Federal: Joint Trades Letter to CFPB Regarding Compliance Materials for Personal Financial Data Rights

The Honorable Rohit Chopra

Director

Consumer Financial Protection Bureau

1700 G St. NW                                                                                                                
Washington, DC 20552

‍

Via electronic mail

Re: Docket No.CFPB-2023-0052; Joint trades letter regarding compliance materials for Personal Financial Data Rights [RIN3170-AA78]

Dear Director Chopra,  

The American Bankers Association (ABA),^[1]the American Fintech Council (AFC),^[2]and the Community Development Bankers Association (CDBA)^[3] appreciate the Consumer Financial Protection Bureau’s (CFPB or Bureau) efforts in building a framework for safe and secure consumer-permissioned data sharing, as evidenced by its Proposed Rule on Personal Financial Data Rights^[4](Proposed Rule). We are writing to you on behalf of our members to request that the Bureau takes all reasonable steps to put the entities we represent in a position to succeed.

Our organizations all have the privilege of representing small and emerging entities operating in the open banking ecosystem; these include traditional depository institutions as well as nonbanks such as fintechs, and they may function indifferent capacities depending on the situation (i.e., as a data provider or data recipient). But while there may be differences in the constitution of our members, they have much in common: a desire to assist consumers in meeting their financial goals, offering uninterrupted financial services, and the requirement to comply with the rules and expectations of agencies (although there are nuances with respect to supervision). However, this latter issue may prove difficult to effectuate in certain instances, such as the instant case of a novel regulation or with concurrent, overlapping rulemaking such as potential changes to Regulation V.

The technical complexity of Section 1033 operationalization, the need to understand the context of the ecosystem’s historical development, and the tangled spiderweb of overlapping laws and existing entity-specific solutions renders the challenge especially arduous. This was made clear by conversations of the undersigned associations with their members, during which a material number demonstrated unfamiliarity with some of the core concepts in consumer-permissioned data sharing as well as uncertainty in how to implement some of the Bureau’s contemplated obligations. In addition, several sections of the Proposed Rule are unclear and inconsistent in the abstract and would benefit from practical implementation advice. While it is probable that the CFPB will incorporate stakeholder feedback as it finalizes the rule to reduce the ambiguity, additional steps are necessary to ensure an effective rollout that limits disruptions to consumers.

The Small Business Regulatory Enforcement Act (SBREFA), as amended by the Small Business and Work Opportunity Act of 2007, requires that “agencies prepare compliance guides for any rule for which they must prepare a final regulatory flexibility analysis. Agencies are required to publish the guides not later than the effective date of the requirements, post them to websites, distribute them to industry contacts, and report annually to Congress.”^[5] SBREFA prescribes that the guide “explain the actions a small entity is required to take to comply…” including a “description of actions needed to meet the requirements of a rule, to enable a small entity to know when such requirements are met[.]”^[6]

The Bureau may choose to include a “description of possible procedures…that may assist a small entity in meeting such requirements”^[7]—and it should pursue that step here. However, such described procedures must neither create nor diminish requirements of the rule.^[8] Itis imperative that the CFPB have consistent expectations for the ecosystem and not establish a bifurcated compliance regime for substantive provisions of the rule that are applicable to both small and large entities.  

Importantly, the list of examples should encompass both illustrations of what the Bureau considers compliance as well as non-compliance. Below is a non-exhaustive list of areas that should be covered by the materials:

·      Examples of terms such as “digital wallet provider[s],”“consumer interface,” “scope of the data,” and “machine-readable” formatting;

• Guidance on how crossing an asset or revenue threshold after the final rule’s issuance impacts the entity’s compliance dates;
• Examples of acceptable and unacceptable uses of the exceptions;
• Examples of acceptable and unacceptable denials related to risk management, including addressing international third parties (however, such examples should     not be interpreted to constrain data providers from conducting reasonable, holistic risk management or otherwise complying with prudential requirements);
• Examples of reasonable written policies and procedures for data providers and third parties;
• Examples of acceptable and prohibited usage of data under the “reasonably necessary” standard, including illustrating the concept of the “stand-alone” product or service mentioned in footnote 130; and
• Examples of responses to the “keeping consumers informed” requirement of third parties^.[9]

There is also the question of timing. SBREFA requires that the guide be published, posted, and distributed on the same date as publication of the final rule (or as soon as possible after that date), and “not later than the date on which the requirements of the rule become effective.”^[10]The Proposed Rule notes an effective date of 60 days after publication in the Federal Register, distinguishable from the tiered compliance dates.[11]Although small entities have a long runway, much work will have to be commenced immediately. In addition, the first tranche of entities would also benefit from the CFPB’s insights, as they have a mere 6 months to update their systems under the Proposed Rule.^[12]Therefore, the undersigned believe that the materials should be issued no later than contemporaneously with the final rule.

Beyond the formal Small Entity Compliance Guide, SBREFA allows for informal guidance“[w]henever appropriate.”^[13]This includes “answer[ing] inquiries by small entities concerning information on, and advice about, compliance with such statutes and regulations, interpreting and applying the law to specific sets of facts supplied by the small entity.”^[14] The undersigned believe that providing such informal Section 1033 guidance to both small entities providing data and small entities receiving data is indeed appropriate. This might be structured as a sort of “hotline” which would allow stakeholders to ask specific questions and receive consistent answers in an expeditious manner.

We recognize that the production of this Small Entity Compliance Guide and proffering of informal advice will require significant time and resources on the part of the Bureau, but for all the above reasons the effort would be more than justified; indeed, it is an essential element for small entities operating in good faith to be able to meet the CFPB’s regulatory expectations.

Thank you for your kind attention to this matter.

Respectfully submitted,

American Bankers Association (ABA)

American Fintech Council (AFC)

Community Development Bankers Association (CDBA)

‍

‍

^[1] The American Bankers Association is the voice of the nation’s $24 trillion banking industry, which is composed of small, regional and large banks that together employ approximately 2.1 million people, safeguard $19 trillion in deposits and extend $12.4 trillion in loans.

^[2] The American Fintech Council (AFC) is the premier trade association representing the largest financial technology (Fintech) companies and innovative BaaS banks. Our mission is to promote a transparent, inclusive, and customer-centric financial system by supporting responsible innovation in financial services and encouraging sound public policy. AFC members foster competition in consumer finance and pioneer products to better serve underserved consumer segments and geographies.

^[3] CDBA is the national trade association of banks and thrifts with a primary mission of promoting community development. The majority of our members are US Treasury-designated Community Development Financial Institutions (CDFIs), which means that they target at least 60% of their total lending and activities to Low- and Moderate-Income (LMI) communities and customers that are underserved by traditional financial service providers. Many of our members are also Minority Depository Institutions (MDIs). CDBA members work in impoverished urban, rural, minority, and Native American communities to narrow the wealth gap and create real economic opportunity.  

^[4] Consumer Financial Protection Bureau, “Required Rulemaking on Personal Financial Data Rights, Proposed

Rule and Request for Public Comment;” available at  https://www.federalregister.gov/documents/2023/10/31/2023-23576/required-rulemaking-on-personal-financial-data-rights#sectno-reference-1033.121.

^[5] U.S. Small Business Administration—Office of Advocacy, “A Guide for Government Agencies: How to Comply with the Regulatory Flexibility Act,” page 2; available at https://advocacy.sba.gov/wp-content/uploads/2019/06/How-to-Comply-with-the-RFA.pdf.

^[6] 5 U.S.C. § 601 note at § 212 (Small Business Regulatory Enforcement Fairness Act).

^[7]Id.

^[8]Id.

^[9] See Proposed Rule, supra note 4.

^[10] See Small Business Regulatory Enforcement Fairness Act at § 212, supra note 6.

^[11] See Proposed Rule, supra note 4 at preamble.

^[12] Id. at 1033.121.

^[13] 5 U.S.C. § 601 note at § 213 (Small Business Regulatory Enforcement Fairness Act).

^[14]Id.

‍