The CFPB’s Proposed Financial Data Rights Rule

What the Section 1033 SBREFA process is about & why it’s important

In October, the Consumer Financial Protection Bureau (CFPB) initiated a rulemaking outline mandated by Section 1033 of Dodd-Frank Wall Street Reform and Consumer Protection Act.   To further its proposed Personal Financial Data Rights Rulemaking, the CFPB started their essential Small Business Regulatory Enforcement Fairness Act (SBREFA) consultation process as required by Section 1033, which must undergo review by a mandated Small Business Review Panel before it is issued as an official proposed rule.

The Dodd-Frank Act, specifically Section 1033, requires any entities that offer consumer financial products to provide consumers with details about their transactions and account such as the cost, charges and usage data. The CFPB is responsible for issuing rules so this requirement can be enforced effectively.  Section 1033 regulates that consumers have access to their financial data such as payment histories and transactions records electronically, while providing guidelines for how this should be implemented. Furthermore, it stipulates a set of rules prescribed by the Bureau in order to ensure safe utilization of these rights.

In addition to the consumer’s own asset account holders, individuals who provide an access device and agree with the consumer on electronic fund transfers (e.g., mobile wallets or digital payment products), depository institutions that issue credit cards, and non-depositories categorized as card issuers under Regulation Z are all included in this definition.  The outline inquires as to whether certain data providers should be absolved from the requirements of Section 1033, depending on a comparison between benefits and burdens imposed upon consumers and covered data providers—especially smaller ones. To that end, exemption criteria have been suggested by the CFPB which hinge on thresholds such as an institution’s asset size or activity levels (for instance, accounts held).

For data providers, the information that consumers may soon be legally required to provide upon request includes periodic statement information for settled transactions and deposits; other transaction-related facts that are usually not shown on periodical statements or portals; online banking arrangements set up by the consumer even if they have yet to take place; as well as account identity particulars.  The CFPB recognizes that although such data may be beneficial to consumers in certain situations, there is a potential for it to increase privacy concerns. As such, the bureau maintains that an individual’s information should not be shared with third-party financial services providers without prior consent and authorization. To protect consumer rights while allowing access to this type of data, they have proposed requiring all third-parties seeking entry provide customers with an “authorization disclosure” outlining key details of the arrangement before granting any privileges.

Additionally, to ensure full accountability and compliance they must secure a customer’s deliberate agreement to all vital conditions in the authorization disclosure; as well as guarantee that particular requirements for managing their data responsibly – such as gathering, using and storing it – will be followed.

Consumers must have the right to choose and manage how their data is utilized.

Given the influx of market participants accessing consumer financial data, we are cognizant that consumers are now presented with greater access to more enriched options and quality services.  Consumers already count on intermediaries to help them access their data, with the likes of consent management dashboards and one-press data removal providing further control. Nevertheless, there may be concerning issues such as privacy infringements, cyber threats, liability matters and risks posed towards financial stability which must be addressed.  Consumers must have the right to choose and manage how their data is utilized and consumer protection should not have to be sacrificed in order for us to reap the benefits of innovation.

When it comes to financial data and information, consumer confidence is a big part of the equation. People need to feel secure that their finances are in good hands and being handled responsibly. They also should be able to trust that any financial details they provide will only be used for necessary purposes, kept up-to-date and accurate at all times.  To keep pace with the industry’s shift towards credential-less access, it is crucial that the CFPB establish principles-based guidelines for industry standards to ensure adaptability and convenience across all stakeholders. This will also help guarantee consumer satisfaction as technological advances continue to occur.

The initiation of the 1033 rulemaking has sparked substantial dialogue between data providers, aggregators, users and consumer groups. On completion of the 1033 rulemaking process, our anticipation is that it will dictate many facets of relationships among these market participants which have already been established through negotiation and standard setting.


At Global Legal Law Firm, our lawyers are familiar with the rapidly changing nature of electronic payments processing, and the ever changing regulations involved, with decades of expertise in ISOs, processors, commercial collections, credit card brands, and other forms of electronic payment processing litigation. Let us guide you through this new and volatile environment, rather than attempting to navigate it on your own.

Recommended Posts