RegFi Episode 49: CFPB’s 1033 Rule: Where to From Here?
30 min listen
Orrick Partner John Coleman joins the RegFi podcast for a conversation about what lies ahead for the CFPB’s finalized 1033 rule, including uncertainties created by litigation challenges, election results and the need for additional policy guidance and technical standards. The discussion also highlights key changes from the proposed rule, including extended compliance deadlines, threshold exemptions for smaller depository institutions, secondary use of consumer data and the role of standard-setting organizations (SSOs).
Jerry Buckley: | Hello, this is Jerry Buckley, and I am here with my Orrick partners, Sasha Leonhardt, Sherry Safchuk, and John Coleman. Today we are going to be discussing the CFPB’s recently released finalized version of its Personal Financial Data Rights Rule, sometimes referred to as the Open Banking Rule, which implements the provisions of Section 1033 of the Dodd-Frank Act. In a prior podcast, we discussed the principal provisions of this rule when it was proposed. It is not our intention here to review all the provisions of the rule again, but rather first, to review the overall objectives of the rule, then to note briefly the principal changes to the rule that emerged in the final rule, and then to turn to the questions that are on all of our minds, particularly where to from here, in light of the litigation and electoral uncertainties that surround the rule. So, let’s begin by asking Sasha to set the table by reminding our listeners of the policy objectives that led Congress to enact Section 1033 of the Dodd-Frank Act, and to briefly describe the approach the Bureau took to its rulemaking. Sasha? |
Sasha Leonhardt: | Thanks, Jerry. I’m happy to talk about this. At its core, the 1033 rule is about open banking. That is, the ability of consumers to access their financial information through technological means. Now, consumers have always had the right to get their information with respect to their accounts. But 1033 of the Dodd-Frank Act focuses on the ability to get that information in what’s going to be a standardized electronic format. Let me take you back to before the Dodd-Frank Act and shortly after its passage, when a lot of open banking was powered by screen scraping technology. And while that technology certainly opened up a lot of consumer data to help customers and third parties better understand financial information, it also created privacy and data security concerns, since screen scraping involved consumers entrusting a third party with their online access credentials. Not to mention that screen scraping also put a strain on the websites and systems for financial institutions as they dealt with these sorts of technologies accessing their sites on a near-continuous basis. So, under 1033, this was meant to standardize the process, formalize consumer rights, and address some of these data concerns. Although it was passed as part of the Dodd-Frank Act, it laid dormant for over a decade. After some public research and comments and convening a small business review panel, last year the CFPB released a proposed rule that you referenced above, Jerry. And on October 22 of this year, bright and early at 5 a.m. Eastern, I know I woke up to it, the CFPB released its final version of the 1033 rule. Now, we’re going to get to the exact provisions of that shortly and spend much of the rest of this podcast talking about it. But just to put that a little more in context, later that day on the 22nd, Director Chopra was speaking at the Federal Reserve Bank of Philadelphia and discussed the rule in some detail that he’d just issued at the CFPB. 
He said that the goal of the 1033 rule was to make it easier to cancel or switch products or services so as to improve competition and innovation. He also referred to how open banking can improve access to credit for people with thin or no credit reports, since the ability for a potential creditor to gain a direct feed to someone’s financial data can improve underwriting outcomes. And he said that this is just part of a larger set of rules to advance open banking. Now we’ll see where that goes, but the director certainly left us with a cliffhanger here. |
Jerry: | Well, Sasha, also, could you briefly review the state of play right now? What are the most significant changes that the Bureau made in the rule compared to its proposed form? And maybe, I know you can’t cover it all, but is there a way you can reference the changes that were requested that were not made that are controversial? |
Sasha: | Certainly. So, there were absolutely some changes made, but by and large, I think the assessment of most looking at this is that most of the proposed rule came through largely intact into the final rule. Nevertheless, some of these changes were significant. First and foremost, the Bureau extended the compliance dates under the final rule. Under the new rule that — or I should say under the final rule that’s been proposed — for the largest institutions, the first compliance date is April 1, 2026. And they’re staggered out on a year-over-year basis until April 2030 for the smallest institutions. There are threshold exemptions from coverage utilizing the Small Business Administration standards. That is, small depository institutions with under $850 million in assets, as determined by the SBA standards, would not have to comply with the rule. The CFPB was leaning on a standard-setting organization in originally promulgating the rule and expanded on that more and more. And just to level set here, for many of the technical and data-focused items in the rule, rather than setting its own specific rules and standards around the data, the CFPB developed a detailed process for a standard-setting body to apply for CFPB recognition. Once recognized by the Bureau, these data providers can provide their information consistent with the rule set forth by the standard-setting organization, and they’ll be deemed to be in compliance with the 1033 rule. And the recognition will last five years, after which an SSO can apply to have their recognition renewed. But the Bureau leaned even more into using SSOs, removed a handful of the technical elements in the original rule, and replaced them with language saying compliance with an SSO’s rules is deemed compliance with the rule. One other item I think that’s worth noting is anti-evasion language was added to the rule, particularly focused on data providers. 
The language was broadly written, and there’s not a lot of clarity around what the Bureau was focused on. But it did call out the idea that it does not want data providers to interfere with consumers’ or third parties’ ability to request data. And it doesn’t want data providers to offer information in a form or manner that may render the data unusable. But the Bureau was quick to note in its commentary that this is not an exhaustive list and that they have, quote, “the flexibility to address future data provider conduct taken to evade Part 1033.” So, we’ll see how that evolves in the future. But that is a notable addition there that was missing from the original rule. Now, you also asked about changes that were asked for, but didn’t make it into the final rule. There were a number of comments on this. We certainly can’t go through all of them, but two stuck out to my mind. The first was secondary use of data, and the second was liability for data providers. Under the original rule, there was a limited ability to use consumer data. It can only be used as required under other provisions of law, such as responding to subpoenas, used to prevent against actual or potential fraud, and then obviously used to process or provide the transaction that the consumer requested. In the final rule, they added one new item that said that data could be used to develop the product or service provided to the consumer. But notably, this limitation was rather tight here. Sherry’s going to touch on privacy shortly, and this kind of butts right up against those privacy questions. But I know that the Bureau’s commentary explicitly said that data obtained under 1033 cannot be used to advertise for cross-selling of other products or services, or for data sales, and the CFPB was also dismissive of the ability to use de-identified data or ask consumers to opt in to secondary uses. 
So again, I’m sure there’ll be more on that, but wanted to note that as one area where further requests for the ability to use data in other ways was not granted. The other one I want to touch on is liability here. One concern that we saw from data providers in their response to the proposed rule in the official registry was that it would put consumer data at risk. And some of that risk and liability could fall on the data providers, whose job it is to secure consumers’ data. Specifically, in the comments, there were concerns that banks are responsible for holding and keeping secure the consumer data, and if a third party purports to request data on behalf of a consumer but doesn’t actually have permission, that could create liability for the data provider. The CFPB did not address this issue at all, even though there were a number of questions around this. It did not insulate data providers from liability for providing data in good faith, for example. Now, it did retain language from the proposed rule allowing data providers to ask the consumer to confirm that a third party had authorizations. So, there is a way for a data provider to go out and ask a consumer to make sure that they’re not giving information improperly to a third party. But in the final rule, the Bureau added an example tying in the anti-evasion provision here. It said that the data provider cannot use as its mode of confirmation communication a channel that the customer is not used to using or that will take a long time to get a response. And those steps were deemed potentially to be evasion. So, I guess the long and short of it is there have been a few changes, but the rule largely remains intact. And I, for one, am watching closely to see what other guidance we may get from the Bureau in the coming months and how the industry responds. |
Jerry: | Thank you, Sasha. And John, now turning to you, could you help our listeners understand the question that we think is at the core of this podcast, which is, where to from here? The rule is already challenged in litigation, and we have a close election coming up. And there’s a long timeline, as Sasha just referenced, for implementation where further guidance might be provided by the Bureau. You have described this as like playing three-dimensional chess. It would be great if you could help our listeners understand the state of play regarding what is perhaps the most complex and consequential rulemaking that the financial services industry has encountered in many years. And I might add, for the benefit of our listeners who may not know John, that he was at the CFPB practically from its founding and left as deputy general counsel to join us in private practice three years ago. I can think of no one who is closer to or a more knowledgeable observer of the CFPB’s regulatory strategies. So, John, take it away. |
John Coleman: | Sure. Thank you, Jerry. And thanks for the kind introduction. You know, just by way of background — and Sasha’s touched on this — this has been, this rulemaking has been a long time coming. Even in the earliest days of the agency, folks were thinking about it. The official actions the agency took span back to 2016, during the Cordray administration of the CFPB into the sort of latter part of his administration, when the Bureau released a statement of principles. The Trump administration then picked up the baton, conducted a symposium, and issued an advance notice of proposed rulemaking. And then, as we’ve discussed, the CFPB under Director Chopra issued the proposed rule last October, which was finalized just this week. And so I think one thing to notice is just the amount of time, and I assure you, the amount of energy and skill and expertise that has been poured into this rulemaking by the staff and leadership of the CFPB, as well as by folks across the industry who have submitted comments in response to every opportunity given by the — and really, a lot of great thought has been put into it to get to where we were on Tuesday. And, you know, one thing that is fascinating is that while the rule did not diverge significantly from the proposal, and while the CFPB issued a 600-page notice with a preamble explaining some of its decisions and providing helpful clarification, in any rule of this size and significance, there are going to be interpretive questions that remain to be resolved by the agency, by the industry. And we’ve seen this, for example, in the early days of the CFPB, when the agency issued a number of mortgage-related rulemakings that really remade the compliance architecture around residential mortgage loans. 
There was a need for a tremendous amount of guidance by the agency, feedback from the regulated community to raise issues that the agency had not contemplated in its initial rulemakings, and then a number of amendments to those rules to resolve issues that had not been anticipated in the first final rule. And I raise all this to say that even there, where you had consistent leadership of the agency during the entire relevant time period, there was a lot of uncertainty about compliance obligations and a lot of give-and-take between the industry and the agency. You would expect that to be the case here. I think there are still a lot of open questions that are going to have to be resolved, assuming this rule remains the law of the land and assuming consistent leadership. But of course, the circumstances in which we find ourselves are quite different right now. As, of course, all our listeners are aware, there is an election — a very important election — in less than two weeks that could change not just the trajectory of the country, but the policy priorities of the CFPB. And it is, of course, the prerogative of any director of the CFPB to determine whether to revisit a rule or how to respond to requests for further guidance. And so that’s a significant source of uncertainty for regulated institutions who are reading through this rule as we speak and trying to understand what their obligations are going to be. Perhaps a more significant source of uncertainty, however, is the lawsuit that was filed literally hours after the rule was issued by the Bank Policy Institute, a trade association representing the country’s largest banks, the Kentucky Bankers Association, and an individual bank located in the state of Kentucky. 
And this lawsuit has a number of claims, but its lead claim, its sort of core argument, is that the Bureau has transgressed its statutory authority, exceeded its statutory authority, by interpreting the term consumer too broadly in Section 1033 to include not just those in a fiduciary or quasi-fiduciary relationship with an individual — the deposit account holder or the credit card account holder — but also third parties who are in contractual privity with that consumer. And the banks’ argument is that Congress did not intend for the Bureau to take the mandate that a consumer shall have access to the consumer’s financial information and turn that into an obligation on the part of banks to provide information to third parties who they compete with and who are at most in a contractual relationship with their customers. Now, I don’t want to handicap the likelihood of success on this claim, but I do think it’s important to point out that it is brought in the context of a regime that is post-Chevron deference. And so, a year ago, if this case had been brought, the district court would be asked sort of at step one of Chevron, whether the statute, and in this case, it’s the defined term, “consumer,” is ambiguous. And if so, whether the CFPB’s resolution of that ambiguity pursuant to its rulemaking authority was reasonable. I think there’s a likelihood that if that regime still existed, the Bureau would prevail. At least it would have much better odds of prevailing in this litigation if the Chevron deference regime still existed. But in a post-Loper Bright world, we’ve got a situation where a district judge in Kentucky, the chief judge, Danny Reeves, very well respected, is going to be asked what he thinks is the best interpretation of this statute. And if he doesn’t agree with the Bureau, which he well might, but if he doesn’t, then the entire rule is in peril. And this is significant in two respects. 
One, it’s a significant source of uncertainty, I think, for the industry. And I hope, for everyone involved, that that gets resolved sooner rather than later. And also, it’s got to be pretty demoralizing for the agency, who has fairly tried to do its level best to implement this statute over the years. And of course, I think people can reasonably disagree with a lot of the judgments it’s made. But I am nonetheless sympathetic to the folks who spend a lot of time working on this who might see their work thrown out. And so I think, you know, if you’re in a financial institution who has compliance obligations, data provider, authorized third party, or as a data aggregator, it’s not just sort of where we would be in the normal course of a rulemaking, which is reading the rule and trying to understand your compliance obligations, identifying sources of ambiguity, seeking guidance regarding those as appropriate. You’ve got these other sources of uncertainty that you’ve got to navigate as well. And so I think that just makes it particularly difficult for the industry. And we will see over the next several weeks and months whether some of that uncertainty dissipates. But I think that’s sort of where we are right now, Jerry. |
Jerry: | Thank you, John. You know, Sherry, you pretty closely follow state and federal data rights and privacy policy. And the 1033 rule has as its underlying theme the right of consumers to control their data and to limit its distribution, as was referenced previously. And there is a dark patterns theme as well. That is, making sure that consumers don’t, without full understanding, authorize the use of data for purposes that they may not realize. Could you briefly review this and what’s at stake here? |
Sherry Safchuk: | Thank you, Jerry. That’s a great question. The 1033 rule and the concept of dark patterns or deceptive practices are indeed critical topics in the realm of data rights and privacy policies. Two that I want to highlight: consumer control over their data and the two themes of access and portability. First, I wanted to flag that the CFPB noted that the 1033 rule is fundamentally about, and I would like to quote them, “empowering consumers to access account data controlled by providers of certain consumer financial products or services in a safe, secure, reliable, and competitive manner.” And how I view this is more specifically that the CFPA Section 1033 is really intended to provide consumers with a right to access their account information and authorize third parties acting on their behalf to access that information. And embedded in this consumer control concept is the idea of portability, which is allowing consumers to transfer their data from one service provider to another easily. And these are not new concepts. We have been seeing these concepts incorporated in state comprehensive privacy laws for the past few years. And to give you an example, in the California Consumer Privacy Act, the right to access and the right to portability are some of the first rights identified in the law. But with more control comes more risk. And if the ability to transfer data between parties becomes easier, so does the risk of bad actors being able to access the data just as easily. The other thing I want to talk about is consent and authorization. The 1033 rule emphasizes the concept of informed consent by a third party accessing covered data. And this concept weaves in elements of dark patterns or deceptive practices, which does not have one definition but has been described as design choices in user interfaces that trick or manipulate users into making decisions that they may not otherwise make. 
I think this is really important because of the idea of dark patterns we’ve seen in the past, enforcement and regulatory guidance provided by federal regulatory agencies, and so this is just one more step in that direction. And then subpart D of the rule, which focuses on authorized third parties, has several provisions emphasizing the requirements of express informed consent. Specifically, several provisions are devoted to describing what the authorization disclosure should look like and what information should be included in the authorization. While the preamble and the final rule only mention deceptive practices twice, it looks like the intent of the rule appears to be to limit dark patterns with respect to sharing of covered data with third parties. Jerry, you also asked what is at stake with this rule, and I think there are three things at stake. Number one, consumer trust. So, depending on how the rule is implemented, consumer trust may be enhanced because they have more control over and insights to the types of data collected or shared, or it may be fractured, particularly if bad actors can easily access personal data in a portable format. The other piece of it is regulatory compliance. How will companies be able to implement the rule in the timeframe provided? And what will implementation look like, especially in light of what John just mentioned with all of the uncertainty around the rule? And with how fast technology is moving, I’m curious as to how well standard-setting organizations will adapt to these changes. And then the last area that I want to highlight is data security. And I can’t emphasize this enough; it needs to be paramount when implementing the rule. If it’s easier for consumers to move their covered data, then it’s easier for bad actors as well. |
Jerry: | Very useful observations. Thank you. And if I could just pursue one brief other point with you, do you see any tension between the state laws that are proliferating, and of course had their origins in California, and the provisions of the statute, or are they pretty much in sync? |
Sherry: | So, there’s not so much a tension between the two laws as there is the fact that the state privacy laws generally carve out information obtained for financial products and services, whereas Rule 1033 expressly covers those types of products that would otherwise not be covered under state privacy laws. So, I don’t think it’s a tension necessarily, but more of an overlap. |
Jerry: | Interesting. Thank you. John, turning back to you, in any area where there is dynamic change, and no one can deny that in financial services data there is a lot of dynamic change going on, and particularly where there’s technology change taking place, it’s hard to engage in rulemaking because the environment for which the rules are written is always changing. Rules that are too specific or prescriptive run the risk of holding back progress. Do you have any observations on this from your long experience? |
John: | Well, I mean, I agree. I think most folks would agree that the rulemaking process, which is so important and provides really critical protections to folks who are regulated, has become very burdensome for agencies and takes a long, long time for them to carry out. This is a perfect illustration of that, this particular rulemaking. You know, the political environment in which we operate, where policy priorities shift with electoral politics at these regulatory agencies, adds to the delay as different administrations will have to take things in different directions and then switch back. And so, I think that also can add to the delay in engaging in rulemaking. I think this particular rule, I think there was an acknowledgement of the pace of innovation in this particular area. And the way that the agency attempted to deal with that was to, in effect, they might quibble with the declaration, but in effect to delegate to standard-setting bodies some of the obligation to sort of set the rules of the road, which the industry are going to follow. And this is one of the aspects of the rule that has been criticized in the lawsuit that was brought on Tuesday. But I think it is fair to at least acknowledge that the intention here was not to be too prescriptive in this rule but to allow an industry standard-setting body to really be sort of the lead on technical specifications and the like. Notwithstanding that intention, I think there’s always going to be aspects of the rule that don’t keep up with the market or with technological innovation. And I think one other way this agency does address that is through the expanded use of guidance, which of course can be done far more quickly but also comes with far less protection and sometimes comes without the protection and the process that the law requires. So, these are the tensions that agencies operate under. And I think they do their best to try and navigate it. 
But I think it’s a particular risk in this area, just given how fast everything is changing and the possibility that rules that take years and years to get done can be hung up even longer in litigation. |
Jerry: | You know, John, as you and I have witnessed over the years, there is a general principle of tech neutrality, which has been a part of the E-Sign Act. And even going back to the UCC, the statutes that are most durable are those that are tech neutral, that don’t pick winners and losers, that don’t allow for regulatory capture. And it’s going to be interesting to see how, as this rule moves forward, how the rule setting that’s being delegated is actually implemented. It’s a major challenge to those that are involved in that standard-setting organization. I think it’s a good approach, but it bears a lot of monitoring and watching in my personal view. Anyway, we are running out of time, unfortunately. I’m so glad you joined us, John, and thank you, Sasha and Sherry, for helping give our listeners an opportunity to sort of look ahead and think about where we’re going. There’s a lot of excitement about the rule as it came out, but understanding where it’s going is the key. So, thanks for all of you joining in this discussion. |
John: | Thanks for having us, Jerry. |