Joint Statement in Support of CFPB 1033 Rulemaking 

Consumers’ ability to share their data held at their banks has become necessary to access many financial services. NCRC’s Just Economy Pledge includes a commitment to ensure that individuals own their personal data, control who has access to it, and are treated fairly by anyone who does.[1] The scope of consumers’ rights regarding the sharing of this data will enable, or limit, consumer access to financial services, consumer privacy, competition between financial services providers, and the development of better-quality and more inclusive financial products.

The NCRC Innovation Council is a group of for-profit fintech companies and nonprofit civil rights and community organizations engaged in dialogue on enhancing financial inclusion. We appreciate the CFPB’s work to publish rules under Dodd-Frank Section 1033 to address consumer data rights.

As a group, we have found agreement that the proposed Section 1033 rulemaking has the potential to improve the quality of financial services available to consumers, including low-income and underserved consumers, if consumer privacy and data control rights are sufficiently protected. To that end, we offer three areas of consensus that we identified, for CFPB’s consideration.

First, we applaud the proposed rule’s inclusion of pricing data, such as the APY of deposit accounts and the APR of credit cards. Consumers’ ability to share the prices they are paying with other financial services providers will encourage price competition. In addition to appropriately encouraging companies to provide competitive prices on the products they offer, it may also encourage investment in innovations that enable further price improvements.

Second, to achieve the intended consumer benefits of this rulemaking, we encourage the CFPB to permit “secondary uses” where the consumer data are appropriately de-identified, and in some circumstances where a consumer opts-in to request these secondary uses. The priority of a consumer data rights rulemaking must be the rights of the consumers. Consumer data should not be used in ways consumers do not agree to. We also believe that the rule’s implied restrictions on de-identified data, which under other regulatory frameworks is not considered consumer data, may be unnecessary and potentially counterproductive.

The rulemaking will not achieve the stated goals of producing improvements in existing products and the creation of new and better products if it prevents data from being used for these purposes.[2] As proposed, the rule would allow use of data accessed from banks through data aggregators only for a “primary use,” which is the provision of the specific product or service the consumer has requested. Use of that data to also improve the requested product, or develop a new and better product, would seem to fall out of the permitted scope of use. This prohibition may also curtail the current practices of financial services providers to improve and develop products using data that has been accessed through aggregators and then de-identified by removing personal information. This may be a step backward rather than forward.

Incumbent banks already have the data considered by the Section 1033 rulemaking. These companies are not bound by the limitations established by the rule for accessing this data because they already have the consumer’s data. It contravenes key goals of this rulemaking—benefiting consumers by activating competition and pro-consumer innovation—to restrict data use by newer and smaller firms while permitting those same uses by incumbent banks. We are concerned the “primary use” restriction in its current form could enshrine a permanent advantage for incumbents rather than catalyzing competition, innovation, and consumer benefit.

We encourage the CFPB to allow the use of data to improve and develop products in a way that is consistent with consumer privacy, such as by enabling the use of data that is de-identified pursuant to appropriate standards.[3] Additionally, we believe that in many cases consumers could benefit from an opt-in mechanism establishing consumer choice over secondary uses, rather than an outright prohibition on secondary uses. This opt-in framework may require a prohibition of specific categories of high-risk secondary uses, as the CFPB has raised, including secondary uses that are unrelated to the primary use.

Third, we appreciate the question raised by the CFPB about whether data use rights and rules should be defined for additional products. We believe they should. As the 1033 proposal currently stands, there is less benefit for consumers that rely on government benefits, live paycheck-to-paycheck, are unbanked, or are credit invisible. Covering EBT accounts would benefit lower-income consumers.[4] Payroll data is another example where consumers that do not have bank accounts or credit cards would benefit from defined data rights and the ability to share this data to access better financial services. And if Section 1033 were able to cover small business accounts as well, this could produce tremendous benefits in economic opportunity for small business owners and local economies. We encourage the CFPB to proceed to addressing other account types as well, as quickly as is practicable. In addition to defining data rights for additional products, we encourage the CFPB to consider ways that it can achieve price transparency for the greatest range of products as possible.

We appreciate the CFPB’s consideration in its effort to define consumers’ rights to their banking data, to enhance the quality, safety, and inclusiveness of financial services.


 

[1] NCRC, “Just Economy Pledge,” https://www.justpledge.org/

[2] The CFPB’s Outline of Proposals and Alternatives regarding personal financial data rights explains that the three central goals for the rulemaking are the following: “[i] improvements to existing products and services, [ii] fostering competition for existing products and services, and [iii] enabling the development of new types of products and services.” See CFPB, “Small Business Advisory Review Panel for Required Rulemaking on Personal Financial Data Rights,” Oct 27, 2022, p.g. 4. Small Business Advisory Review Panel for Consumer-Permissioned Sharing of Consumer Financial Data Rulemaking Outline of Proposals and Alternatives Under Consideration (consumerfinance.gov)

[3] Standards for de-identified data might draw on HMDA, Section 1071, and other federal government precedents such as the National Institute of Standards and Technology. Data that may be re-identified should remain subject to the same restrictions as personal data.

[4] See e.g., Comment by Prosperity Now, Center for Law and Social Policy, https://www.regulations.gov/comment/CFPB-2023-0052-0648. As described in the comment to the CFPB by FinRegLab, alternative approaches to enabling the consumer benefits of secondary uses while protecting consumer privacy include pseudonymization protocols, contract restrictions on the use and reidentification of data, and other privacy enhancing technologies and mechanisms. See Comment by FinRegLAb, https://www.regulations.gov/comment/CFPB-2023-0052-0971

Scroll to Top