Keypoint: As leadership at the CFPB shifts, responses to the CFPB’s Notice of Proposed Rulemaking to implement Section 1033 of the Dodd Frank Act looms.
More than a decade ago, the Dodd Frank Act created the Consumer Financial Protection Bureau (CFPB) and gave it authority to promulgate rules implementing Section 1033 of the Act. Under Section 1033, upon request, a financial services provider “shall make available to a consumer information in its control or possession concerning the product or service that the consumer has obtained, including information relating to any transaction, series of transactions, or to the account including costs, charges and usage data. The information shall be made available in an electronic form usable by consumers.” The Dodd Frank Act defines consumer incredibly broadly to include a consumer’s agent or representative acting on behalf of the consumer, which would seem to include, for example, entities such as data aggregators. Although there is very little legislative history on Section 1033, one drafter of the Section, Professor Michael S. Barr, confirms that “the scope of the provision was intended to be broad – providing a framework for customer access that would encourage competition and innovation, including through the use of third-party providers and aggregators.” Consumer Autonomy and Pathways to Portability in Banking and Financial Services, University of Michigan Center on Finance, Law & Policy Working Paper. In short, pursuant to Section 1033, with a consumer’s authorization, a financial services provider could be required to provide all of the consumer’s information in its possession to a third-party (e.g. data aggregator).
The CFPB acted with no haste to promulgate rules to implement Section 1033. Indeed, it was just last fall that the Bureau under Director Kathleen Kraninger finally took the first official step towards such rules and issued an Advanced Notice of Proposed Rulemaking (ANPR) consisting of 46 questions. Topics in the lengthy ANPR include data access, data security, and regulatory uncertainty that may arise with the interplay of any Section 1033 rules and other applicable laws. Responses to the lengthy ANPR are due February 4.
Section 1033 presents a significant tension between tailored and competitive services and products from the market, on the one hand, and the protection and security of such personal and sensitive information, on the other hand.
Rather than Kraninger’s Bureau moving the ball down the field, the longtime ally of the CFPB’s visionary Senator Elizabeth Warren, Rohit Chopra, is poised to be appointed by President Biden as the chief of the agency and will now grapple with this tension. Chopra was the CFPB’s student loan ombudsman at the then-nascent Bureau under Director Richard Cordray. He subsequently joined the Consumer Federation of America and, in 2017, he was appointed by President Trump to serve on the Federal Trade Commission.
While it is impossible to predict how things will unfold, in fall of 2018, Chopra made statements in an International Association of Privacy Professionals (IAPP) podcast episode expressly recognizing the tension between consumer control of and access to their data to foster competition, on the one hand, and data privacy and security, on the other hand. He expressed concern that those entities first to collect the data should not be able to box out the competition, commenting that “[w]e have got to think hard about this to make sure that the internet was supposed to democratize content and enterprise. And if it is not doing that, that’s got to be fixed.” In the same episode, Chopra emphasized that there must be data security in order for there to be data privacy and that consumers should be able to control their data and understand the benefits that their data provides to companies: “I think where I want to see things go is, you can’t really have privacy without security and I think the reverse goes the same way . . . . [W]e need to think more holistically about what is the control that we have over our data. Do we get to license our data to people for funds or for the uses of services? What’s our ability to take that back? You see how California, many other states, jurisdictions across the globe are sort of running down certain paths, but I want the U.S. to really lead in this conversation about . . . how can we make sure that we have not lost control of that data. And that includes securing it, but it also includes making sure people know what they’re giving up.”
Now that the ball is in Chopra’s court, it is only a matter of time until we see where that conversation leads.