CU Trades List 13 ‘Important’ Changes to CFPB’s Proposed Data Reporting Rule

Since October, CUNA and NAFCU officials have made several attempts to communicate the organizations’ stance against the CFPB’s proposed rule, which would implement a section of the Dodd-Frank Act requiring financial institutions to share certain specific consumer financial data with third parties if the consumer says so.

In a 45-page letter to the CFPB on Friday, the trade groups, which have since officially merged into America’s Credit Unions, made another attempt to convince the Bureau to delay and make changes to the implementation of section 1033 of the Dodd-Frank Act.

According to the CFPB, the rule would apply to credit unions, banks, card issuers and other “payment facilitation providers” to hand over the financial data of consumers or members to a third party. CFPB Director Rohit Chopra said he believes the proposed rule would “give consumers the power to walk away from bad service and choose the financial institutions that offer the best products and prices.”

CUNA Senior Director of Advocacy and Counsel Madison Rose and NAFCU Senior Counsel for Research and Policy Andrew Morris co-authored the Dec. 29 letter and suggested 13 “substantive” and “important” changes to the proposed rule. Those changes include:

1. Provide tiered exemptive relief for covered data providers.
2. Provide longer compliance timeframes with transitional relief for covered data providers.
3. Recognize a qualified industry standard before advancing a final rule.
4. Establish a framework that permits data providers to charge reasonable fees for third party access.
5. Withdraw granular technical performance specifications for the developer interface.
6. Substantially curtail the categories of covered data.
7. Exclude certain data fields in the enumerated categories of covered data to the extent the categories themselves are not substantially curtailed.
8. Issue an additional request for information to refine cost estimates before proceeding with a final rule.
9. Create a safe harbor for data providers who rely on the representations of third parties about their data security and risk management practices.
10. Establish a clear allocation of liability to third parties who mishandle covered data or abuse their consumers’ trust.
11. Accommodate supervised financial institutions who offer legitimate secondary uses of covered data.
12. Establish a framework for accreditation that leverages the CFPB’s supervisory resources to whitelist third parties and alleviate excessive due diligence costs for data providers.
13. Establish clear data security standards and an appropriate supervisory framework for third parties that access covered data.

The letter added, “To mitigate the harm of the proposal and the hazards of rushing to publish a final rule, the CFPB should postpone the rulemaking and engage credit unions and other data providers through industry town halls, working groups, and pilot programs, then embark upon a new, better-informed rulemaking that takes into account the many harms that smaller entities may face without a robust RFA analysis. More meaningful engagement would yield more accurate assessments of costs, technical obstacles, and implementation timeframes, all of which the CFPB has severely underestimated.”

Comments on the CFPB’s proposed rule were due by Dec. 29. According to the Federal Register, there have been 5,956 comments submitted. The rule, if finalized, will go into effect 60 days after it’s published in the Federal Register.