The Dodd-Frank Act was enacted in 2010 in response to the 2008 financial crisis. Among the protections that it sought to create was Section 1033, which provides consumers increased access to – and control of – the personal data held by financial institutions.[1] Specifically, 1033 requires that financial institutions provide consumers with copies of their data upon request. The Consumer Financial Protection Bureau (CFPB) started gathering stakeholder opinions on Section 1033 several years after its passage and, in November of 2020, issued an Advance Notice of Proposed Rulemaking (ANPR).
FinTech companies and industry groups wrote comments in response to the ANPR in support of promulgating rules for Section 1033. They are eager for consumers to have the opportunity to pipe personal financial data from banks to their platforms. There are benefits to this system: with enhanced data portability, smaller companies have a greater chance of accessing the data they need to build innovative products that improve competition and are useful to the public. New tools could aid in overdraft fee protection, credit score improvement, financial inclusivity, small business loans, fraud mitigation, and much more.
However, there are potentially negative privacy implications if the CFPB implements Section 1033 without thoughtful consumer protection. Capital One’s comment on the Section 1033 ANPR voices concerns about “lightly regulated non-bank companies, particularly Data Aggregators and Data Users” gaining access to data that would otherwise be subject to the banking industry’s heightened data-handling rules. Capital One recommends that, for example, third parties who gain access to consumer data under Section 1033 become subject to the Gramm-Leach-Bliley Act, which governs the management of individuals’ data by financial institutions. CFPB Director Rohit Chopra has acknowledged that there is a risk of inadvertently removing protections for certain types of information if 1033 is not carefully implemented, stating “we also need to make sure that banks and nonbanks are operating under the same set of rules, that there’s not regulatory arbitrage.”
Concerns regarding the safety of consumer data in the hands of non-bank financial institutions have proven salient. In early November 2021, stock trading app Robinhood revealed that an intruder had gained access to millions of consumers’ names and email addresses. Smaller subsets of consumers had more sensitive data accessed. PayPal came under scrutiny in early 2020 when security researchers exposed worrying vulnerabilities – some of which were dismissed by PayPal against the advice of the researchers.
Even Plaid, a self-proclaimed data aggregator and one of the most important FinTech companies today, indicated in its comments on the ANPR that, “The Bureau should supervise data aggregators…Many data aggregators, including Plaid, have reached a size at which supervision would provide helpful oversight and assurances to the ecosystem.” Similarly, a coalition of 29 FinTech companies (including Plaid) acknowledges that “[c]onsumers want to feel more in-control over their data…the Bureau should establish strong guidelines for consumer transparency and control, including that consumers be aware of all parties involved in data sharing and have controls over which data they are sharing, with whom, and for what duration.”
Companies like Plaid have incentives to better safeguard data to prevent future hacks because their reputation with individual consumers is an important part of their business model. These companies are highly visible, and consumers can tell when they are electing to interact with these companies. However, some data aggregators do not use data to provide services distinct from data-handling. These aggregators act simply as data brokers. Brokers can serve a useful purpose by doing the work of locating, gathering, and organizing information so that the companies who purchase data from them can focus on using it to innovate. However, brokers also create unique challenges because many of them are unknown to consumers; thus, there is no direct economic mechanism holding brokers accountable to those individuals whose data they hold.
Given the goals of the Dodd-Frank Act, the CFPB also needs to make sure that consumers truly do know what is happening with their data, and with whom it has been shared. This means that lumping Section 1033 consent into click-through privacy statements like those to which we have become accustomed is unlikely to be sufficient. A Pew Research study found that about 22% of Americans “always” or “often” read privacy statements before agreeing to them. Among those who ever read privacy statements (60% of respondents), only 13% say that they understand “a great deal” of them. Thus, there is a substantial chance that consumers who give consent to having their data sent to various third parties will not understand what they have consented to if consent statements are tacked on to existing privacy notices. Due to the importance of the data that stands to be released if Section 1033 rules are promulgated, more care must be taken to ensure that consumers genuinely understand what they are authorizing.
Fortunately, there may be principles at the foundation of administrative law dictating that privacy must be treated with the utmost respect. The purpose of the Dodd-Frank Act is “…[t]o promote the financial stability of the United States by improving accountability and transparency in the financial system,…to protect consumers from abusive financial services practices, and for other purposes.” If consumers lose control and visibility of sensitive data after the implementation of 1033, privacy advocates could argue that the agency is violating the purpose of Congress’s statutory mandate. Additionally, privacy advocates could argue that the CFPB acted arbitrarily and capriciously in promulgating a regulation which disregarded considerations at the heart of the statute.
With the proper privacy controls in place, rules promulgating Section 1033 of the Dodd-Frank Act could help advance the statute’s original goals: to empower consumers relative to big banks – whether that means gaining a better understanding of what big banks know about us, or transferring our data to other institutions so that we can use new financial tools. However, this promulgation must be handled with care, and regulators must ensure that any new rule does not erode the protections that presently safeguard financial information. Given the support from traditional big banks and the FinTech industry alike for safeguards, there is reason to be optimistic that a Section 1033 promulgation’s positive effects will outweigh its risks.
* Abigail Ulcej is an Associate Editor on the Michigan Technology Law Review.
[1] “… a covered person shall make available to a consumer, upon request, information in the control or possession of the covered person concerning the consumer financial product or service that the consumer obtained from such covered person, including information relating to any transaction, series of transactions, or to the account including costs, charges and usage data. The information shall be made available in an electronic form usable by consumers.”