December 20, 2023

VIA E-Mail to [email protected]
U.S. Bureau of Consumer Financial Protection
1700 G Street, NW
Washington, DC 20552

Re: Docket No. CFPB-2023-0052 – Required Rulemaking on Personal Financial Data Rights

SIFMA1 appreciates the opportunity to provide feedback on the above-referenced Notice of Proposed Rulemaking (“NPRM”) issued by the Consumer Financial Protection Bureau (“CFPB”).

The NPRM invites feedback on the CFPB’s proposed rule to implement Section 1033 of the Dodd-Frank Act. In relevant part, Section 1033 establishes, in accordance with rules to be prescribed by the CFPB, a consumer’s right to access information in the control or possession of a “covered person,”2 including information related to any transaction, series of transactions or their account including costs, charges and usage data and further provides that this information “shall be made available in an electronic form usable by consumers.”3

As stated in SIFMA’s January 23, 2023, comment letter on the Small Business Advisory Review Panel for Required Rulemaking on Personal Financial Data Rights Outline of Proposals and Alternatives Under Consideration for the Personal Financial Data Rights Rulemaking (“SBREFA Comment Letter”), SIFMA supports consumers’ right to access their financial information in a safe and secure format.4 SIFMA likewise continues to advocate for that access right to be achieved in a manner that is designed to ensure responsibility and accountability for data aggregators and other parties that access such data, consistent with SIFMA’s Data Aggregation Principles.5 SIFMA is encouraged by the CFPB’s efforts to promote consumer-friendly innovation and competition in financial markets. However, there remains uncertainty regarding definitions, access, data fields, industry standards and liability for misuse or misappropriation of shared information, and the proposed rule leaves many of these issues to be solved later by standard-setting bodies. There is also uncertainty around the potential unintended impacts of the proposal’s limitation on access caps and prohibition on charging fees to request and access data.

Executive Summary
SIFMA believes the proposals should be further clarified and enhanced to ensure that SIFMA’s members are not unnecessarily burdened with requirements that lead to unintended consequences without a tangible benefit to consumers’ access rights under Section 1033. In this regard, SIFMA recommends the following clarifications and amendments to the proposals:

• address liability for shared information;
• amend the definition of consumer to mean current customer;
• impose and define access caps based on reasonableness;
• clarify the scope of covered data fields;
• amend the definition of covered data to exclude the sharing of payment initiation
  information;
• ensure that the final rule will not impose any recordkeeping requirements;
• allow the assessment of fees for market and reference data and reimbursement for
  reasonable costs associated with building, maintaining and making covered data
  available in the developer interface;
• ensure at least one standard-setting body is recognized pursuant to a public and
  transparent process and operating well in advance of the first compliance date and
  extend the first compliance date to two years after a standard-setting body has been
  recognized and issued qualified industry standards;
• amend the definition of qualified industry standards to be more prescriptive and
  implement guidelines for the promulgation of non-mandatory qualified industry
  standards;
• provide an explicit safe harbor so there is a rebuttable presumption of compliance
  when operating pursuant to the rule and qualified industry standards;
• clarify that Regulation E accounts held by Securities and Exchange Commission-
  registered entities are not within scope of the rule;
• clarify whether the final rule will apply to certain fiduciary accounts and ensure that
  the final rule will not conflict with a data provider’s fiduciary duties;
• clarify that certain data uses, such as information shared across institutions or within an institution among affiliates, are permissible;
• allow data providers to confirm the scope of their authorization with consumers regarding accounts and duration of sharing; and
• set a framework for diligence and supervision of authorized third parties and data aggregators.

1 SIFMA is the leading trade association for broker-dealers, investment banks, and asset managers operating in the U.S. and global capital markets. On behalf of our industry’s nearly 1 million employees, we advocate on legislation, regulation, and business policy affecting retail and institutional investors, equity and fixed income markets, and related products and services. We serve as an industry coordinating body to promote fair and orderly markets, informed regulatory compliance, and efficient market operations and resiliency. We also provide a forum for industry policy and professional development. SIFMA, with offices in New York and Washington, D.C., is the U.S. regional member of the Global Financial Markets Association (“GFMA”). For more information, visit http://www.sifma.org.

2 The term “covered person” is defined in section 1002(6) of the Dodd-Frank Act as “(A) any person that engages in offering or providing a consumer financial product or service; and (B) any affiliate of a person described in subparagraph (A) if such affiliate acts as a service provider to such person.” 12 U.S.C. § 5481(6).

3 12 U.S.C. § 5533(a).

4 On February 4, 2021, in response to the advanced notice of proposed rulemaking published by the CFPB on November 6, 2020, SIFMA submitted a comment letter recommending among other things, that the CFPB limit the scope of data subject to Section 1033 and support industry efforts to create interoperable standards that can accelerate innovation.

5 See SIFMA Data Aggregation Principles available here.