Consumer Watchdog Invites State Regulators To Dance – NMP Skip to main content

Consumer Watchdog Invites State Regulators To Dance

Nov 14, 2024
CFPB Data Privacy report
Contributing Writer

As regulatory roll-backs loom over financial sectors, the CFPB says consumers' financial data rights are states' to forfeit

Following the Consumer Financial Protection Bureau (CFPB)’s late October finalization of a rule handing control of personal financial data back to consumers, the regulator released a report Tuesday underscoring the complexity of state consumer privacy laws that help or hinder their efforts, given a lack of strong federal consumer financial data protections.

Now that the U.S. presidential election is decided, markets anticipate a second Trump administration to support regulatory roll-backs across swaths of the U.S. economy, particularly in financial services. It's difficult not to see the CFPB’s report as an invitation to state regulators 
should an advocate for consumer financial protection disappear at the federal level.

As the market for collecting, mining, and selling consumers' personal financial data matures, the October rule seeks to strengthen consumers’ ability to shop around for financial services by requiring financial institutions, credit card issuers, and other providers to unlock an individual’s financial data and transfer it to another provider at the consumer’s request, for free.

That rule activates Section 1033 of the Consumer Financial Protection Act, a portion of the law that the CFPB has been slow to implement since Congress enacted the CFPA in 2010. At the time October’s rule was finalized, more rules were expected to follow.

Tuesday’s report from the CFPB underscores how financial institutions’ business models “are increasingly focusing on collecting and using large quantities of consumers’ financial data as a source of revenue, including by selling that data to third parties.” Ostensibly, aggregating personal data helps companies retain customers and target new customers more effectively, while tailoring delivery of services and cost structures accordingly.

However, a July 2024 report published by the House Committee on Financial Services found broad consensus that “existing federal privacy protections for financial information have limitations and may not protect consumers from companies’ novel and increasingly pervasive methods of collecting and monetizing data,” the CFPB cited, highlighting gaps in federal privacy laws and newly adopted state laws.

The Gramm-Leach-Bliley Act (GLBA), enacted in 1999 and updated in 2023, for example, “focuses on informing consumers so they can opt out, but an opt-in approach that prohibits businesses from sharing information until the consumer affirmatively agrees could be more protective of consumers’ sensitive information,” the report noted. "When consumers were given notice and a reasonable opportunity to opt out but did not do so, the financial institution and its affiliates can broadly use and share the consumers’ nonpublic personal information without violating the GLBA, so long as they do so consistent with what the financial institution’s privacy policy disclosed.”

Modeled after the European Union’s General Data Protection Regulation, 18 states have passed data privacy laws since Jan. 2018 that incorporate three, first-of-their-kind data rights for U.S. consumers: the right of access, the right to delete, and the right of portability.

These laws generally govern the “controller” of nonpublic personal information, or “the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data," according to the CFPB. The laws also impose certain obligations on processors, who handle and/or store data, but do not control it.

While these state laws offer a generally higher standard of consumer financial protections, they carry a fatal flaw, according to the consumer watchdog — “every one” of the new state laws includes exemptions for data governed by the federal GLBA, in addition to financial institutions subject to the GLBA. Fifteen states even exempt the affiliates of those financial institutions, as in, those financial institutions' third-party service providers.

“The GLBA exemptions in these state laws sharply circumscribe the effect of the state laws, and result in providing new protections with respect to data collected by nonfinancial institutions while leaving data collected by financial institutions behind,” the CFPB says, pointing out that exemptions in state laws reach far “beyond just exempting banks” because the term “financial institution” under the GLBA encompasses a wide variety of businesses engaged in lending, transferring money or securities, financial advising, asset management, consumer reporting, debt collection, loan servicing, and transaction services.

With the specter of regulatory roll-backs looming, “financial institutions’ rapid investment in expanding their own data monetization and absent stronger federal protections,” the CFPB warned, “states should consider whether they wish to continue to exempt these activities from the consumer rights and protections their comprehensive state privacy laws provide.”

About the author
Contributing Writer
Ryan Kingsley is a contributing writer for NMP.
Published
Nov 14, 2024
CFPB Weighs Changes To TRID Timing And Mortgage Rescission Rules

The bureau is seeking feedback on whether federal disclosure requirements raise costs, delay closings or limit access to mortgage credit

CFPB Issues AI Underwriting Guidance On Adverse Action Notices

The agency says proprietary and machine-learning models do not relieve lenders of their fair lending and disclosure responsibilities

VantageScore Says 4.0 Model Could Unlock $1 Trillion In Mortgage Originations

New study says VantageScore 4.0 scores five million more creditworthy borrowers than FICO Score 10T, expanding lending opportunities as the industry prepares for the GSE credit score transition

MISMO Updates Mortgage Insurance Standards To Support FICO 10T, VantageScore 4.0

New implementation guide standardizes mortgage insurance data exchange, helping lenders, insurers and technology providers prepare systems for newer credit scoring models

Congress Weighs New Roadmap To End Fannie, Freddie Conservatorship

Rep. Scott Fitzgerald's three-bill housing package would establish a statutory framework for releasing the GSEs while expanding construction lending and easing some TRID compliance requirements

CHLA Backs Bank Capital Proposal, Questions Impact On Mortgage Lending

Trade group supports lower mortgage risk weights but says broader market forces — not capital rules — drove banks' retreat from the market