadlines for their products and services that confuse the industry participants and introduce unnecessary compliance and reputation risks into the financial institution’s third-party risk management practices. By introducing these unnecessary compliance and reputation risks, financial institutions could terminate their partnership in order to mitigate third-party risk management concerns from their prudential regulator. In turn, this could undercut the competition principle that underpins the Bureau’s Proposed Rulemaking by creating confusion between partnered banks and fintech companies that results in the termination of business activities that increase the competitiveness of both the financial institution and the fintech company, for the benefit of the consumer.

In addition, the term “control” holds significant importance in defining and characterizing an entity’s involvement with consumer data. In other data-related regulations, such as the European Union’s General Data Protection Regulation, the regulatory body has specifically defined relevant terminology related to the control of consumer data in the context of the regulation. In the absence of a definition, the term would fall to a common law meaning of the term. Given the relation of the term to an emerging issue that has not had the benefit of substantial interpretation via common law proceedings, it seems in the best interest of the Bureau to construct an explicit definition of “control” for the purposes of this rulemaking.

Therefore, AFC recommends that the Bureau should

  1. amend its language in the proposed definition of “data provider” to strike the term “or possesses”, as that quality significantly overlaps with the Proposed Rule’s definition of “third party”;
  2. build upon the proposed “Example 1 to paragraph (c)” by including a non-exhaustive list of entities that would be covered under the definition of “data provider” either directly within the finalized rulemaking or via subsequent guidance; and
  3. define “control” for the purposes of this rulemaking as “determines or defines the purposes of the provided consumer data or the means of processing it”.

II. AFC Recommends the Bureau Adequately Provide for the Responsible Secondary Use of Data under the Proposed Rulemaking’s Sec. 1033.421

The original congressional intent of the CFPB was “to ensure that: 1. consumers have, understand, and can use the information they need to make responsible decisions about consumer financial products or services; 2. consumers are protected from abuse, unfairness, deception, and discrimination; 3. markets for consumer financial products or services operate fairly and efficiently with ample room for sustainable growth and innovation; and 4. traditionally underserved consumers and communities have access to financial services.” AFC and its members have consistently engaged with Bureau leadership to explain emerging innovative financial products and services in order to accurately describe the benefits and risks associated with a given product or service, and help to develop a pragmatic regulatory framework that allows for the development of responsible innovation for the benefit of consumers. AFC recognizes that the CFPB has consistently worked to accomplish the intended purposes Congress imbued in the agency and protect consumers from actual harm that befalls them.

Under the Proposed Rulemaking, the CFPB has drafted provisions that significantly limit the use of consumer data for legitimate business purposes that would stymie the ability for financial products and services to sustainably grow and innovate. Further, the provisions, as written, ultimately limit the ability for consumers to make responsible decisions about the consumer financial products and services they choose to use, particularly in areas that have been traditionally underserved. AFC agrees with the importance of creating a robust disclosure regime to ensure that consumers remain aware of how the data they provide to financial services providers is being used and stored. However, AFC believes that the Bureau has proposed a regulatory regime that could severely inhibit innovation and competition in the financial services industry, ultimately to the detriment of consumers.

As AFC noted in its comment letter regarding the CFPB’s Small Business Advisory Review Panel for Required Rulemaking on Personal Financial Data Rights Outline, the Bureau should effectively balance consumer choice with legitimate business needs. In the Proposed Rulemaking, CFPB explicitly prohibits targeted advertising, cross-selling of other products or services, or the sale of covered data, from activities that are “reasonably necessary to provide” a consumer with a requested product or service. While AFC understands the Bureau’s rationale for pursuing such a strong prohibition on the aforementioned activities, we recognize that targeted advertising and cross-selling of products may not always fit the nefarious or deceptive qualities from which the Bureau is seeking to protect consumers. In fact, at times, targeted advertising and cross-selling can result in related products and services being offered to a consumer. Unfortunately, based on the limitations discussed in the Proposed Rulemaking, consumers would no longer be able to receive offers for financial products and services that would help them in their financial journey, because these products and services would not be “reasonably necessary to provide the consumer’s requested product or service”.

In the context of modern data collection and usage practices, customers are offered significant benefits, such as the ability to access affordable loans and other banking services not previously available to them. Innovative fintech companies are able to offer these products responsibly to consumers by leveraging the consumer-provided data collected on the fintech company’s platform. As evidenced in multiple government, industry, and academic reports, these activities have provided significant benefits to consumers, particularly those in traditionally underserved areas, such as low- and moderate-income communities, embodying many of the aforementioned principles imbued in CFPB by the U.S. Congress.

AFC is cognizant that some consumers may feel uncomfortable with the fact that companies collect, retain, and use their data to provide innovative products and services. However, it would be contrary to CFPB’s established policy to engage in any investigatory or enforcement activities based on the perception of harm or emotional distress stemming from companies’ data practices. Further and most importantly, actual consumer and competitive harm, such as the inability to offer innovative credit products in a responsible manner, would result from strict prohibition of targeted advertising and cross-selling. This actual consumer and competitive harm would dramatically undercut the original congressional intent for the establishment of the CFPB, as well as the competition principle underpinning the Proposed Rulemaking.

The CFPB’s implementation of Section 1033 of the Dodd-Frank Act represents the most significant and comprehensive step towards creating an “open banking” ecosystem for the benefit of consumers. Again, AFC supports the Bureau in this endeavor. However, existing laws and regulations, such as the Gramm-Leach-Bliley Act and Fair Credit Reporting Act, established frameworks for disclosure of data sharing and the ability for consumers to opt out of this activity. State laws, such as the California Consumer Privacy Act (CCPA), also allow the collection and use of consumer data for a “business purpose”, which includes the use of consumer data where it is “reasonably necessary and proportionate to achieve the operational purpose for which it was collected or processed, or for another operational purpose that is compatible with the context in which it was collected”. Further, within its definition of “business purpose”, the CCPA allowed consumer data to be used for providing some types of advertising and marketing services, “undertaking internal research for technological development and demonstration”, and undertaking activities to verify or maintain the quality or safety of, or upgrade or enhance, a business’ service or device.

Moreover, the limitations expressed in the Proposed Rulemaking regarding the use of anonymized data by covered entities could stymie much of the innovation that has led to increased financial inclusion. Neither GLBA nor CCPA has defined covered personal data to include de-identified, aggregated, or anonymized consumer data. AFC members leverage anonymized consumer data to help develop and train algorithms that more accurately underwrite consumers than traditional models. In virtue of the increased accuracy found in these models, these companies are able to provide much needed loans at responsible rates to individuals that have been traditionally excluded from access to financial services due to the inefficient and ineffective modeling techniques of the past. Ultimately, this could lead to negative outcomes for both innovative financial services products, as well as consumers in general. For example, a consumer may permit the use of their data to determine their eligibility for a personal loan. In addition, limiting the use of anonymized data as explained in the Proposed Rulemaking would greatly limit the ability for the innovative and accurate models described to continue operating in the financial services industry.

In response to these frameworks and the settled expectations derived from them, the financial services industry, including innovative providers engaged in responsible bank-fintech partnerships, has developed clear and conspicuous disclosures for consumers that, in turn, allow the financial service providers to offer innovative products and services for the benefit of consumers. AFC has consistently advocated for the avoidance of duplicative or diverging regulatory requirements. With this in mind, AFC respectfully requests that the Bureau further clarify the extent that the Proposed Rulemaking will duplicate, overlap, or conflict with relevant federal rules in relation to GLBA, FCRA, and other relevant frameworks and ensure due consideration of the settled industry expectations and innovative, consumer-focused business models developed under these frameworks.

To remedy the aforementioned issues and avoid any incongruous or conflicting requirements, AFC recommends that the Bureau adequately provide for the responsible secondary use of consumer data by modifying its language in Sec. 1033.421(c)(1) from “uses that are specifically required under other provisions of law, including to comply with a properly authorized subpoena or summons or to respond to a judicial process or government regulatory authority” [emphasis added] to “uses that are required, allowable, or exempted under other provisions of law…” [emphasis added]. In addition, AFC recommends that the Bureau provide consumers additional choice regarding the manner in which data providers and third parties are allowed to use their data by requiring clear and conspicuous disclosures that allow consumers the ability to opt-in to services that could be regarded as “targeted advertising” and “cross-selling” when it would benefit the consumer.

III. AFC Recommends Leveraging CFPB’s Office of Competition and Innovation and Additional Regulatory Flexibilities to Create an Effective and Equitable Open Banking System under the Proposed Rulemaking’s Secs. 1033.131, 1033.141, and 1033.421

AFC has consistently advocated for the development of clear guidance that adequately explains the expectations of financial regulators. In addition, we have also worked to develop a modern regulatory framework that aligns incentives for fintech companies and innovative banks for the benefit of consumers. To that end, AFC agrees with the enumerated principles that the CFPB has proposed regarding the establishment and recognition of standard setting bodies for the creation of data standards, as well as the Bureau’s focus on promoting a competitive data access framework that should “reflect a full range of relevant interests”.

a. Additional Opportunities for Small and Innovative Entities in the Establishment of a Standard Setting Body will Ensure an Equitable Open Banking Ecosystem

Given the heterogeneity of the financial services data ecosystem, AFC recognizes that there is an inherent difficulty to ensuring all voices are heard in the establishment of a standard setting body and subsequent industry standards. While the enumerated principles provide a beneficial framework for ensuring a fair and equitable open banking ecosystem, in practice, the work conducted by industry participants may result in an open banking ecosystem that does not adequately meet the needs of smaller entities.

AFC believes that the Bureau has sufficient tools available to mitigate these concerns through the use of its Office of Competition and Innovation. Reconstituted in March 2022 from its previous iteration as the Bureau’s Office of Innovation, part of the mission of the Office of Competition and Innovation is to “understand how bigger players can gain advantage over smaller players” and identify ways to address common obstacles to the success of innovators. With this in mind, AFC recommends that the Bureau provide additional opportunities for small and innovative entities to engage effectively in the development of the standard setting bodies through the development of specific standard setting body development criteria and programs designed to incentivize the engagement of innovative small entities that might face resource or network constraints that would make it challenging to effectively engage in the establishment of a standard setting body as detailed under the Proposed Rulemaking, such as an innovative small entity standard setting body advisory board.

b. Providing Regulatory Flexibilities for Efforts Put Forth in the Absence of a Standard Setting Body will Help Ensure an Equitable Open Banking System

While AFC agrees in theory with the establishment and recognition of a standard setting body, as detailed in the Proposed Rulemaking, in practice AFC recognizes the challenges that this endeavor presents. Specifically, in the absence of an established and recognized standard setting body, which will likely be the case shortly after finalization of the Proposed Rulemaking, data providers and third parties will pursue full compliance with the newly established requirements. Pursuant to the final rulemaking, AFC members will devote significant resources to creating such developer interfaces. In the absence of an established and recognized standard setting body that is able to provide authoritative stances on the final rulemaking’s provisions and broader standardization within the industry, data providers and third parties may reasonably develop data interfaces that are ultimately deemed insufficient or invalidated by the standard setting body recognized by CFPB, at a much later date than the data providers completed their developer and consumer interfaces, but that were in compliance with the rulemaking at the time that the interfaces were established. To avoid this issue, the CFPB’s final rulemaking should make clear that any processes that were implemented prior to a standard setting organization becoming qualified, and that were consistent with the rule’s requirements at that time, meet the requirements of the CFPB rule even if they differ from the ultimate standard developed. Otherwise, these industry participants will experience an undue cost burden predicated on the reasonable interpretation of the Bureau’s rulemaking but deemed insufficient or invalid ex post facto at potentially significant financial cost to the industry participant and confusion to the consumer.

To remedy the aforementioned implementation concerns, AFC recommends CFPB provide due regulatory flexibility for processes, procedures, and interfaces developed and implemented by Data Providers and third parties pursuant to reasonable interpretations of the requirements set forth in the finalized rulemaking, but prior to the establishment and recognition of a standard setting body. Providing regulatory flexibility in the manner described is especially important for innovative community banks and credit unions—many of whom are AFC members—who purposefully deploy their limited capital to pursue strategic initiatives to improve their product and service offerings for the benefit of consumers. These institutions would face an undue financial burden from shifting requirements and subsequent modifications of their processes, procedures, and interfaces if they are not afforded due regulatory flexibility. As noted above, the perspectives and activities of innovative community banks are crucial to ensuring a fair and equitable open banking ecosystem that allows competition to flourish. This consideration is especially important when considering how the implementation of the Proposed Rulemaking will be conducted in practice.

IV. AFC Recommends the Bureau Provide Additional Nuance to its Reauthorization Requirements under the Proposed Rulemaking’s Sec. 1033.421

AFC agrees with CFPB on the importance of clear and conspicuous disclosure of the collection, use, and retention of consumer data by data providers and third parties. In general, AFC agrees with the Bureau regarding the specific standards, practices, and performance requirements within the Proposed Rulemaking. While AFC recognizes the importance that activities such as “screen scraping” have had on the development of the open banking ecosystem prior to the promulgation of the Proposed Rulemaking, we believe that for the benefit of consumers, all entities in the data ecosystem must rapidly move to safer and more secure methods of collecting data, such as through secure application program interfaces.

However, the proposed provisions in the Bureau’s rulemaking regarding the maximum duration and reauthorization requirements present the need for additional nuance in order to ensure the most effective outcome for consumers and the usability of the financial products and services with which they engage. The Proposed Rule’s provision of a 12-month mandatory reauthorization window partially achieves adequate consumer protection without introducing undue friction into the user journey, but AFC recommends that the Bureau should clearly provide that any instance in which a consumer refreshes their data, including a refresh authorized by the consumer as part of an active membership or ongoing service that specifically contemplates a recurring refresh (e.g. self-contributing tradelines to a credit file), or facilitates a payment with an authorized third party constitutes a new authorization for the purpose of restarting the 12-month reauthorization window. Also, AFC recommends that the Bureau provide additional clarity regarding the Proposed Rulemaking’s limitations on allowable data collection frequency.

In addition, some covered financial products and services may use data solely for the purpose of benefiting consumers. Examples include services that solely pull positive data from a Data Provider in order to improve a person’s credit score or provide additional positive information on their credit reports. In practice, these services should and do require a consumer to initially opt into the service. Further, once consumers are enrolled, they receive periodic updates about the benefits they are receiving from the services. Consumers enrolled in these types of services can “set and forget” their participation in the service, and still benefit from it. If a consumer opts into this type of service, then requiring a 12-month mandatory reauthorization through affirmative engagement with the consumer seems to introduce unnecessary frictions that could ultimately expel consumers from this beneficial service without their knowledge. To this end, AFC recommends that the Bureau consider developing an exemption for the mandatory reauthorization provisions in the Proposed Rulemaking for data collected for use in products or services that are solely for the purpose of benefiting consumers.

* * *

AFC appreciates the opportunity to comment on CFPB’s Proposed Required Rulemaking on Personal Financial Data Rights. AFC and its members seek to ensure a competitive, consumer protected open banking ecosystem. CFPB, through its Proposed Rulemaking, has the opportunity to ensure that the U.S. open banking ecosystem effectively meets its underlying goals of ensuring consumer access to their data and improving competition in the financial services industry, while also continuing to meet the agency’s mission as designated under the Dodd-Frank Act. It is with this in mind that we urge the Bureau to carefully consider the above concerns and recommendations related to the Proposed Rulemaking.

Sincerely,

Ian P. Moloney
SVP, Head of Policy and Regulatory Affairs
American Fintech Council

About the American Fintech Council: The mission of the American Fintech Council is to promote an innovative, responsible, inclusive, customer-centric financial system. You can learn more at www.fintechcouncil.org.