Advocacy Submits Comments on CFPB’s NPRM on Personal Financial Data Rights

On December 21, 2023, the Office of Advocacy submitted comments on the Consumer Financial Protection Bureau’s (CFPB) proposed rule on Personal Financial Data Rights (PDF, 226 KB).

The proposed rule would require depository and nondepository entities to make available to consumers and authorized third parties data relating to consumers’ transactions and accounts; establish obligations for third parties accessing a consumer’s data, including important privacy protections for that data; provide basic standards for data access; and promote fair, open, and inclusive industry standards.

The CFPB identified several categories of small entities that may be subject to the proposals under consideration. Within the financial industry, these include depository institutions (such as commercial banks, savings associations, and credit unions), credit card issuing nondepositories, sales financing companies, consumer lending companies, real estate credit companies, firms that engage in financial transactions processing, reserve, and clearinghouse activities, firms that engage in other activities related to credit intermediation, investment banking and securities dealing companies, securities brokerage companies, and commodities contracts brokerage companies. Outside of the financial industry, potentially affected small entities include software publishers, firms that provide data processing and hosting services, firms that provide payroll services, firms that provide custom computer programming services, and credit bureaus.

Advocacy recommends that the CFPB  provide additional information about what the qualified industry standards should be and start the compliance process after the standards are completed. Advocacy encourages the CFPB to clarify who bears responsibility if a third party misuses the data or violates the requirements of the rule. Advocacy further recommends that the CFPB adopt a safe harbor of 12 months of transaction data for small entities. Advocacy encourages the CFPB to analyze the impact if small entities decide to exit the market rather than comply with the rule. Advocacy further encourages the CFPB to work with small entities to determine if there are other possible exemptions for small data providers. Advocacy recommends that the CFPB consider developing a system that would allow small entities to charge an appropriate fee to cover any expenses incurred in fulfilling the requirements of the rule. Advocacy recommends that the CFPB work with small entity data providers and third parties to determine if there are possible exemptions to the proposed rule that will not compromise data security and privacy.

For more information, please contact Jennifer A. Smith, Assistant Chief Counsel, at Jennifer.Smith@sba.gov.