Newsroom

NAFCU Senior Counsel for Research and Policy Andrew Morris Wednesday responded to the CFPB’s outline of proposals to implement section 1033 of the Dodd-Frank Act, which aims to provide a formal mechanism for making consumer data portable, sharing several concerns and suggestions on implementing the rule. This set of proposals marks the agency’s next step in issuing a financial data rights rule.

Currently, the proposals under consideration present significant challenges, both technical and competitive in nature. In the letter, Morris reiterated that the CFPB must avoid implementing section 1033 in a way that will “unfairly burden credit unions with enormous compliance costs and ultimately distort the financial sector’s competitive landscape.” 

To mitigate the risks associated with the CFPB’s outline of proposals, NAFCU instead supports an approach that issues “appropriate exemptive relief, scales back the technically prescriptive aspects of the Outline and allows credit unions to exercise appropriate judgment before granting third parties access to member data.”

Morris also underscored that granting access to consumer financial data, including for third-party data recipients, must be governed by principles of transparency, security, and fairness, and which allow consumers to exercise control over the use and retention of their data. 

“In general, when exercising section 1033 rights, consumers should know exactly what data a third party will be requesting on their behalf," wrote Morris. “Ultimately, the obligation to ensure that consumer data sharing preferences are honored should fall upon the third party recipient rather than the data provider.”

One of NAFCU’s major concerns relates to the data security of credit unions and their members. Morris noted credit unions have demonstrated great success in complying with the security and privacy requirements under Gramm-Leach Bliley Act (GLBA) and should be viewed as a model by the CFPB when implementing section 1033. He remarked that the bureau should ensure that nonbank, non-supervised third parties comply with similar safeguard guidelines, as adopted by functional banking regulators to mitigate fraud risks. 

In addition, the CFPB should ensure that data providers “are able to exercise, at their discretion, appropriate due diligence, and that the duration, scope, and usage of consumer data by third parties is governed by clear disclosures, informed consent, and principles of data minimization,” added Morris.

NAFCU supports empowering consumers with modern financial tools but has emphasized that the bureau should avoid issuing prescriptive technical standards and should instead focus its attention on a principles-based approach that supports a level playing field for all entities subject to a future section 1033 rulemaking. 

NAFCU has been an active voice on this topic and has submitted comments to the CFPB on its advance notice of proposed rulemaking on section 1033. The association has also met with agency staff to discuss the rule’s implementation and share related credit union concerns. 

Read the letter. NAFCU will continue to work with the bureau on its efforts to balance consumer protections while ensuring a reasonable regulatory environment for credit unions.