Last week, I despaired of CFPB edicts because I disapprove on principle of despotism no matter how well intentioned. But, as shown in our in-depth analysis of the CFPB’s request for views on consumer data rights, democratic process can also be disastrous. In what purports to be an “outline” of 71 pages and 149 questions often including numerous substantive sub-questions, the Bureau has gone back to its old habit of 1,000-plus page rules sure to do far, far more for lawyers than consumers seeking to better control their own financial destinies.
The outline and Director Chopra’s statements thereon lay out a powerful, persuasive argument about the benefits of data portability to an innovative, competitive, and inclusive retail financial system. I get it, but after that, I’m at a loss.
Here are just a few questions we couldn’t answer about whether the CFPB’s new standards will do what the Bureau wants or heighten consumer exposure to still more cyber, privacy, and financial risk:
Will the third parties gaining control of our account data be covered by new security standards and, if so, will these be enforceable? Will the data third parties gain via whatever authorization process the Bureau demands be deployed not just to answer our questions, but also to empower the already awesome network effects at the biggest quasi-financial companies wholly outside the reach of cross-selling and conflict-of-interest restrictions? Will the products that third parties and their partners select based on our data do us good or ill? For example, will “high-yield” accounts be FDIC-insured or otherwise cash-equivalent if funds being “managed” go from bank accounts to God knows where?
The Bureau’s outline is just as perplexing on the critical questions of what it means to financial institutions. Will payment-system providers be required to give consumers data on interchange fees or disputed transactions even in the course of an investigation thereon? It looks as if financial companies subject to these rules would need to tell consumers how they fared in internal score-keeping systems not just for the consumer’s own risk profile, but also for internal measurements such sales-compensation incentives. These and other disclosures appear expressly exempted by law from consumer-data rights, but the Bureau begs to differ.
Or, maybe it doesn’t – the questions are so voluminous and often also so contradictory as to make this just a guess about what the agency might have in mind. Is screen-scraping to be allowed? Maybe yes, maybe no, maybe sort of. And so forth.
To be sure, the Bureaus says that all it’s done is issue an outline that kicks off its mandatory small-business impact review. However, small businesses will be even more bewildered than we are because the outline often addresses them only in detailed descriptions of who is small rather than how consumer-data rights would affect them.
The CFPB can of course pronounce – as I said, it’s done that over the years in lots of rules that make a bit of sense only after still more 1,000-page “plain-English explainers” and, all too often, litigation. The Bureau seems to know it’s asking a lot and deciding very little – it’s already promising explainers. Still, it also says that the rule will be implemented and enforceable well before these are released or, indeed, the infrastructure essential for sound data rights is in place.
Comments on this quagmire are due by January 25, with the Bureau planning to enact final, definitive data standards by the end of that year. Good luck to that, but the likely outcome of this chaotic process is fast-finalized rules with many unintended consequences. Surely, the almost-thirteen years since Dodd Frank mandated these standards gave the CFPB time to do.