The latest lawsuit against the Consumer Financial Protection Bureau (CFPB) reflected a familiar theme, according to Garris Horn Senior Partner John Levonick, who sat down with Dodd Frank Update for an exclusive interview.
After combing through the bureau’s nearly 600-word data privacy final rule implementing Sec. 1033 of the Dodd-Frank Act and the subsequent 56-page complaint challenging its legality in a Kentucky district court, Levonick drew parallels to the industry’s reaction to past CFPB rulemakings which also spurred legal challenges.
In this particular case, the plaintiffs (Bank Policy Institute, Kentucky Bankers Association, Forcht Bank) argued the CFPB exceeded its statutory authority with the rulemaking because it will, upon implementation, require banks to share consumer financial data with third-party fintechs and data aggregators and that such a requirement will put consumer financial data at risk because these entities generally have less regulatory oversight than traditional banks.
Noting that many of the third parties in question are not subject to data protection and disclosure requirements outlined under the Gramm-Leach-Bliley Act (GLBA), the lawsuit argued the task of ensuring the accuracy and security of consumers’ sensitive information will fall to traditional financial institutions.
However, Levonick said this argument ignores the fact that banks already have a regulatory obligation to protect their customers’ data and the rule addresses third-party supervision concerns raised in the complaint.
“The rule clearly defers to the Federal Trade Commission for entities that aren’t subject to GLBA,” Levonick said. “[The plaintiffs] further contend that the rule limits banks’ ability to deny access to potentially unvetted third parties, which could jeopardize both the security of consumer data and the overall soundness of the banking system. However, the final rule gives a data provider ample opportunity to deny access to unvetted third parties if the data provider feels that safety and soundness questions exist. As long as the denial is reasonable, the data provider is fine.”
He also pointed to a section of the rule defining a “reasonable” denial of data access as being “(1) [d]irectly related to a specific risk of which the data provider is aware, such as a failure of a third party to maintain adequate data security; and (2) applied in a consistent and non-discriminatory manner.”
Essentially, the rule represents the codification of best practices in consumer data security regulators have been championing for years, Levonick asserted.
“The subtle message here is that the CFPB is reaching further into creating clear requirements that are going to force financial institutions to be responsible for the actions of their vendors, pulling the veil on the multilayered dependency of technology providers,” he said.
The CFPB’s stated mission to facilitate the establishment of an open banking system in the U.S. to empower consumers by giving them control over their sensitive financial data and the associated implementation costs to banks are likely among the greatest concerns at issue for the industry, Levonick believes.
He noted the tremendous pushback that came when the CFPB introduced its TILA-RESPA Integrated Disclosure (TRID) rule and then again with its Ability-to-Repay/Qualified Mortgage (ATR/QM) standards, which highlighted the industry’s recurring concerns about the cost of compliance. In this respect, the data privacy rule may represent a similar crossroads for traditional brick-and-mortar institutions.
The CFPB gathered several cost estimates for upfront implementation and ongoing maintenance for a variety of institutions and provided a thorough explanation of these figures in the rule, as well as several categories of one-time costs, staffing costs, and various updates to these figures throughout the research phase of the rulemaking process.
“The CFPB is attempting to set the stage to enable financial institutions to become more interoperable, to reduce the financial moats they have created around their products and services, and the CFPB clearly wants to establish that this massive shift in how business is to be conducted is being directed by a prudential regulator,” Levonick said. “Any massive shift in paradigm requires a regulatory framework, however vague it may be initially, as it is a place to start and an assurance that consumers are being protected while ushering in the next generation of banking.”
While consumers may benefit from greater interoperability between financial institutions and third parties, provided proper security safeguards are in place, banks understandably may be concerned about the prospect of potentially losing depositors at the drop of a hat. Such a prospect is always a concern from a safety and soundness perspective, which is partially why Levonick said he will be interested to see whether the Office of the Comptroller of the Currency weighs in on the CFPB’s rule.
Levonick said he is also keenly interested in how the rule’s provisions on secondary data use were revised between the proposed rule and the finalized version. He believes this portion of the rule will have the most immediate impact on financial institutions as they look to deepen their vendor management programs and amend their vendor contracts accordingly.
“The proposed rule limited secondary use of consumer-authorized data, requiring separate consumer consent for each use,” Levonick said. “Apparently, there was significant feedback on this subject, as the final rule allows some secondary uses without additional authorization, such as using data for improving the product or service the consumer requested, developing anti-fraud measures, and training underwriting models.”
Many fintech companies attempt to obtain secondary-use authority, through their service agreements with a financial institution, to hold consumer data beyond the term of their contractual obligations. By doing so, they seek to add value to the valuation of their business as a whole or to provide better market trending analysis. Generally, Levonick said, this would be palatable for institutions if the fintech “deidentified” the data, which entails removing or altering certain personally identifying attributes in the data. Eventually, this concept morphed into requiring full “anonymization” of the data, which is an even more comprehensive way to obscure the link between the data and the person connected to it.
“With these controls around secondary use, it appears that regulators will now be not only requesting vendor contracts, they will be scrutinizing these vendor contracts to see if they permit any violations of the secondary use constraints and now have another reason to assess data security and privacy controls,” Levonick said.
The CFPB’s data privacy rule and the lawsuit that followed have given the industry a lot to consider. If history is a guide, banks would be well-advised to begin reviewing vendor contracts and other activities necessary for compliance sooner rather than later.