President Biden Issues Executive Order Encouraging CFPB To Act On 1033 Data Access and UDAAP
On July, 9 2021, President Biden signed an Executive Order (EO) that is significant for the consumer financial services industry. The EO encourages the Director of the Consumer Financial Protection Bureau (CFPB or Bureau) to commence rulemaking under Section 1033 of the Dodd-Frank Act, which governs financial data access rights for customers of FinTechs or banks. The US policy behind this mandate is consistent with the desire to encourage open banking standards, albeit in a more piecemeal fashion than what has already been done in the UK. Nonetheless, it is important for businesses to understand that the various concerns of the CFPB with respect to data privacy and data control are now front and center for the administration as well.
Secondly, the EO also encourages the CFPB to keep enforcing the law in Section 1031 of the Dodd-Frank Act, which outlaws Unfair, Deceptive, or Abusive Acts and Practices (UDAAP) and can be at times controversial in a given case application. This requirement of Biden also dovetails substantively with the administration’s overarching goals: conceptually, the federal policy of Biden is that all businesses deserve a full and fair chance to attain the highest fruits of capitalism – but this cannot be done if some businesses are flouting regulations to the detriment of other businesses who are compliant. During the issuance of the EO, Biden noted in public statements that “capitalism without competition is exploitation” and “true capitalism depends on fair and open competition.” Never before had a White House, as the Biden administration has done here, put UDAAP concerns front and center in terms of the work that the CFPB must do to advance the White House goals concerning fair competition and open banking.
What is also notable is the context in which this EO arises. From a tangible standpoint, however, the CFPB was already working to study the voluminous comment letters that the public had submitted in reaction to the CFPB’s solicitation under Section 1033. The proposed rulemaking is the first of its kind and seeks to fill a hole in the patchwork quilt of federal and state privacy regulations created by tech innovation.
The existing CFPB work on 1033 builds upon what the prior Director, Kathleen Kraninger, had stated under the Trump administration. She emphasized how regulation ought to be promulgated, in the face of myriad albeit consumer-benefitting innovations, to ensure that consumers can control their own data while using new technologies. As a result, the 1033 rulemaking always had the potential to affect a multitude of products and services, including payments, lead generators, peer-to-peer lending, online trading, crypto trading, credit score improvement, financial management, and other types of financial records transfers. To add to the existing complexity, the CFPB is also able to hold technology companies liable (as service providers to financial services businesses) for violations of consumer privacy rules like those contemplated by the CFPB solicitation.
For convenience, we have condensed the 45 questions contained in the CFPB’s 1033 solicitation into the eight key categories of topics, which we previously wrote about here.
As we noted last November 2020, while not stated explicitly in the solicitation, the CFPB may assess the solicited comments to help determine whether and how to define a UDAAP (Sections 1031 and 1036 of the Dodd-Frank Act) in regards to consumer data access, building upon the decades of precedent by the Federal Trade Commission. The questions in the CFPB’s publication have set forth a practical blueprint to do so.
Now, with the Executive Order, the Biden administration has just put rocket fuel on an existing imperative for consumer financial regulation and technology companies.