news.cuna.org/articles/122008-cuna-makes-recommendations-for-cfpb-personal-data-rights-rulemaking
Data_center_119997

CUNA makes recommendations for CFPB personal data rights rulemaking

January 26, 2023

The Consumer Financial Protection Bureau’s (CFPB) rulemaking on personal financial data rights has the capacity to fundamentally transform financial services. That’s what CUNA submitted on Wednesday to the CFPB’s Small Business Advisory Review Panel for its rulemaking on personal financial data rights in section 1033 of the Dodd-Frank Act.

CUNA’s comment letter—along with a joint letter sent the same day with other financial services organizations—also included a number of recommendations for the CFPB.

“[D]edication to credit union members includes ensuring their members maintain the rights of access to their personal financial data and that the information remains safe, secure, accurate, and private,” the letter reads  “With this in mind, we ask the Bureau to consider the recommendations delineated below when designing the rules to foster innovation and improve the lives of consumers.”

These recommendations encourage the CFPB to:

  • Take ownership of authenticating third parties on behalf of covered data providers, including credit unions.
  • Provide a database of authenticated third parties for access request verification and specify reliance on the database should be a safe harbor from agency action or litigation relating to the authentication of the third-party requester.
  • Require the authorization disclosure to clearly and precisely describe the information being access, the duration and frequency of access, the identity of intended third parties, and the purpose of access.
  • Propose covered data providers take ownership of acquiring consumer consent for third party access requests.
  • Limit secondary uses of consumer data.
  • Pare back the categories of information required to be made available by covered data providers.
  • Allow for an extended implementation timeline.
  • Unambiguously shift liability from a covered data provider to a third party once the data leaves the provider’s system.

Engage in a rulemaking defining larger participants in the aggregation services market.