InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
CFPB launches rulemaking on consumers’ rights to their data
On October 27, the CFPB released a 71-page outline of proposals and alternatives under consideration related to the Bureau’s Dodd-Frank Section 1033 rulemaking efforts. The outline describes proposals under consideration that “would specify rules requiring certain covered persons that are data providers to make consumer financial information available to a consumer directly and to those third parties the consumer authorizes to access such information on the consumer’s behalf, such as a data aggregator or data recipient (authorized third parties).” Emphasizing that “[c]lear data rights for consumers have the potential to give individuals more bargaining leverage,” the Bureau claimed that companies compiling vast amounts of personal data, including information about consumers’ use of financial products and services, are able to monopolize the use of this data, thereby blocking competition and stifling the development of competitors’ products and services.
Highlights from the outline include a series of discussion questions for small businesses and a list of topics, including:
- Data providers subject to the proposals under consideration. The proposals, if finalized, would impact data providers, including “depository and non-depository financial institutions that provide consumer funds-holding accounts or that otherwise meet the Regulation E definition of financial institution, as well as depository and non-depository institutions that provide credit cards or otherwise meet the Regulation Z definition of card issuer.” Notably, “a financial institution would be a covered provider if it issues an ‘access device’ (as the term is defined in Regulation E § 1005.2(a)(1)), such as a digital credential storage wallet, and provides EFT services, even if it does not hold consumer accounts.” Additionally, “a card issuer would be a covered data provider if it issues a ‘credit card’ (as the term is defined in Regulation Z § 1026.2(a)(15)(i)), such as by issuing digital credential storage wallets, even if it does not hold consumer credit accounts.” The outline also defines covered accounts and states the Bureau is considering potential exemptions for certain data providers.
- Recipients of information. To be considered an authorized third party under the proposals, a third party must: (i) provide an “authorization disclosure” informing consumers of key terms of access; (ii) obtain consumers’ informed, express consent to the key terms of access contained within the authorization disclosure; and (iii) certify to consumers that it will abide by certain obligations related to the collection, use, and retention of a consumer’s information. The Bureau is considering proposals that would address “a covered data provider’s obligation to make information available upon request directly to a consumer (direct access) and to authorized third parties (third-party access).”
- Types of information covered data providers would need to make available. The outline proposes six categories of information data providers would have to make available with respect to covered accounts, including (i) periodic statement information; (ii) information on certain types of prior transactions and deposits that have not-yet-settled; (iii) information regarding prior transactions not typically shown on periodic statements or online account portals; (iv) online banking transactions that have not yet occurred; (v) account identity information; and (vi) other information, such as consumer reports, fees, bonuses, discounts, incentives, and security breaches that exposed a consumer’s identity or financial information.
- Exceptions to the requirement to make information available. The outline provides four exceptions to the requirement for making information available: (i) confidential commercial information; (ii) information obtained to prevent fraud, money laundering, or other unlawful conduct; (iii) information that is required to be kept confidential; and (iv) information a “data provider cannot retrieve in the ordinary course of business.”
- How and when information would need to be made available. The outline states the Bureau is considering ways to define the methods and the circumstances in which a data provider would need to make information available with respect to both direct access and third-party access.
- Third party obligations. The Bureau is examining proposals to limit authorized third parties’ collection, use, and retention of consumer information to that which “is reasonably necessary to provide the product or service the consumer has requested.” This includes (i) limiting duration, frequency, and retention periods; (ii) providing consumers a simple way to revoke authorization; (iii) limiting a third party’s secondary use of consumer-authorized information; (iv) requiring third parties to implement data security standards and policies and procedures to ensure data accuracy and dispute resolution; and (v) requiring third parties to comply with certain disclosure obligations, including a mechanism for consumers to request information about the extent and purposes of a third party’s access to their data.
- Record retention obligations. Proposals under consideration would establish requirements for data providers and third parties to demonstrate compliance with their obligations under the rule.
- Implementation period. The Bureau is seeking feedback on time frames to ensure consumers are able to benefit from a final rule, while also considering implementation factors for data providers and third parties.
An appendix to the highlights provides examples of ways the proposals would apply to hypothetical transactions involving consumer-authorized data access to an authorized third party.
The Bureau’s rulemaking process will include panel convenings, as mandated under the Small Business Regulatory Enforcement Fairness Act of 1996, after which the panel will prepare a report for the Bureau to consider as it develops the proposed rule. “Dominant firms shouldn’t be able to hoard our personal data and appropriate the value to themselves,” CFPB Director Rohit Chopra said in announcing the rulemaking outline. Chopra further elaborated on the rulemaking’s purposes during an industry event earlier in the week (covered by InfoBytes here) where he said the Bureau plans to propose requiring financial institutions that offer deposit accounts, credit cards, digital wallets, prepaid cards, and other transaction accounts to set up secure methods for data sharing as a way to “facilitate new approaches to underwriting, payment services, personal financial management, income verification, account switching, and comparison shopping.”
CFPB issues guidance on “junk fees”
On October 26, President Biden discussed guidance issued by the CFPB to help banks avoid charging illegal “junk fees” on deposit accounts. The Bureau’s Circular 2022-06 noted that overdraft fees can be considered an “unfair” practice and violate the Consumer Financial Protection Act (CFPA) even if such fees are in compliance with other laws and regulations. Specifically, the Circular noted that “overdraft fees assessed by financial institutions on transactions that a consumer would not reasonably anticipate are likely unfair.” The guidance further stated that unanticipated overdraft fees are likely to impose substantial injury on consumers that they cannot reasonably avoid and that are not outweighed by countervailing benefits to consumers or competition. The Bureau’s compliance bulletin on surprise depositor fees explained that a returned deposited item is a check that a consumer deposits into their checking account that is returned to the consumer because the check could not be processed against the check originator’s account. The bulletin stated that “blanket policies of charging returned deposited item fees to consumers for all returned transactions irrespective of the circumstances or patterns of behavior on the account are likely unfair under the [CFPA].” The Bureau further explained that indiscriminately charging depositor fees, regardless of circumstances, are likely illegal and noted that the bulletin is intended to put regulated entities on notice regarding how the agency plans to exercise its enforcement and supervisory authorities in the context of deposit fees. The bulletin urged financial institutions to charge depositor fees only in situations where a depositor could have avoided the fee, such as when a depositor repeatedly deposits bad checks from the same originator. The Bureau emphasized the guidance as part of its Junk Fee Initiative, noting that since it launched the initiative in January 2022, the CFPB has taken action to constrain “pay-to-pay” fees (covered by InfoBytes here), and has announced an advance notice of proposed rulemaking soliciting information from credit card issuers, consumer groups, and the public regarding late payments, credit card late fees, and card issuers’ revenue and expenses (covered by InfoBytes here).
Chopra previews Section 1033 rulemaking on consumers’ rights to data
On October 25, CFPB Director Rohit Chopra spoke before an industry event where he announced that the Bureau will soon release a discussion guide for small businesses to further the agency’s Section 1033 rulemaking efforts with respect to consumer access to financial records. As announced in the Bureau’s Spring 2022 rulemaking agenda, Section 1033 of Dodd-Frank provides that, subject to Bureau rulemaking, covered entities such as banks must make certain product or service information, including transaction data, available to consumers. The Bureau is required to prescribe standards for promoting the development and use of standardized formats for information made available to consumers under Section 1033. In 2020, the Bureau issued an advanced notice of proposed rulemaking seeking comments to assist in developing the regulations (covered by InfoBytes here).
Chopra explained that, before issuing a proposed rule, the Bureau must first convene a panel of small businesses that represent their markets to solicit input on proposals the CFPB is considering. Chopra said the Bureau plans to “hear from small banks and financial companies who will be providers of data, as well as the small banks and financial companies who will ingest the data,” and will also gather input from intermediary data brokers that facilitate data transfers (“fourth parties”). He noted that a report will be published in the first quarter of 2023 based on comments received during the process, which will be used to inform a proposed rule that is slated to be issued later in 2023. Chopra said the Bureau hopes to finalize the rule in 2024, stating “[w]hile not explicitly an open banking or open finance rule, the rule will move us closer to it, by obligating financial institutions to share consumer data upon consumer request, empowering people to break up with banks that provide bad service, and unleashing more market competition.”
Chopra also expressed plans to propose requiring financial institutions that offer deposit accounts, credit cards, digital wallets, prepaid cards, and other transaction accounts to set up secure methods for data sharing. He stressed that doing so would “facilitate new approaches to underwriting, payment services, personal financial management, income verification, account switching, and comparison shopping.” He further noted that the Bureau is planning to assess ways to prevent incumbent institutions from improperly restricting access when consumers try to control and share their data, including by developing requirements for limiting misuse and abuse of personal financial data, fraud, and scams. Chopra said staff has been directed to consider alternatives to the “notice-and-opt out” regime that has been the standard for financial data privacy and to explore safeguards to prevent excessive control or monopolization by one or a handful of firms.
FRBs to adopt new Fedwire format in 2025
On October 24, the Federal Reserve Board published a notice in the Federal Register announcing that the International Organization for Standardization’s (ISO) 20022 message format for the Fedwire Funds Service will be adopted on a single day, March 10, 2025. The Fedwire Funds Service is a real-time gross settlement system owned and operated by the Federal Reserve Banks that enables businesses and financial institutions to quickly and securely transfer funds using either balances held at the Reserve Banks or intraday credit provided by the Reserve Banks. A single-day implementation strategy is preferable to a three-phased implementation approach, the Fed said, explaining it is both simpler and more efficient and is likely to reduce users’ overall costs related to software development, testing, and training. The Fed also announced a revised testing strategy and backout strategy, as well as other details concerning ISO 20022’s implementation.
FTC to issue rulemaking on junk fees and fake reviews
On October 20, the FTC voted 3-1 at an open meeting to publish two rules for comments: the Advance Notice of Proposed Rulemaking (ANPRM) on Junk Fees (see here) and the ANPRM on Fake Reviews and Endorsements (see here). The first ANPRM addresses junk fees that are charged for goods or services that have little or no added value to the consumer. The ANPRM seeks comments on the prevalence of junk fees and the consumer harms arising from junk fee practices, among other topics. The second APNRM initiates a rulemaking proceeding addressing fake reviews and other endorsements, which can cheat consumers and honest businesses alike. The ANPRM seeks comment on the prevalence of fake and deceptive reviews and the consumer harms arising from them, among other things.
At the start of the meeting, members of the public provided feedback on the Commission’s work with some members of the public expressing concerns about how junk fees are harming consumers and businesses. Others also expressed consumers’ frustration with hidden fees that are added to bills that were not advertised up front. Regarding fake advertisements, some emphasized how consumers rely on reviews and how fake reviews can harm consumers and sellers. Commissioner Wilson, the sole ‘no’ vote on both measures, noted that the APNRM on junk fees “is sweeping in its breadth,” and said the APNRM potentially contradicts existing laws and rules, among other things. Chair Kahn, Commissioner Slaughter, and Commissioner Bedoya all voted yes for both measures. Regarding the junk fees ANPR, Commissioner Slaughter mentioned that she does not consider this to be “obscure” and expressed her support for the ANPRM, emphasizing that markets cannot function effectively with junk fees. Commissioner Wilson noted that she agrees that “fake and deceptive reviews are unlawful,” but does not believe public comment should be sought for this proposal because “the Commission already has a multi-pronged strategy in place to combat this issue,” such as FTC-published endorsement guides. Additionally, in October 2021, the Commission issued a notice of penalty offenses, which is explained in the ANPRM, and may enable the Commission to obtain civil penalties from marketers that use fake reviews.
FHA seeks comment on LIBOR transition
On October 19, FHA published a proposed rule in the Federal Register seeking public comment on transitioning existing FHA-insured forward and home equity conversion mortgage (HECM) adjustable rate mortgages (ARMs) from LIBOR to a spread-adjusted Secured Overnight Financing Rate (SOFR) index, after the one-year and one-month LIBOR indices cease to be published on June 30, 2023. The proposed rule also mentioned removing LIBOR and adding SOFR as an approved index for newly originated forward ARMs. According to the proposed rule, this change was made for HECM ARMs in Mortgagee Letter 2021- 08 and added to this proposed rule. As previously covered by InfoBytes, in March 2021, FHA issued ML 2021-08 announcing changes for adjustable interest rate HECMs as the market transitions away from LIBOR. Comments are due by November 18.
CFPB opines on junk data in credit reports
On October 20, the CFPB issued an advisory opinion, Fair Credit Reporting; Facially False Data, as part of a series of actions being taken by the Bureau to ensure consumer reporting companies comply with consumer financial protection laws. The advisory opinion emphasizes, among other things, that “a consumer reporting agency that does not implement reasonable internal controls to prevent the inclusion of facially false data, including logically inconsistent information, in consumer reports it prepares is not using reasonable procedures to assure maximum possible accuracy under section 607(b) of the [FCRA].” According to the Bureau, consumer reporting companies are legally required to follow reasonable procedures to assure maximum possible accuracy of information that they collect and report. As part of that requirement, companies must implement policies and procedures to screen for and eliminate junk data, including being able to detect and remove inconsistent account information and information that cannot be accurate. Additionally, companies’ internal controls must also be able to identify and prevent reporting of illegitimate credit transactions for a minor.
For more details on the CFPB’s advisory opinion program, please see InfoBytes coverage here.
Treasury releases CFIUS Enforcement and Penalty Guidelines
On October 20, the U.S. Treasury Department released CFIUS Enforcement and Penalty Guidelines to provide the public with information on how the Committee on Foreign Investments in the United States (CFIUS) assesses violations of laws and regulations on transaction parties. The guidelines inform the public about how CFIUS—which is tasked with identifying and mitigating certain national security risks related to foreign investments—assesses whether to impose a penalty or take other enforcement action for a violation of a party’s obligation, as well as factors that CFIUS considers when making such a determination. “The vast majority of those who come before CFIUS abide by their legal obligations and work collaboratively with the Committee to mitigate any national security risks arising from the transaction; however, those who fail to comply with CFIUS mitigation agreements or other legal obligations will be held accountable,” Assistant Secretary of the Treasury for Investment Security Paul Rosen stressed. “Today’s announcement sends a clear message: Compliance with CFIUS mitigation agreements is not optional, and the Committee will not hesitate to use all of its tools and take enforcement action to ensure prompt compliance and remediation, including through the use of civil monetary penalties and other remedies.”
FDIC proposes amendments to its guide on supervisory appeals process
On October 18, the FDIC Board of Directors announced it is soliciting further public comments on proposed amendments to its Guidelines for Appeals of Material Supervisory Determinations. The notice follows an action taken by the Board earlier in May, which restored the Supervision Appeals Review Committee (SARC) as the final level of review in the agency’s supervisory appeals process (covered by InfoBytes here). While the revised guidelines took effect immediately, the FDIC solicited comments on the changes. In response to comments received, the proposed amendments would add the agency’s ombudsman to the SARC as a non-voting member, and the ombudsman would be responsible for monitoring the supervision process after a financial institution submits an appeal. The proposed amendments would also require that materials considered by the SARC be shared with both parties to the appeal (subject to applicable legal limitations on disclosure), and allow financial institutions to request a stay of material supervisory determination while an appeal is pending. Additionally, the division director would be given the discretion to grant a stay or grant a stay subject to certain conditions. Comments on the proposed amendments are due within 30 days of publication in the Federal Register.
FDIC raises deposit insurance assessment rates
On October 18, the FDIC Board of Directors approved the adoption of a final rule to increase the initial base deposit insurance assessment rate schedules uniformly by two basis points beginning with the first quarterly assessment period of 2023. (See also FDIC fact sheet here.) The FDIC said that after considering comments and updated analysis and projections, the increase in assessment rates was adopted without change from when it was proposed in June (covered by InfoBytes here). The FDIC emphasized that the increased assessment revenue is intended to increase the likelihood that the reserve ratio of the Deposit Insurance Fund (DIF) reaches the statutory minimum of 1.35 percent by the mandated deadline of September 30, 2028, while also reducing the likelihood that the FDIC would need to consider a potentially pro-cyclical assessment rate increase where it raises assessments when banking and economic conditions may be less favorable. This increase “is projected to have an insignificant effect on institutions’ capital levels, is estimated to reduce income slightly by annual average of 1.2 percent, and should not impact lending or credit availability in any meaningful way,” the FDIC said. Concurrently, the FDIC maintained the Designated Reserve Ratio for the DIF at two percent for 2023.
Acting Chairman Martin J. Gruenberg stressed that it “is better to take prudent but modest action earlier in the statutory 8-year period to reach the minimum reserve ratio, than to delay and potentially have to consider a pro-cyclical assessment increase.” CFPB Director and FDIC Board Member Rohit Chopra also chimed in, saying that while he voted in favor of finalizing the deposit insurance rate increase, there are a number of changes that must be made over the long term to deposit insurance assessment policies. These include (i) finding ways for banks that pose the most risk to the DIF “to pay more, relative to smaller institutions where the likelihood of large losses to the Fund are tiny”; (ii) building a framework to ensure assessment rate changes are countercyclical where premiums are adjusted “upward and downward based on economic conditions, recent industry profits, and other appropriate indicators”; and (iii) developing “a framework that relies less on ad-hoc adjustments and more on a systematized formula” based on specific quantitative factors.