CFPB Targets Financial Industry's Ability to 'Hoard' Personal Data in Proposed Rule

Bill Clark/CQ-Roll Call, Inc via Getty Images

The regulatory agency is the latest entity to propose its own consumer data privacy requirements absent an overarching federal law.

The Consumer Financial Protection Bureau is taking steps to potentially incorporate more financial data protection rules into federal regulations to help individuals maintain control over their sensitive information.

Outlined in a series of new proposals, the CFPB is currently accepting feedback on proposed rules to amend the Dodd-Frank Wall Street Reform and Consumer Protection Act that focus on strengthening consumers’ control and knowledge over their financial data in companies’ business operations. 

CFPB officials announced the new proposed rules to augment section 1033(a) of Dodd-Frank on Oct. 27. They cover regulatory areas like record retention, information receipts and disclosures to customers from authorized third parties. 

“Dominant firms shouldn’t be able to hoard our personal data and appropriate the value to themselves,” said CFPB Director Rohit Chopra. “The CFPB’s personal financial data rights rulemaking has the potential to jumpstart competition, giving Americans new options for financial products.”

The agency developed the proposals following its own analysis as well as from public feedback, particularly collected within the CFPB’s earlier 2020 Advance Notice of Proposed Rulemaking on consumer data access. 

This rulemaking would work to force private companies to improve their data services and products to better suit consumer safety, as well as give consumers more avenues to opt out of certain services. Companies impacted by these rules include banks and depository institutions, financial tech companies and any other firms that collect and store user data. 

Pursuant to the Small Business Regulatory Enforcement Fairness Act, the CFPB will be required to convene a Small Business Review Panel to evaluate the economic impact of the proposed rules to businesses that handle financial data. This panel will consist of one representative from the Office of Advocacy of the Small Business Administration, one representative from the Office of Information and Regulatory Affairs within the Office of Management and Budget, and one representative from the CFPB.

Within 60 days of convening, the panel will submit a report to the public rulemaking record consisting of advice from surveyed small entity representatives that are likely to be impacted by the proposed augmentations to the Dodd-Frank Act. The CFPB will then take this feedback into consideration.

The CFPB’s rulemaking is the latest federal attempt to instill greater consumer protection and control over individual data. Absent a federal data privacy law, agencies like the CFPB and the Federal Trade Commision have recently developed their own regulations and authority surrounding consumer data privacy. 

Earlier this week, Chopra opened the CFPB’s Advisory Board meeting with a statement emphasizing financial data rights and the agency’s forthcoming actions to help safeguard sensitive data, as part of a pivot to more open banking in the U.S.