SIFMA Urges CFPB to Provide More Clarity for Proposals on Consumer Rights to Access Personal Financial Information

In comments on a CFPB Small Business Review Panel outline of proposals to implement a consumer's right to access personal financial information, SIFMA argued for limiting the scope of the data required to be reported, establishing necessary exemptions and further protecting data providers.

The CFPB's outline of proposals and alternatives responds to the agency's obligation to prescribe rules under Dodd Frank Section 1033 ("Consumer rights to access information"). That section establishes a consumer's right to access information in the control or possession of a "covered person," "including information related to any transaction, series of transactions, or their account including costs, charges and usage data" and provides that this information "shall be made available in an electronic form usable by consumers."

In its comments, SIFMA urged the CFPB to limit the scope of the data that would become subject to the reporting requirements. SIFMA asserted that the alternatives as proposed are too prescriptive and would place an unnecessary burden of cost on covered institutions. SIFMA acknowledged the CFPB's effort to clearly define the information it would collect, but said that the CFPB should include an exemption for highly sensitive personal information, as constantly sharing that information would increase consumers' exposure to identity theft or other confidentiality breaches. SIFMA urged the CFPB to address the potential liability providers might face from data sharing activities by an authorized third party and to create a flexible framework that tailors to the individual needs of data providers.

SIFMA acknowledged the CFPB's efforts to incorporate previous feedback, including (i) not proposing additional security requirements on top of existing Gramm-Leach-Bliley Act provisions, (ii) providing consumers with a clear and easy method to terminate data access for firms and (iii) not requiring consumers to provide login credentials to data aggregators. SIFMA encouraged the CFPB to continue building on these existing principals while clarifying certain topics such as the standards for data accuracy, or what defines "high-risk" secondary use of data.