The Consumer Finance Podcast

Exploring the Future of Open Banking: A Discussion on CFPB's 1033 Proposed Rule – Crossover Episode With Regulatory Oversight Podcast

Episode Summary

Ashley Taylor is joined by Kim Phan and Kristen Eastman to discuss the Consumer Financial Protection Bureau's 1033 proposed rule, also known as the Personal Financial Digital Rights rule.

Episode Notes

In this special crossover episode with the Regulatory Oversight podcast, Ashley Taylor is joined by Kim Phan and Kristen Eastman to discuss the Consumer Financial Protection Bureau's (CFPB) 1033 proposed rule, also known as the Personal Financial Digital Rights rule. This rule, which implements section 1033 of the Dodd-Frank Act, aims to place limits on the ability to access consumer data as well as any subsequent uses of such data. It focuses on entities subject to the Truth in Lending Act (TILA) and Regulation Z, such as depository institutions, credit card companies, and payment processors. The proposed rule requires these entities to make financial records available both to consumers and to their authorized third parties.

The group discusses the proposed rule's lack of specificity regarding the "qualified industry standard" that companies must meet. They also discuss the potential of state attorneys general and plaintiffs' lawyers using the proposed rule for enforcement actions and litigation.

The CFPB has not yet issued guidance on the proposed rule's enforcement, and the group anticipates that the proposed rule could be finalized as early as next year. However, they also note that the proposed rule's timeline could be affected by litigation surrounding the CFPB's authority and funding.

Episode Transcription

The Consumer Finance Podcast:
Exploring the Future of Open Banking: A Discussion on CFPB's 1033 Proposed Rule - Crossover Episode With Regulatory Oversight Podcast
Hosts: Ashley Taylor and Chris Willis
Guests: Kim Phan and Kristen Eastman

Chris Willis:

Welcome to The Consumer Finance Podcast. I'm Chris Willis, the co-leader of Troutman Pepper's Consumer Financial Services Regulatory Practice. And I’m really glad you’ve joined us today for a special crossover episode with our sister podcast Regulatory Oversight, where we’re going to be talking about the CFPB’s open banking rule, also called the 1033 Rule.

But before we go over to that recording, let me remind you to visit and subscribe to our blogs, ConsumerFinancialServicesLawMonitor.com and TroutmanPepperFinancialServices.com. And don’t forget about our other podcasts – we have lots of them. We have the FCRA Focus, all about credit reporting; Unauthorized Access, which is our privacy and data security podcast; The Crypto Exchange, which is all about crypto; and our newest podcast, Payments Pros, which is all about the payments industry. And all of those are available on all popular podcast platforms. And speaking of those platforms, if you like this podcast, let us know. Leave us a review on your podcast platform of choice and let us know how we're doing.

And if you like listening to and reading our thought leadership content, why don’t you check out our nifty mobile app. It’s available on both iOS and Android. Just search for “Troutman Pepper” in your app store and you’ll find our mobile app that gives you access to all of our blogs, all of our podcasts right there on the app, a directory of all of our Financial Services lawyers, and even a handy calendar that shows you what conferences we’ll be attending and speaking at. So check it out, it’s available for both operating systems and it’s under “Troutman Pepper.”

Now as I said, today, we’re airing an episode that was originally recorded for our Regulatory Oversight podcast, which is put on by our Regulatory Investigations, Strategy + Enforcement (or RISE) Practice Group who we work very closely with. You’ll hear Kim Phan, who’s a very frequent guest on this podcast, and Kristen Eastman talking about the CFPB’s 1033 Rule. Obviously, it was recorded by the RISE Group, but you’ll know by the virtue of the subject matter that whatever the CFPB’s doing in open banking is critical to listeners of this podcast as well. So listen on and I hope you enjoy the episode.

Ashley Taylor:

Welcome to another episode of Regulatory Oversight, a podcast that focuses on providing expert perspective on trends that drive regulatory enforcement activity. I'm Ashley Taylor, one of the hosts of the podcast and the co-leader of the firm's State Attorneys General practice.

This podcast features insights from members of our practice group, including its nationally ranked state attorney general's practice, as well as commentary from business leaders, regulatory experts, and current and former government officials. We cover a wide range of topics affecting businesses operating in highly regulated areas.

Before we get started today, I wanted to remind all of our listeners to visit and subscribe to our blog at regulatoryoversight.com so you can stay up to date on developments and changes in the regulatory landscape. Today I'm joined by my colleagues Kim Phan and Kristen Eastman to discuss the CFPB's data rights rule that aims to restrict the sale or misuse of consumer data. We will discuss the intricacies of this proposed rule and how the rule may implicate state AG actions as well as how active we anticipate the state AGs will enforce the proposed rule.

Kim and Kristen, I am looking forward to today's discussion. It probably makes sense for us to start with a general overview of proposed Rule 1033. Where should we start?

Kristen Eastman:

I think the best place to start is kind of what this rule is seeking to do. The CFPB's intention in implementing this proposed Rule 1033, which is officially called the Personal Financial Digital Rights rule, is to implement section 1033 of the Dodd-Frank Act. The Dodd-Frank Act was enacted 13 years ago, and the section is relatively brief, basically saying that covered persons must make a consumer's information available to that consumer. The proposed rule is about 300 double-spaced pages in length with only the last 30-ish pages containing the text of the actual rule. Other than that, the CFPB discusses in this rule its policy objectives and processes for developing the rule. The period of public comments for this ends on December 29th, so it is a relatively short time compared to other comment periods we've seen in the past.

Kim Phan:

One of the things I think is really important about this particular rulemaking is unlike some of the other mandatory rulemakings that the CFPB was required to promulgate, such as the mortgage rules, this is one of their voluntary rules. They are expected to issue regs with regard to providing consumers access to their financial records. But it's interesting that the CFPB has taken a very specific and narrow focus on how they have decided to implement that particular mandate within the Dodd-Frank Act. This is about providing not just consumers because they don't really touch very much on direct consumer access to financial records.

The vast majority of this particular proposed rule is focused on the requirement for covered entities. And when we say covered entities, it's only certain covered entities. We're really only talking about very specific types of entities subject to TILA, entities that are subject to Reg Z and other payments like depository accounts, credit card companies, payment processors. But they have been very clear, the CFPB has said that they're going to get back around to other types of entities like mortgage providers, healthcare providers, other types of financial products and services. And the focus has really very much been how do those companies have to make financial records available not just to consumers, but to authorized third parties that the consumer designates and how do those authorized third parties access these financial records. So it is a very narrow, very specific interpretation of the access to financial records mandate in section 1033 of the Dodd-Frank Act.

Kristen Eastman:

One of the interesting things, like Kim mentioned, is that this focuses more on certain product types, so your Regulation E accounts and your Regulation Z credit cards, versus other data privacy rules we've seen in other states that focus on all data as a whole. It focuses on certain product types and certain types of data rather than all data. So certain data covered entities don't have to provide, such as commercial algorithms and things like that.

So it's kind of interesting that this is more product-focused rather than an overall data-focused approach. Kind of how we got to this rule in the history of open banking, or the consumer ability to access their financial information through technology, is that early technology in this regard, especially through your third parties, involved something called screen scraping. Screen scraping was a concern for a few reasons, and the CFPB kind of addresses these. And the first is that there was no industry standard on how consumers could allow third parties to access their data. So you're creating these individual contracts with third parties and there was no set standard. A consumer is giving affirmative consent to a third party to access their information with the promise that that information is going to be safe and protected.

There was no cohesive set of rules for how consumers interacted with fintechs, although UDAAP has always been in play, but it is imprecise and doesn't really provide the kind of data protection that this seeks to provide. Consumers were handing this information over to third parties. And then the third parties were accessing these financial institutions websites only to grab a handful of data. So there was some concern on behalf of the financial institutions that it was an inefficient and insecure way to obtain a consumer's data.

In early 2023, February 2023, the Consumer Financial Protection Bureau convened a SBREFA panel, which is the Small Business Regulatory Enforcement Fairness Act panel, and in April they released a report about their findings regarding open banking. One of the things that the CFPB has emphasized is that they're looking, and this kind of resonates out from the Dodd-Frank Act, for the legal right for consumers to share data, the legal right for you to obtain your own data, and moving away from these concerning data practices where there was just no cohesive set of rules to implement them.

Kim Phan:

One thing I would note is that this rule has been a long time coming. They initiated this rule way back in 2016, so it has been a seven-year process before they actually released these draft rules. One of the things that I find a little surprising is much of the focus over the past seven years has been very narrowly tailored to the data aggregator industry. This is a relatively new industry where these entities, known as data aggregators, are essentially data middlemen who facilitate the transfer of consumers' financial transactional history between different financial institutions for various purposes. And these data aggregators, the CFPB acknowledged, for years have provided great benefits, being able to utilize alternative data, making transactions faster, easier, more efficient for consumers to reach different populations that might otherwise have been left out of the traditional credit markets and other products and services that are available to, say, prime consumers.

So the reality is in the draft rules, data aggregators are only very briefly mentioned. There are three types of entities laid out in the proposed rules. There are data providers, those financial institutions who have to make their customer records available. There are authorized third parties who consumers are permitting to access the records made available by the data providers. And then there's a very brief discussion about data aggregators who are characterized as service providers to the authorized third parties to make it possible for those authorized third parties to obtain the records more easily and more efficiently from the data providers. But the actual discussion about data aggregators is actually very brief, which I found very surprising because again, the hearings the CFPB has held over the years, the principles that they released, I think this is 2017 on customer record access, these have all been very focused on the benefits and the risks created by data aggregators. And when they finally got down to actually writing the rules, that was not a major part of the focus, though some of the risks were made and those again continue to be unaddressed.

For example, Kristen mentioned that screen scraping posed lots of issues. The reality is that when a screen scraping entity gets a consumer's username and password, they go to that financial institution's website, a huge drain on the resources and capabilities of that website, pull data off. And they're doing this for hundreds of different financial institutions for lots of different data formats, right? So if they misaligned, or if a financial institution changes the formatting on their website, they've got to make sure that they're changing and updating their field capture to ensure accuracy. So there's accuracy issues. There are security issues. If one of these data aggregators screen scrapes data with the consumer's permission, but without the financial institution's knowledge, what is the financial institution's responsibility if that data is ultimately hacked? Their own customer records taken by a third-party screen scraper have now been compromised. No fault of their own, but yet they're still going to be held responsible to a certain extent.

There were a lot of open issues and questions that I think have been raised over the years that I'm not sure the CFPB has adequately addressed in the draft rules because there's still a lot of risk and there's still no clear answer to the question of where the liability lies if that information should be obtained by a malicious actor or is otherwise compromised in some way. So while I think this is a huge step forward, there's going to be a lot of cost and expense to financial institutions that have to build out developer APIs, application programming interfaces, to make this data available. A lot of the benefits of screen scraping, i.e., the speed by which this can be achieved, will be slowed down by some of the authorization processes that the CFPB is proposing. And so a lot of the benefits I think are potentially reduced while not addressing some of the risks. Those are some of the key problems that I see with the current proposal as written that could potentially lead to litigation or delays in implementation.

Ashley Taylor:

Does the rule in its current form open itself up for expansion to other products and institutions?

Kim Phan:

It does. The CFPB is even very clear that, again, right now it's very narrowly focused toward depository institutions, credit card companies and other types of payments platforms. But the CFPB has stated very clearly its intent to issue supplemental rulemaking. That's how they characterize it, supplemental rulemaking to cover mortgage, auto loans, student loans, and other types of consumer financial products or services.

Ashley Taylor:

Have they set a standard so that companies have some guidance early on in this process or is that still something that is to be developed?

Kristen Eastman:

One of the things the CFPB says in the proposed rule is that one of the things they're concerned about is if they set a standard, so some sort of data standard that already exists, that it will be outdated as soon as the final rule is published. What they use instead is something they've dubbed a qualified industry standard. And it seems to me that their hope is that an industry standard does emerge from this, if not some sort of self-regulating body. But as far as setting something to start with to say, "It has to be this," not so much other than saying what a covered entity has to provide. But as far as some sort of data standard, I don't think so.

Kim Phan:

Keep in mind, the CFPB has been working on this for seven years. So it is a little surprising that they're not ready at this stage to put forth specifics. They mention multiple times throughout the proposed rules that there may be exemptions, there may be liability shields, there may be protections for entities that comply with, as Kristen mentioned, a qualified industry standard. They don't mention what standard that is. They don't even mention what entity in the industry would be establishing this qualified industry standard. They look instead to a standard setting body that the CFPB has not yet identified, but ask for public comments on what the procedure should be for the CFPB to recognize such a standard setting body. So it's a lot of ifs, ands, and buts at this stage.

The CFPB is relying on some unknown standard setting body that they have not yet determined how they will recognize to develop a qualified industry standard without providing specific guidance on what data format or other requirements or expectations they have for that qualified industry standard. And that companies that will be subject to this rule can potentially rely on this at some point in the future when the CFPB decides. So there's a lot of uncertainty still to be had around these draft rules with regard to how companies will comply.

Ashley Taylor:

So I hear no safe harbor pointing to an unspecified qualified industry standard to be named later. It seems less than firm guidance so far. But the CFPB, they regularly issue circulars interpreting federal consumer protection laws to guide state AGs in particular with respect to the enforcement actions. Have they done so here as yet?

Kim Phan:

They have not yet. And actually, Ashley, I turn this back to you. The CFPB has been famous for essentially deputizing the state AGs to bring enforcement actions and their different rules that they have promulgated over the years. Do you anticipate something similar happening with this section 1033 rulemaking?

Ashley Taylor:

I would for a number of reasons, and Kim, you mention there's the historical relationship between the CFPB and state AGs. Some of our listeners may not recall this, but the first director of the CFPB was General Cordray, who was the former attorney general of Ohio. And at one of the first meetings after he was appointed director, he spoke to the National Association of Attorneys General and they worked on a memorandum designed for them to facilitate cooperation and joint enforcement action.

So the CFPB began its existence reaching out to AGs and working together with them, and they've done so since their beginning. I would expect them to do so here in part because this rule touches on a couple of areas where the states have also been active. Obviously, the states have been active in the data privacy context now for a number of years. Not only do you have state notification laws that create a patchwork for a company that is dealing with the data incident, but you have every state AG enforcing its consumer protection statute such that in the event of a breach, they're launching investigations focusing on the security standards of the company and whether those standards met industry standards and the AG's expectations.

That's why, Kim and Kristen, when you all were discussing the "qualified industry standard," that's a conversation that we have a lot in enforcement matters, where our position is often that the company meets those qualified standards as they were known at the time. The danger that I hear in the structure that the CFPB has set up, and it's unfortunate it's a danger that we have seen in enforcement actions, is that regulators come in with hindsight bias. If an incident occurs in 2020 and you are judging that incident in 2023, given the change of technology, they invariably apply 2023 standards to a 2020 incident. And the expectation from our perspective is that regulators often want companies to anticipate what hackers and others are doing who may try to access your information. So I see a real concern here leaving this open-ended standard enforced by regulators that again traditionally have taken hindsight bias and applied it to their investigations.

The other thing I would note is that the AGs and the CFPB have worked cooperatively and in coordination. So what does that mean? That means a company may find themselves producing documents to one or more states. Those documents could be shared with the CFPB, or the reverse could be true as well. And we know from our experience that the CFPB and the states coordinate. We've had a number of instances where we have seen the CFPB advance what we deem possible claims. Let's say it's claims 3 and 4, and we see state AGs advancing claims 1 and 2. So we know there's a level of both coordination and cooperation with the state AGs, and I would expect that to continue here since privacy is an area of interest to the states.

Unfortunately, the language in most state law regarding unfair, deceptive and abusive acts and practices is left open to wide interpretation, and that wide interpretation is complicated by language such as qualified industry standard. It's an unfortunate situation for most companies to be in. So what have we been advising companies in that regard? You have to, from our perspective, understand that in many cases, the enforcement actions and the related settlement agreements will actually create the industry standard.

Practice tip for folks listening to this podcast and a way to mitigate the likelihood that you'll need any of our services to defend you in an enforcement action, read other settlement agreements. Read them closely. The standards are set out in those settlement agreements. And if you put settlement agreements side by side, you can actually see the regulatory structure in most cases being created through settlements. So that's what I would encourage our listeners to do, particularly on the state AG side since, again, historically state AGs have cooperated in the context of multistates. So you're not getting simply one state's perspective from most significant multistate actions. You're getting a collection of states working together in a cooperative way, again, oftentimes in coordination with the CFPB. And from that, you should be able to create a reasonably robust compliance process to at least put yourself in a position to argue that you've identified the qualified industry standard.

Kim Phan:

Ashley, one thing that makes it even harder for companies to comply with this is that the target is pretty much written on their backs, because the CFPB has contemplated under this proposed rule, one, having a directory of those data providers that are required to comply so that they can make clear how to access their systems to make available the consumer's public records. And then on the back end for authorized third parties, the CFPB is exploring and encouraging stakeholders in the system to develop an accreditation system so that those authorized third parties would be certified to certain minimal standards and requirements when accessing customer records. So for both sets of parties, data providers and authorized third parties, you're basically being served up on a platter for state AGs, for plaintiffs attorneys, and others to keep an eye on compliance and bring their own enforcement in the event that the CFPB is not, let's say, robustly pursuing enforcement actions on a federal level.

Ashley Taylor:

Kim, your comments highlighted for me something that companies really should be thinking about. Whenever you have a requirement to maintain documents or you're expected to comply with something, it makes it very easy for state AGs to issue a CID asking for the documents demonstrating compliance. Now, why would they do that? They could do that for a couple of reasons. Some benign, some not so benign, right? So you have had many cases where state AGs have issued CIDs to understand what's going on in the industry. They just want to understand industry practices, understand what companies are doing, and so they can either issue a CID or send you an informal letter. Ask them, "Well, show us how you're complying" so they get a sense of what's happening in the industry. And that's really the only way for them to really know what's going on.

Unlike the CFPB, which has these advisory panels where they bring people and have conversations, state AGs don't have such a statutorily mandated or created structure to facilitate that type of information. They get that information when they issue a CID or a letter asking for documents and information. So we always want our clients to have the type of relationship, or at least for us to be in a position to say, "Regulator, if you want information about an industry, let us anonymize it and provide the information that provides the client with some buffer, but it also allows the client to educate the regulator." Many of the cases that we handle involve the regulator's misunderstanding of an industry practice rather than something actually being done wrong. We can try to cut that off by communicating with the regulator to educate the regulator on industry standards going forward. So that's something I think will be important here to follow over the next year or two.

Kim Phan:

And there are very clear record-keeping requirements laid down in the rule, compliance records of how data providers are responding to requests either from consumers or authorized third parties, including what data fields were made available, what data fields were not available at the time or the basis for denying those requests. And all of those records have to be maintained under the draft rules for a minimum of three years to demonstrate compliance. If that's something the state AGs might be interested in for a CID, it's certainly something that will be available to them under these new rules.

Ashley Taylor:

We've talked about the CFPB, we've talked about state AGs. There is a third actor in this play, plaintiffs lawyers. So is there a private cause of action reflected in this rule?

Kim Phan:

I wouldn't say that it is clear that there's a private cause of action. I'm sure that there will be plaintiffs attorneys who are looking for different ways to bootstrap a private right of action out of pretty much any sort of CFPB endeavor. I don't know, Kristen, if you see something that I missed, but I think that it'll be the most typical UDAAP claims, other types of state consumer protection law claims that if there's a violation of an administrative requirement like the certification requirement or some other issue, it would be a negligence claim or something along those lines. Are you seeing anything different?

Kristen Eastman:

No. No, I'm not. I agree.

Ashley Taylor:

Do you all see the challenge to the CFPB, its funding, its structure and a litigation surrounding the CFPB's authority impacting the timeline of this rule at all?

Kim Phan:

I don't. We have seen different litigation of that type over the years, and certainly it hasn't made it all the way to the Supreme Court yet, but I don't see anything making the CFPB go away. They're not going to shut their doors. If they get a different funding stream, they'll continue their mission under that different funding stream. While this could slow things down, I think potentially the bigger impact would be if President Biden is not reelected and there is a Republican in the White House and Director Chopra is replaced by someone else that slows the CFPB activities more. I think that would be more significant than any of the current case law, which is again, very focused on the funding structure and the constitutionality of the funding, not the constitutionality of the agency.

Ashley Taylor:

So I'm going to put you all on the spot and ask you all to give us your prediction. When will the rule be finalized?

Kim Phan:

Kristen mentioned at the beginning of the podcast that it is on somewhat of a shorter timeline than we've seen for some of the other CFPB significant rulemakings. The public comment period's a little bit shorter. But I think that is sort of a reflection of the reality that they have been working on this for a very long time, seven years since 2016.

I do expect to see at least some action on the rule next year. It could be a revised, updated notice of proposed rulemaking, or it could be the final as of next year. I would be surprised if the final was next year because some of the timelines for compliance are very short. For some of the largest banks that would be subject to this, their compliance deadline would be six months after the final rules are published. And as I noted, there are a number of still very open concerns that remain in the draft rules. So I would be hopeful that the CFPB is taking into account some of these industry concerns and be weighing these as they finalize the rules. That being said, I know there is some pressure for the CFPB to start rolling out some of these rules in advance of next year's election over the summer so that these can be campaign issues for Democrats and others. Could there be a final rule by next summer? Maybe. Do I think there will be, I hope not.

Ashley Taylor:

Kim and Kristen, we always want the Regulatory Oversight podcast to be practical and provide our listeners with information they can use, so I'm going to ask both of you to share at least one. Certainly, feel free to share more, but at least one practice tip. I've shared my practice tip, and that is encouraging companies to really use the settlement agreements that they see in public to create a compliance protocol and understand that regulators speak through their enforcement actions. So I'm going to start with you, Kim. Can you give us your practice tip in relation to the rule and the CFPB? And then Kristen, I'm going to ask you to close us out with your practice tip.

Kim Phan:

I would note that 1033 is both a sword and a shield. There are ways to use this rule offensively and there's ways to be defensive in respect to this rule. To the extent that you're a financial institution that may want to become an authorized third party in order to access consumer transaction history from other financial institutions, you can go ahead and start moving forward with setting up some of those processes today without having to wait for some of the data provider standards to come out. To the extent that you can benefit from the 1033 rule, I think this is something you could be moving on right away.

As far as being defensive in nature, if you will be a data provider, if you're one of these covered entities that will be subject to the rule right away, you need to be thinking about setting aside the time, the resources, including technical staff, to set up some of these developer interfaces. This is a more technical obligation than many of the CFPB rules have been, which have been very administrative in nature, setting up policies and procedures, implementing training, that sort of thing. This will require actual technical development in order to comply. And you need to be thinking about that today for when you're going to have those resources available to build some of these things out.

Ashley Taylor:

Great. Kristen?

Kristen Eastman:

Yeah, and I'll just kind of echo what Kim said. The rule is very clear that for data providers, simply having a consumer website portal where they access their banking information is not going to be enough. If you're thinking that, "Well, the consumer interface, we have that. We have a place where consumers can go and log in and see their balance," it's clear that's not going to be enough because the information that a covered data provider would need to provide has to be immediate, number one. So it has to be information, even pending transactions and things like that. So it is going to be a big lift for, I think, almost everyone in the industry to comply with this. And like Kim said, it is going to be a very technical compliance versus rules or something that's not quite as technical to implement.

Ashley Taylor:

Well, Kristen and Kim, I want to thank you for this educational conversation today. I know that I enjoyed your candid remarks and your insights, and I'm sure our listeners did as well. I want to thank our audience for tuning in today. And please make sure to subscribe to this podcast via Apple Podcasts, Google Play, Stitcher, or whatever platform you use. And we look forward to having you join us next time. Thanks again.

Copyright, Troutman Pepper Hamilton Sanders LLP. These recorded materials are designed for educational purposes only. This podcast is not legal advice and does not create an attorney-client relationship. The views and opinions expressed in this podcast are solely those of the individual participants. Troutman Pepper does not make any representations or warranties, express or implied, regarding the contents of this podcast. Information on previous case results does not guarantee a similar future result. Users of this podcast may save and use the podcast only for personal or other non-commercial, educational purposes. No other use, including, without limitation, reproduction, retransmission or editing of this podcast may be made without the prior written permission of Troutman Pepper. If you have any questions, please contact us at troutman.com.