The 2010 Dodd-Frank Act really is the gift that keeps on giving. What’s it giving us this time? The regulations to enforce Section 1033 of Dodd-Frank, which will likely burden banks with responding to consumer and third-party requests. Section 1033, in case you have forgotten, is a consumer data-sharing rule. According to the CFPB, Section 1033 requires banks to make information available regarding products or services that a consumer obtained from the bank, including information relating to transactions (including costs, charges, and usage data). In the view of the CFPB, the Section 1033 rule should empower customers to move away from banks that are not meeting their needs and create more competition in the market. Based on current estimates, expect a proposed rule sometime in 2023 and a final rule sometime in 2024.
The CFPB published a lengthy high-level summary (22 pages) and an even lengthier outline of proposals and alternatives (71 pages) of what they’re considering for the proposed rule to implement Section 1033. These publications discuss which institutions would be covered by the proposed rule, which accounts would be covered, who may make requests of covered institutions, and what information may be requested, among other things.
Covered Institutions
In describing the institutions referred to as “covered data providers,” the publications lean heavily on definitions in Regulation E and Regulation Z. Both regulations apply only to consumers, and Section 1033 is no different. Covered data providers will comprise “financial institutions” as defined in Regulation E (e.g., anyone that holds consumer accounts or issues access devices and agrees to provide EFT services), as well as “card issuers” as defined in Regulation Z (e.g., anyone that issues a credit card).
Covered Accounts
Covered data providers would provide information regarding an “account” as defined in Regulation E (e.g., a demand deposit, savings, or other consumer account), or a “credit card account under an open-end (not home-secured) consumer credit plan” as defined in Regulation Z (e.g., any open-end account accessed by a card, other than a HELOC or overdraft line).
Requestors of Information
Under the current proposal, both consumers and third parties will be able to make information requests from covered data providers. Consumer requests should be straightforward, but third parties will be required to provide some sort of authorization disclosure to the consumer, for which the third party will need to obtain express consent. The third party will also need to certify to the consumer that the third party will abide by certain rules regarding the collection, use and retention of the consumer’s information.
Information Requested
There are six categories of information the CFPB is considering requiring to be made available:
1) Transactions and deposits that have settled, fees, account terms and conditions, the annual percentage yield, and the annual percentage rate (as applicable)
2) Prior transactions and deposits that have not yet settled
3) Prior transactions not typically shown on periodic statements or online account portals
4) Online banking transactions that the consumer has set up but that have not yet occurred
5) Account identity information
6) Other information, such as consumer reports, fees assessed on consumer accounts, bonuses, or other incentives, and information about security breaches that exposed consumer information.
When the CFPB publishes nearly 100 pages of guidance as a precursor to a proposed rule, you should expect that a lengthy and robust rule will be published at some point in 2023. There’s no way to know for sure exactly what will be in the proposed or final rule, but expect banks to be saddled with some level of responsibility for disclosing consumer data upon request. We’re available on the hotline to discuss the guidance published by the CFPB, but the real work on this issue shouldn’t begin until the proposed rule is published at a yet-to-be-determined date in 2023.