The Consumer Financial Protection Bureau (the Bureau) is currently writing regulations to implement section 1033 of the Dodd-Frank Act (DFA). The proposed rules would require a covered entity to make available transaction data and other information concerning a consumer financial product or service obtained from a covered entity to a consumer or to a third party (agent, trustee, or representative acting on behalf of a consumer), at the consumer’s request. It also requires the Bureau to develop standards for the development and use of standardized formats for information made available to consumers. It enables consumers to allow consumers to transfer data to a new company, to a new service provider without having to start over. The Bureau stated the proposal will impact “depository and non-depository financial institutions that provide consumer funds-holding accounts or that otherwise meet the Regulation E definition of financial institution, as well as depository and non-depository institutions that provide credit cards or otherwise meet the Regulation Z definition of card issuer.” There are six categories of information that must be made available to consumers:

  • Periodic statement information for transactions which have settled;
  • Information regarding prior transactions that have not yet settled;
  • Information about prior transactions not typically shown on periodic statements or online banking portals;
  • Online banking transactions that the consumer set up but has not processed;
  • Account identity information; and
  • Other information, including consumer reports, fees, bonuses, rewards, discounts, and information about security breaches that exposed a consumer’s identity or financial information.

Third parties who collect, use, or retain consumer information would be obligated to:

  • Authorization disclosures including key terms of access, and categories of information accessed, and how to revoke it;
  • Protocols for the solicitation and obtain consumers’ consent to the terms of access
  • A statement of adherence to obligations regarding collection, use, and retention of the consumer’s information
  • Limiting collection, use, and retention of consumer-authorized information to what is reasonably necessary to provide a product or service
  • Providing consumers with a simple means to revoke authorization
  • Implementing data security standards to prevent exposing consumers to data security harms

The CFPB is considering an exemption based on a threshold based on asset size or activity level.