Cindy Warner’s Post

A new Consumer Financial Protection Bureau (CFPB) rule that gives consumers more choice over financial products and services includes significant privacy protections safeguarding individual’s data, the agency announced Tuesday. The rule will require that banks and other institutions only use personal financial data for purposes consumers request, CFPB said. It also blocks third parties from using consumer data to benefit themselves. Additionally, the new rule will push the financial industry to stop “screen scraping,” a practice in which a consumer provides their login credentials to a third party, giving them the ability to access the consumer’s data, according to a CFPB press release. Screen scraping can lead to the sharing of inaccurate data and the dissemination of login information, according to remarks CFPB Director Rohit Chopra will deliver when he unveils the rule later today. Large financial institutions will be required to begin complying with the regulation, known as the Personal Financial Data Rights Rule, by April 2026 while smaller ones will be given until April 2030, according to a CFPB fact sheet. Some especially small banks and credit unions will be exempt from the regulation. The final rule prohibits what the CFPB press release called “bait-and-switch data harvesting” by mandating that third parties can only gather, use, or store data to provide the financial product the consumer asks for. “A company that ingests consumer’s data can use the data to provide the product or service the consumer asked for, but not for unrelated purposes the consumer doesn’t want,” according to the prepared remarks. “And it doesn’t matter that the company has included those purposes in legal fine print that you don’t have any practical ability to reject.” The new rule also gives consumers the right to revoke access to their data and upon doing so immediately block companies from using it, the agency said. A separate element of the rule makes data deletion automatic after a year unless a consumer explicitly consents to extending that period. Chopra portrayed the new rule’s impact on data privacy and consumer protection as significant. Companies will no longer be able “use your data against you by feeding it to a dynamic pricing model that ends up charging you more for an airline ticket,” according to his prepared remarks. “That’s not what you were in the market to get.” The rule relies on authorities provided by the 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act and is the first significant regulation put in place to take advantage of the law’s provision that consumers can access their personal financial data in a “standardized format,” according to Chopra’s remarks. https://lnkd.in/ei3U5b9J

How the CFPB’s 1033 Final Rule Differs from the Initial Proposal Today is a day the U.S. financial services community has been waiting for for at least a year– the Consumer Financial Protection Bureau (CFPB) issued its final 1033 rule making. The new rule, issued in the form of a 594-page document, aims to enhance consumers’ rights, privacy, and security over their own personal financial data. In order to accomplish this, the CFPB is requiring financial institutions, credit card issuers, and third-party fintech providers to make consumers’ personal financial data available to transfer to another provider for free. As a result, consumers will be able to add or switch providers in order to access better rates, receive better terms, and find services that best suit their needs. The CFPB states that the rule promotes competition and consumer choice, and will ultimately help improve customer service. “Too many Americans are stuck in financial products with lousy rates and service,” said CFPB Director Rohit Chopra. “Today’s action will give people more power to get better rates and service on bank accounts, credit cards, and more.” Today’s rule comes about a year after the CFPB issued a much shorter, 29-page document that proposed the change. So, aside from the document length, how does last year’s proposal differ from this year’s official ruling? Here are a aspects to note. As you may expect the final ruling provides a much more comprehensive and detailed explanation of the CFPB’s approach to regulating consumer access to financial data. The new document offers the rationale behind the rule, defines key terms, specifies requirements for data providers and third parties, and analyzes the rule’s potential impact on the market. Here are some specific differences between the proposed rule-making and today’s official rule. Transitioning away from screen scraping The final rule-making discusses the issues of screen scraping and emphasizes the aim to promote safer and more standardized methods to access data via developer interfaces. Liability considerations Today’s rule touches on the liability that stems from data sharing and explains the CFPB’s approach to addressing the liability with regulations and industry standards. Interaction with other laws The final rule includes a discussion on how it interacts with other existing laws, such as the Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act (GLBA). CFPB oversight and enforcement The rule released today includes the CFPB’s plans for overseeing and enforcing the rule’s requirements, including details on supervising third parties and addressing consumer complaints. Scope of data coverage The final rule offers a detailed look at the types of data covered by the rule, including discussions about specific data fields and potential exclusions. Definition of consumer Today’s rule specifically defines what constitutes a consumer for the purposes of the rule. It also offers...

Distinguishing Between Data Used for Fraud Detection vs. Identity Verification In its recent comments, the CFPB outlined its approach to regulating emerging technologies like AI and machine learning in financial services, particularly emphasizing fraud screening and risk assessment. However, a key risk to data providers arises from the CFPB's failure to distinguish between data used for fraud/credit risk assessments and identity detection. If the CFPB applies the same strict oversight to all data-driven activities without recognizing the fundamental differences between these use cases, data providers involved in identity detection could face unnecessary regulatory burdens. This could stifle innovation, as identity detection is often about verifying consumer identities rather than assessing creditworthiness or risk, which is traditionally governed by the Fair Credit Reporting Act (FCRA). Without making this distinction, data providers may find themselves subject to the same reporting and compliance requirements as those handling credit data, which could complicate their operations and increase costs. Companies that focus on identity verification could be penalized under the same rules applied to those assessing credit risk, creating regulatory confusion and hampering the ability of businesses to fight fraud effectively. For data providers, the absence of clear boundaries between these two distinct types of data application presents a significant risk, as it could lead to overregulation and potential limitations on their ability to serve financial institutions and companies marketing to consumers efficiently.

“On October 19, 2023, the Consumer Financial Protection Bureau (CFPB) released its long-awaited "Required Rulemaking on Personal Financial Data Rights" (Proposed Rule) for public comment. The Proposed Rule was issued under Section 1033 of the Consumer Financial Protection Act of 2010 (CFPA) and is intended to foster a consumer financial data access framework for third-parties that is safe, secure, reliable, and competitive by "direct regulation of practices in the market and by identifying areas in which fair, open, and inclusive standards can develop to provide additional guidance to the market.” This is the core of the US #OpenBanking framework. ..  “Through the Proposed Rule, the CFPB aims to establish a framework for consumers that would allow them to authorize third parties to safely collect their personal #financialdata and enable access to products and services provided primarily by #Fintechs. The Proposed Rule is comprehensive in scope and application, with potential impacts on a wide array of data providers (depository and non-depository institutions), third parties, and data aggregators.” Key points: ➡ Consumer Rights and Data Access: 1️⃣ The rule enforces Section 1033 of the Consumer Financial Protection Act, mandating financial institutions to provide consumers and authorized third parties with access to personal #financialdata in a secure and standardized electronic format. 2️⃣ The purpose is to promote transparency, competition, and innovation, enabling consumers to evaluate their relationships with financial providers and switch if desired. ➡ Data Providers and Third-Party Obligations: 1️⃣ Financial institutions (data providers) must ensure reliable and secure data access for consumers and third parties, prohibiting the use of screen scraping for data retrieval. 2️⃣ Authorized third parties must obtain explicit consumer consent, limit data use to necessary services, and maintain data security practices compliant with the Gramm-Leach-Bliley Act. They must also provide consumers with options to revoke data access. ➡ Market Competition and Standardization: 1️⃣ The rule aims to reduce barriers for new market participants by promoting open data standards and secure access protocols, countering incumbent dominance. 2️⃣ Compliance timelines are staggered, with larger institutions starting in 2026 and smaller providers having additional time, ensuring fair implementation while protecting smaller entities from competitive disadvantages. Consumers stand to gain in terms of ability to compare products and switch providers taking away a significant lockin from the provider’ side. PLEASE NOTE: the attached file is tuncated to its first 300 pages as Linkedin limits attachment size and lenght. The full document is: https://lnkd.in/dKWFU9a6 https://lnkd.in/dy9g2VPE

CFPB: New regulations will better protect consumers’ personal financial data. Key takeaways: 1. The new CFPB rule significantly increases financial data privacy protections for consumers, ensuring personal data is only used for purposes explicitly requested and forbidding third parties from benefiting from it. 2. The rule begins to tackle "screen scraping," a problematic practice that can lead to inaccurate data sharing, by aiming to push the financial industry away from it. Referred to as the Personal Financial Data Rights Rule, compliance will be required of larger financial institutions by April 2026 and smaller ones by 2030. 3. Notably, the rule introduces measures against "bait-and-switch data harvesting," mandating third parties to collect and use data only for delivering requested financial products and services, and enables consumers to revoke data access and ensure automatic deletion after a year. Learn more by visiting The Record from Recorded Future News: https://lnkd.in/e_hj4cgt

Unpacking US Privacy Laws in 2024 The digital age has brought immense benefits, but also significant concerns about how our personal information is collected, used, and protected. The United States currently lacks a comprehensive federal privacy law, leaving consumers with a patchwork of regulations depending on the type of data and the state they reside in. Federal Efforts: There are some existing federal laws that offer limited privacy protections. The Gramm-Leach-Bliley Act (GLBA) safeguards financial information, while the Children's Online Privacy Protection Act (COPPA) restricts data collection from minors. However, these laws are specific and don't offer a broader framework for consumer privacy. A Step Forward: The CFPB's Personal Financial Data Rights Rule A recent development is the Consumer Financial Protection Bureau's (CFPB) finalization of the Personal Financial Data Rights Rule. This rule empowers consumers to access and transfer their financial data between institutions, promoting competition and potentially lowering loan rates. It also includes data security measures, prohibiting "bait-and-switch" data harvesting and requiring data deletion upon request. While this is a positive step, it focuses solely on financial data. The State of State Laws: The void left by a lack of federal law has been partially filled by a flurry of state-level privacy legislation. California's Consumer Privacy Act (CCPA) of 2018 was a landmark, and since then, several other states have enacted comprehensive privacy laws. These laws typically grant consumers rights to access, delete, and opt-out of the sale of their personal information. However, the specifics and enforcement mechanisms vary significantly from state to state, creating a confusing landscape for businesses and consumers alike. Alignment with GDPR: The European Union's General Data Protection Regulation (GDPR) is considered a gold standard for data privacy. While the US approach is fragmented, the CFPB rule shares some similarities with GDPR in its focus on consumer control and data security. However, the US approach lacks the GDPR's comprehensive scope and enforcement mechanisms. The Road Ahead: The current situation leaves much to be desired. Consumers deserve clear and consistent privacy protections across the US. Whether a federal law will emerge remains to be seen, but the CFPB's rule and the growing number of state laws suggest a continuing push for more robust privacy protections. Moving the Needle: The CFPB's Contribution The CFPB's Personal Financial Data Rights Rule is a significant development. It empowers consumers with control over their financial data, fostering competition and potentially leading to better financial products and services. While not a comprehensive privacy law, it represents a step towards a more secure and consumer-centric data environment. #USPrivacyLaws #DataPrivacy #CFPB #OpenBanking #GDPR #ConsumerProtection

Today, the Consumer Financial Protection Bureau (CFPB) issued a comprehensive and protective final Personal Financial Data Rights Rule that gives consumers the right to share their financial account information with third parties while promoting privacy. “The Personal Financial Data Rights Rule will facilitate competition with the Big Three credit bureaus, which have long operated as an oligopoly that gives consumers no choice,” said Chi Chi Wu, senior attorney at NCLC. “This new rule also gives consumers greater control over what data is used and how. It should serve as a model for all data privacy regimes in the United States. It far exceeds the protection of weaker privacy laws that preceded it, such as the Gramm-Leach-Bliley Act.” #ProtectConsumers #Privacy

💯🎯Indeed, Kareem Saleh is spot on here. The consumers' best interest has never been debatable in the minds of the regulators (or ethical practitioners like us). 🔍 For those tech firms and FIs that have well prepared, according to historical analog guardrails, an invitation to review and confirm programmatic components. 😫 But for the others who have skirted the edges of ethical and regulatory boundaries, woe to them for their short-term thinking and failure to build the compliant foundation. ⚖ Fortunately, FairPlay AI has remained at the forefront of these issues and more. Never a bad idea to check in with Kareem and his team for an evaluation. #EWA #BNPL #CFPB #consumerprotection #regulatoryaffairs #riskmanagement #fairbanking

Many financial firms protect consumer privacy, even if they can claim Gramm-Leach-Bliley (GLBA) exemption from state privacy laws. But some financial firms push the limits of data collection and sharing. Then they state in their privacy notices they don’t sell or share data because of the exemption. This can give consumers a false sense of security. Boltive has found certain financial firms regularly going for broke. This includes lenders, banks, credit card issuers, and other organizations extending credit. They pervasively share data through pixels, tags and cookies with marketing and analytics vendors without the consent of consumers. Then they retarget ads to consumers who have attempted to opt out Fortunately, some regulators are limiting exemptions for financial firms. Here are a few examples ★California’s CCPA exempts financial information, but financial institutions regulated by the GLBA are still subject to the CCPA ★Oregon’s OCPA exempts data subject to GLBA. Similar to California, the entities themselves are not exempt. ★Minnesota’s MCPA exempts financial entities, but not their affiliates that aren’t’ primarily engaged in financial activities. The Consumer Financial Protection Bureau (CFPB) has issued a report that notes: “The GLBA and the FCRA give States latitude to offer consumers greater protections than what those federal laws provide for consumers. Absent action to enhance federal privacy protections, States may need to amend privacy laws to adequately protect consumers’ personal financial data.” 🔥If more states heed the advice of the CFPB, consumers will be better protected. Thanks to Keir Lamont for drawing attention to this topic in the Patchwork Dispatch last week #privacycompliance #dataprotection #dataprivacy

"The Consumer Financial Protection Bureau (#CFPB) today released a report examining federal and state-level privacy protections for consumers’ financial data. The report notes that protections under federal regulations for financial data have limits. Yet, many new state data privacy protections exempt financial institutions and consumer financial data covered by federal law, even though states generally have authority to go beyond the federal rules. As a result, in many states, privacy protections for financial information now lag behind safeguards in other sectors of the economy. The report explores whether consumer financial data is sufficiently protected, given new business models from banks and other financial institutions that make money from the use of this data, such as by creating advertising or marketing businesses." https://lnkd.in/eva5dGQX