CFPB Announces Future ANPR on Consumer Financial Access Rights Under Dodd-Frank

On July 24th, the Consumer Financial Protection Bureau (CFPB) announced plans to issue an advance notice of proposed rulemaking (ANPR) later this year implementing a section of the 2010 Dodd-Frank Act (Dodd-Frank) regarding consumer access to financial records held by, among others, residential mortgage lenders.

Section 1033 of Dodd-Frank requires lenders to “make available to a consumer, upon request, information in the control or possession of the [lender] concerning the consumer financial product of service that the consumer obtained from such [lender] … in an electronic form usable by consumers.”

The CFPB held a symposium about six months ago to solicit input from industry participants about how best to implement the Dodd-Frank requirement while also addressing potential issues with data security, privacy and unauthorized access to consumer data.  For example, symposium participants were generally in favor of allowing consumers to give third parties permission to access the consumer’s information held by lenders, although there were concerns that lenders would be forced to share proprietary lender information with third-party competitors.  A current practice of ‘credential-based access,’ in which a third-party uses the consumer’s credentials to access the consumer’s account information directly from the lender, often resulting in a ‘screen-scrape’ of the consumer’s data directly into the third-party’s system, could lead to unauthorized disclosure.  Participants generally agreed that a move towards third-party access through an ‘application programming interface,’ or API, would benefit both consumers and lenders.

The ANPR should address these concerns with detailed disclosure requirements and technical standards, as well as potentially adding a consumer disclosure requirement.  As symposium participants noted, other issues will likely arise in the implementation of these rules, such as liability of lenders and third-parties for unauthorized disclosure and use of consumer data, and whether a lender can refuse to disclose consumer data if it determines that the third-party request is not authorized, or that the third-party does not maintain sufficient security for the information it collects.

Sign up for news + updates

Expert insights and regulatory updates on RegTech, compliance management, and fair lending.

In this blog post concerning legal and regulatory matters of interest to the mortgage industry, Sandler Law Group (SLG) provides general information and industry observations that are not motivated by or concerned with a particular past occurrence or event, or a specific existing legal problem of which SLG is aware. Nothing published herein is intended to constitute legal advice and the use of the blog post by a reader shall not give rise to an attorney-client relationship with SLG. SLG expressly disclaims any representation of accuracy or reliability as to the content of this blog post, as well as any obligation to maintain such content over time or to ensure it is free from errors. Brad Cope is the attorney responsible for the SLG content of this blog post. Unless otherwise noted, the attorneys of SLG are not certified by the Texas Board of Legal Specialization.

Recommended Resources