Thoughts on 1033 and what I'm looking for in comments
Hey all! First, I hope everyone had a safe and happy holiday season! Second, I look forward to keeping a more consistent publishing cadence for 2024!
Now that the time frame for 1033 comments has passed, the exciting part of reading the comments begins! Overall, the proposed rule was a good first step, but the CFPB left enough key questions unanswered that I hope the final rule will clarify them. And I’m curious how any affected parties commented. My questions below are far from exhaustive, but I thought a few are worth discussing a bit.
Questions and Issues from 1033 NPRM I Find Interesting
Who is covered, when must they comply, and what happens if the bank partner has a different compliance date?
“Third party” is not clearly defined regarding fintech and bank partner relationships. The CFPB is proposing it to mean, in part, “[a]ny other person that controls or possesses information concerning a covered consumer financial product or service the consumer obtained from that person.”
It is not clear—at least to me—what “obtained from that person” means and if it is meant to capture many fintechs with bank sponsors. For example, Fintech X partners with Bank Y to provide accounts through which consumers can deposit money and access and use debit cards. Bank Y holds the accounts and has the banking relationship with the consumer, but Fintech X is the consumer’s sole means of accessing the product. Put another way, the consumer cannot log into Bank Y’s website to gain access to or information about their account. The consumer can only log into Fintech X’s app or website. Has the consumer “obtained” the consumer financial product or service from more than one person here?
Put another way, is this fintech a data provider? If so, and it has less than $10 billion in revenue, it must comply with requirements for maintaining a developer interface one year or so after the effective date. But if Bank Y is under $50 billion in total assets, it won’t need to comply until at least two and a half years after the effective date. If the fintech must comply by a specific date, but the bank does not, will it be able to do so if the bank’s systems are not adequate to allow it to do so? What will happen then? Is the CFPB expecting banks that sponsor fintechs to upgrade their capabilities faster than otherwise required? Or is the CFPB expecting fintechs to migrate to banks able to provide the relevant technology stack?
I’m very curious to read responses that address this point. For example, if the third party is just a PFM app, then presumably the fintech can handle the internal ledger and access needed for balance and transaction history requests. But if the third party needs to initiate payments on a consumer’s behalf, that may require greater integration with the sponsor bank.
Who will bear the costs?
The NPRM is clear here - the data provider. However, I’m skeptical that the CFPB’s discussion of costs captured all the new costs imposed on data providers to meet third-party developer interface access requests. The CFPB is likely correct that contract negotiation will become more streamlined, but will an increased request for access offset those cost savings? And many critical points of contractual friction are not directly addressed by the rule, such as liability and indemnification (not saying that the CFPB should address these through rulemaking, only that failure to acknowledge these components may mean that the CFPB is underestimating both the cost and time it will take data providers to onboard third parties or data aggregators). I am very curious to read industry feedback on this point and whether the CFPB will adopt an alternative approach.
How are virtual assets treated for purposes of a Regulation E account?
In the CFPB’s NPRM for larger participants in the “general-use digital consumer payment application” ecosystem, the CFPB stated that it believes
the term “funds” in the CFPA is not limited to fiat currency or legal tender, and includes digital assets that have monetary value and are readily useable for financial purposes, including as a medium of exchange.1
That NPRM did not address any Federal consumer protection law. But such laws use the word “funds,” most notably the EFTA and Regulation E, but also, for example, Regulation Z in the context of secured cards.2
Will the CFPB consider entities that store virtual assets on behalf of a consumer to be providing a “Regulation E account” for purposes of 1033? Will the CFPB address this in the 1033 final rule or will it leave it unanswered? As I note in an upcoming chapter in an ABA book on banking and blockchain, in the past, when the regulator responsible for EFTA proposed changing its scope, they engaged in substantive rulemaking.3 Failure to do so here—and instead to announce through an unrelated rule—would undermine consumer protection. Hopefully if the CFPB maintains its stance that “funds” include specified virtual assets, it will follow custom and engage in substantive rulemaking rather than back-door compliance obligations through an unrelated rule.
Why did the CFPB choose “clear and conspicuous” and require an electronic signature rather than requiring the disclosures to be “non-bypassable”?
“Clear and conspicuous” is a typical disclosure standard, but regulators have provided limited guidance on meeting this standard in an electronic environment. In Regulation F—which implements the FDCPA—the CFPB elaborated more on this standard for written and electronic environments by specifying that “the location and type size also must be readily noticeable and legible to consumers, although no minimum type size is mandated.”4
Because the disclosures are prescriptive and must be segregated, this may not be problematic for third parties (or aggregators on their behalf) to meet. But this gets to my second question - why require an electronic signature? An electronic signature is very broadly defined under ESIGN5 and it will be easy for third parties or aggregators to get an electronic signature. It is unclear whether the CFPB believes that imposing this obligation will require third parties to inherently make the authorization non-bypassable, but that will not be the case.
If the CFPB wants to ensure consumers at least open the authorization, it could have chosen to require that the authorization be non-bypassable, as it did for the short- and long-form disclosures for specified prepaid cards6 or as Regulation Z requires for certain disclosures.7 An electronic signature requirement will not ensure this. If the CFPB wants the consumer to agree to the authorization, it could have said that instead (Note: checking a box or agreeing to an agreement is not inherently an electronic signature and can serve many purposes). This is not a “statute of frauds” concern. So, again, I’m unclear why and for what purpose the CFPB wants the consumer to sign the authorization.
Conclusion
The NPRM raised numerous other questions for me, and these are just a few that I thought worth discussing. As I review comment letters, I’m sure industry participants will raise issues that will be new to me. Overall, 2024 will be an integral year to developing open banking in the U.S.
1. 88 Fed. Reg. 80197, 80202 (Nov. 17, 2023).
2. TILA and Regulation Z prohibit offsets using funds deposited by the cardholder, or requiring that the consumer provide the bank with a valid security interest in such funds. 15 U.S.C. § 1666(h); 12 C.F.R. § 1026(d).
3. See, e.g., 59 Fed. Reg. 10,678 (Mar. 7, 1994) (The Federal Reserve Board amended Regulation E to address government benefit cards); 71 Fed. Reg. 51,437 (Aug. 30, 2006) (The Federal Reserve Board amended Regulation E to include payroll card accounts); and 81 Fed. Reg. 83,934 (Nov. 22, 2016) (The CFPB amended Regulation E to cover specified prepaid accounts).
4. 12 C.F.R. § 1006.34(b)(1).
5. 15 U.S.C. § 7006(5). “The term ‘electronic signature’ means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.”
6. 12 C.F.R. § 1005.18(b)(1)(i); Comment 18(b)(1)(i)-2.
7. Disclosures for certain variable-rate transactions, Comment 19(b)-2(v)(C); Disclosures with HELOC applications, Comment 40(a)(1)-5(iii); Disclosures with credit card applications, Comment 60(a)(2)-1(ii)(C).
For those interested in electronic disclosures, tracing the history behind providing disclosures electronically under Regulation Z is fascinating.