by Abigail Ulcej | Nov 23, 2021 | Commentary |
The Dodd Frank Act was enacted in 2010 in response to the 2008 financial crisis. Among the protections that it sought to create was Section 1033, which provides consumers increased access to – and control of – the personal data held by financial institutions.[1] Specifically, 1033 requires that financial institutions provide consumers with copies of their data upon request. The Consumer Financial Protection Bureau (CFPB) started gathering stakeholder opinions on Section 1033 several years after its passage and, in November of 2020, issued an Advanced Notice of Proposed Rulemaking (ANPR). FinTech companies and industry groups wrote comments in response to the ANPR in support of promulgating rules for Section 1033. They are eager for consumers to have the opportunity to pipe personal financial data from banks to their platforms. There are benefits to this system: with enhanced data portability, smaller companies have a greater chance of accessing the data they need to build innovative products that improve competition and are useful to the public. New toolscould aid in overdraft fee protection, credit score improvement, financial inclusivity, small business loans, fraud mitigation, and much more. However, there are potentially negative privacy implications if the CFPB implements Section 1033 without thoughtful consumer protection. CapitalOne’s comment on the Section 1033 ANPR voices concerns about “lightly regulated non-bank companies, particularly Data Aggregators and Data Users” gaining access to data that would otherwise be subject to the banking industry’s heightened data-handling rules. CapitalOne recommends that, for example, third parties who gain access to consumer data under Section 1033 become subject to the Gramm-Leach Bliley Act, which governs the management of individuals’ data by financial...
