81 FR 83806 - Request for Information Regarding Consumer Access to Financial Records
BUREAU OF CONSUMER FINANCIAL PROTECTION Federal Register Volume 81, Issue 225 (November 22, 2016)
Federal Register Volume 81, Issue 225 (November 22, 2016)
| Page Range | 83806-83811 | |
| FR Document | 2016-28086 |
[Federal Register Volume 81, Number 225 (Tuesday, November 22, 2016)] [Notices] [Pages 83806-83811] From the Federal Register Online [www.thefederalregister.org] [FR Doc No: 2016-28086] ======================================================================= ----------------------------------------------------------------------- BUREAU OF CONSUMER FINANCIAL PROTECTION [Docket No.: CFPB-2016-0048] Request for Information Regarding Consumer Access to Financial Records AGENCY: Bureau of Consumer Financial Protection. ACTION: Notice and request for information. ----------------------------------------------------------------------- SUMMARY: The Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) provides for consumer rights to access financial account and account-related data in usable electronic form. The Bureau of Consumer Financial Protection (Bureau or CFPB) is seeking comments from the public about consumer access to such information, including access by entities acting with consumer permission, in connection with the provision of products or services that make use of that information. Submissions to this Request for Information will assist market participants and policymakers to develop practices and procedures that enable consumers to realize the benefits associated with safe access to their financial records, assess necessary consumer protections and safeguards, and spur innovation. DATES: Comments must be received on or before February 21, 2017. ADDRESSES: You may submit responsive information and other comments, identified by Docket No. CFPB-2016-0048, by any of the following methods:Electronic: Go to http://www.regulations.gov. Follow the instructions for submitting comments. Email: [email protected]. Include Docket No. CFPB-2016-0048 in the subject line of the message. Mail: Monica Jackson, Office of the Executive Secretary, Consumer Financial Protection Bureau, 1700 G Street NW., Washington, DC 20552. Hand Delivery/Courier: Monica Jackson, Office of the Executive Secretary, Consumer Financial Protection Bureau, 1275 First Street NE., Washington, DC 20002. Instructions: Please note the number associated with any question to which you are responding at the top of each response (you are not required to answer all questions to receive consideration of your comments). The Bureau encourages the early submission of comments. All submissions must include the document title and docket number. Because paper mail in the Washington, DC area and at the Bureau is subject to delay, commenters are encouraged to submit comments electronically. In general, all comments received will be posted without change to http://www.regulations.gov. In addition, comments will be available for public inspection and copying at 1275 First Street NE., Washington, DC 20002, on official business days between the hours of 10 a.m. and 5 p.m. eastern standard time. You can make an appointment to inspect the documents by telephoning 202-435-7275. All submissions, including attachments and other supporting materials, will become part of the public record and subject to public disclosure. Sensitive personal information, such as account numbers or Social Security numbers, or names of other individuals, should not be included. Submissions will not be edited to remove any identifying or contact information. FOR FURTHER INFORMATION CONTACT: For general inquiries, submission process questions or any additional information, please contact Monica Jackson, Office of the Executive Secretary, at 202-435-7275. Authority: 12 U.S.C. 5511(c); 12 U.S.C. 5512(c). SUPPLEMENTARY INFORMATION: The Bureau is seeking public comment through this Request for Information (RFI) to better understand the consumer benefits and risks associated with market developments that rely on access to consumer financial account and account-related information. This RFI generally refers to such information as ``consumer financial account data.'' \1\ It further refers to consumer access to such information, including access by entities acting with consumer permission, as ``consumer-permissioned'' access. The RFI also labels account information that is obtained via consumer-permissioned access as ``consumer-permissioned account data.'' --------------------------------------------------------------------------- \1\ The RFI sometimes distinguishes ``consumer financial account data'' from ``non-financial'' consumer account data, the latter being held by companies that offer consumers non-financial products and services. The RFI uses the term ``consumer account data'' to refer collectively to both kinds of consumer account data, financial and non-financial. --------------------------------------------------------------------------- [[Page 83807]] The information obtained in response to this RFI may help industry develop best practices to deliver benefits to consumers and address potential consumer harms. It may also help the Bureau in prioritizing resources. For example, the Bureau may use the information obtained to evaluate whether any guidance or other action by the Bureau is called for, including future rulemaking. The Bureau encourages comments from all members of the public. The Bureau anticipates that the responding public may encompass the following groups, some of which may overlap in part: Individual consumers; Consumer and civil rights groups; Privacy advocates; Consumer financial product and service providers that control or possess data about consumer use of their products and services (for purposes of this RFI, ``consumer financial account providers''); Consumer financial product and service providers that rely, at least in part, on consumer-permissioned access to consumer financial account data (for purposes of this RFI, ``consumer- permissioned providers'' or ``permissioned parties''); \2\ --------------------------------------------------------------------------- \2\ For purposes of this RFI, consumer-permissioned providers are third-party providers. Thus, consumer financial account providers do not themselves count as consumer-permissioned providers by virtue of using the account data that they already hold to deliver additional services to customers. --------------------------------------------------------------------------- Entities that obtain consumer financial account data directly from consumer financial account providers for consumer- permissioned providers (for purposes of this RFI, ``account aggregators''); Consumer reporting agencies; Data brokers, processors and platform providers; Regulators; Providers of non-financial consumer products and services that may have knowledge of or experience in the use of consumer- permissioned account data to provide products and services to consumers; Participants in non-U.S. consumer markets with knowledge of or experience in the use of consumer-permissioned account data to provide products and services to consumers; and Any other interested parties. Part A: Regulatory Framework Applicable to Consumer-Permissioned Access to Account Information General Background In the Dodd-Frank Act, Congress instructed the Bureau to implement and enforce consumer financial law ``for the purpose of ensuring that all consumers have access to markets for consumer financial products and services and that markets for consumer financial products and services are fair, transparent, and competitive.'' \3\ Congress further instructed the Bureau to exercise its authorities so that ``markets for consumer financial products and services operate transparently and efficiently to facilitate access and innovation.'' \4\ --------------------------------------------------------------------------- \3\ 12 U.S.C. 5511(a). \4\ 12 U.S.C. 5511(b)(5). --------------------------------------------------------------------------- The Bureau has jurisdiction with respect to a number of Federal statutes and regulations that establish rights and protections related to consumer financial account-related information. These well- established statutory and regulatory frameworks cover a broad range of entities, including traditional providers of consumer financial products and services and newer entrants. In some cases, they may cover service providers to such entities as well. Many of these frameworks impose requirements that consumer financial account providers disclose certain information to their customers about their accounts. Disclosure requirements may include, for example, periodic statements with account information on transactions and fees or disclosures about the collection, sharing, use, and protection of consumers' non-public personal information.\5\ A consumer also has the right to access information about himself or herself held by certain entities, such as information in a consumer reporting agency's file on the consumer.\6\ --------------------------------------------------------------------------- \5\ See, e.g., Regulation Z, 12 CFR 1026.5(b)(2) and 1026.7(b) (implementing the Truth in Lending Act with respect to periodic statements for credit cards); Regulation E, 12 CFR 1005.9(b) (implementing the Electronic Fund Transfer Act with respect to periodic statements for traditional bank accounts and other consumer asset accounts); Regulation DD, 12 CFR 1030.6(a)(3) (implementing the Truth in Saving Act with respect to periodic statements for deposit accounts held at depository institutions); Gramm-Leach Bliley Act, 15 U.S.C. 6803, and its implementing regulations. Further, on October 5, 2016, the Bureau issued a final rule amending Regulations E and Z for prepaid accounts. For prepaid accounts, the final rule provides that as an alternative to providing the periodic statement, a financial institution must, among other things, make an electronic history of a consumer's account transactions available to the consumer that covers at least 12 months preceding the date the consumer electronically accesses the account. The requirement will become effective on October 1, 2017. \6\ Fair Credit Reporting Act, 15 U.S.C. 1681g(a). --------------------------------------------------------------------------- These and other legal frameworks also establish substantive consumer protections with respect to certain types of consumer information. Such protections include limitations on the use of such information, limitations on the disclosure of such information to third parties, and requirements relating to the security of such information.\7\ Other protections include limitations on consumer liability if a consumer's information is lost or stolen and the consumer suffers a loss from unauthorized use or an erroneous electronic debit.\8\ The Bureau also has authority under Title X to take action to prevent covered persons and service providers from committing or engaging in unfair, deceptive, or abusive acts or practices (UDAAPs). An entity's consumer data privacy or security practices can violate UDAAP standards.\9\ --------------------------------------------------------------------------- \7\ See, e.g., Fair Credit Reporting Act, 15 U.S.C. 1681 through 1681x, Gramm-Leach-Bliley Act, 15 U.S.C. 6801 through 6809, and their implementing regulations. \8\ TILA, as implemented by Regulation Z, protects credit card consumers from unauthorized credit card use. See TILA section 133; 15 U.S.C. 1643; 12 CFR 1026.12(b). EFTA, as implemented by Regulation E, does the same with respect to EFTs. See EFTA section 909(a); 15 U.S.C. 1693g(a); 12 CFR 1005.6(b)(2). \9\ In March 2016 the Bureau entered into a consent order with a provider of a consumer-facing, online payment network. Among other things, the Bureau found that the entity falsely represented to consumers that it employed reasonable and appropriate measures to protect data obtained from consumers from unauthorized access. (See http://files.consumerfinance.gov/f/201603_cfpb_consent-order-dwolla-inc.pdf.) Relying on section 5 of the Federal Trade Commission Act, which makes unlawful all ``unfair or deceptive acts or practices in or affecting commerce,'' see 15 U.S.C. 45(a)(1), the FTC has also taken action against companies that fail to take reasonable measures to protect the security of consumer data. See, e.g., FTC Matter/File Numbers 1023142-X120032 (Wyndham Worldwide Corporation); 052-3148 (CardSystems Solutions, Inc.); 052-3136 (Superior Mortgage Corp.); 052-3096 (DSW Inc.); 052-3117 (Nations Title Agency, Inc.); 062-3057 (Guidance Software, Inc.); 072-3046 (Life is good, Inc.); 072-3055 (TJX Companies); and 052-3094 (Reed Elsevier, Inc.). --------------------------------------------------------------------------- Consumer-Permissioned Access to Consumer Financial Account Information In the context of this existing statutory and regulatory landscape, section 1033 of the Dodd-Frank Act provides for consumer rights to access information.\10\ More specifically, section 1033 requires that ``[s]ubject to rules prescribed by the Bureau, a covered person shall make available to a consumer, upon request, information in the control or possession of such person concerning the consumer financial product or service that the consumer obtained from such covered person, including information relating to any transaction, or series of transactions, to the account including costs, charges, [[Page 83808]] and usage data.'' \11\ Section 1033 further provides that the information must be in an electronic form usable by the consumer, although it does not impose any duty to maintain or keep any information about a consumer. Additionally, section 1033 applies only to information that the consumer financial account data holder can ``retrieve in the ordinary course of its business with respect to that information.'' \12\ --------------------------------------------------------------------------- \10\ 12 U.S.C. 5533. \11\ 12 U.S.C. 5533(a). The Dodd-Frank Act defines ``covered person'' in detail at 12 U.S.C. 5481(6). The Act defines a ``consumer'' as ``an individual or an agent, trustee, or representative acting on behalf of an individual.'' 12 U.S.C. 5481(4). \12\ See id., 5533(c), & 5533(b)(4). Section 1033 contains a number of other exceptions. See 5533(b)(1)-(3). In addition, it requires the Bureau to prescribe standards to promote the development and use of standardized formats for information to be made available to consumers, including through the use of machine readable files. See 5533(d). --------------------------------------------------------------------------- Part B: Current Market Practices in Connection With Consumer- Permissioned Access to Account Information General Market Practice In recent years, the availability of consumer financial account data in electronic form, often in real-time or near-real-time, has made possible a range of benefits to consumers. When made readily available, such data foster consumer convenience, and they can help consumers understand and control their financial lives, make useful decisions, monitor spending and debt, set and achieve savings goals, communicate effectively with their financial service providers, and solve financial problems in timely ways.\13\ --------------------------------------------------------------------------- \13\ See, e.g., Aite Group, Personal Financial Management: A Platform for Customer Engagement (Feb. 24, 2010). --------------------------------------------------------------------------- Many providers of consumer financial products and services, from traditional providers like banks and credit unions to newer entrants such as online lenders, make available to consumers extensive electronic data about their accounts at that firm. Many consumers, however, maintain accounts with several financial service providers. As a result, by the late 1990s, market participants began to offer consumers services that depended, at least in part, on broader, consumer-permissioned access to data across a consumer's financial accounts--sometimes combined with other information about the consumer. Traditional account providers like banks have been the predominant users of such consumer account data. By obtaining data about the consumers' other accounts, banks and other traditional market participants have been able to supplement their use of existing in- house data for online advisory and account management services.\14\ Over time, however, newer entrants have also begun to provide products and services to consumers using consumer-permissioned, electronically- sourced account data.\15\ --------------------------------------------------------------------------- \14\ As far back as 2001, the Office of the Comptroller of the Currency (OCC) issued guidance to depository institutions under its supervision about using third parties to provide data aggregation services. See Office of the Comptroller of Currency, OCC Bulletin 2001-12, Bank-Provided Account Aggregation Services (February 28, 2001), available at https://www.occ.gov/news-issuances/bulletins/2001/bulletin-2001-12.html#. \15\ See, e.g., https://www.mint.com/terms (``The Mint Service is a personal finance information management service that allows you to consolidate and track your financial information. The Mint Service is provided to you by Intuit without charge[.]'') Intuit is Mint's parent company. --------------------------------------------------------------------------- Some consumer-permissioned providers have used their own proprietary technology solutions to access data from consumer financial account providers. However, given the large number of potential data sources and the transaction costs associated with obtaining consumer account data (sometimes on a recurring basis), other providers have relied on third-party ``account aggregators'' to provide the necessary technology. (Some entities have provided both account aggregation services to third parties and direct services to consumers using permissioned data.) In either case, the process of accessing consumer account data is often referred to as account or data aggregation.\16\ --------------------------------------------------------------------------- \16\ This RFI generally uses the terms ``account aggregation'' or ``aggregation.'' --------------------------------------------------------------------------- Technology advances have facilitated the development of aggregation services and the associated delivery of products and services that rely on consumer account data access. The Bureau understands that methods to access consumer account data--and to obtain consumer permission to do so--are technically complex and actively evolving. To enable access, consumers are often prompted to provide their online account credentials, including user name and password, and other forms of authentication such as knowledge-based security questions. Depending on the product or service, consumers may be asked to permit access only to a single account with an individual company or financial institution, or to multiple accounts held by a number of financial institutions and other companies. Typically, consumers provide their account credentials for a particular company or financial institution where they hold an account. Those credentials are then used to obtain their account data through either: (1) A structured data feed or an application program interface (API) hosted by the company or financial institution, or (2) the company or financial institution's consumer-facing Web site in a process known as screen-scraping.\17\ If an account aggregator is an intermediary in this process, it will generally transmit the consumer's data to permissioned parties through an API. The Bureau understands that account aggregators, as well as product and service providers that use consumer-permissioned data, sometimes store consumer account data for a range of uses, including those discussed further below. In addition, they sometimes obtain updated consumer account data on a recurring basis. --------------------------------------------------------------------------- \17\ For example, Yodlee, an account aggregator, reports that 75 percent of the data it aggregates from over 14,500 sources is collected through structured feeds from its financial institution customers and other financial institutions. See Envestnet, 2015 Annual Report, at 14 (Feb. 29, 2016), available at http://ir.envestnet.com/phoenix.zhtml?c=235783&p=irol-IRHome. Yodlee was an independent company until it was acquired by Envestnet in 2015. --------------------------------------------------------------------------- Consumer Benefits From Specific Market Uses The Bureau is aware of a number of types of products and services provided to consumers that make use of consumer financial account data on a consumer-permissioned basis, including the following: Personal financial management: Many personal financial management (PFM) tools allow consumers to view their account information from many accounts and financial service providers in a single, consolidated view. Automatic or motivational savings: Some companies provide automatic savings mechanisms for consumers to choose as well as messages to encourage savings. These companies may use algorithms that rely on permissioned account data to determine how much a consumer can afford to save or, at the transaction level, to ``round-up'' transaction amounts to the next dollar and save the remainder. Budgeting analysis and advice: Many providers allow consumers to set budgets and analyze their spending activity based on the classification of transaction data into categories like entertainment, food, and health care. Some services send a mobile or email notification when a consumer is over-budget or close to being over-budget. Consumers may be provided with other budgetary advice based on analysis of their transaction data, including comparisons with peer groups. [[Page 83809]] Product recommendations: Some advisors or providers may make product recommendations based on consumer financial account data. For example, if checking account data show the consumer incurring ATM fees, a provider might recommend other checking accounts with lower or no ATM fees. Account verification: Many consumer financial and non- financial products and services require consumers to verify their identity and bank account information. Account aggregation technology may be used for near-instant verification of account ownership. When used in this manner, such technology eliminates any need for the consumer to enter their account and routing number, a manual process that carries the possibility of typographical error. Account aggregation technology used for verification purposes can also eliminate the use of ``micro-deposits,'' which is a verification method that can take significantly longer to confirm account ownership. Loan application information verification: Some lenders may access consumer financial account data, such as the account's deposit history, to verify income and other stated loan application data. Aggregation can make this kind of verification process more efficient and more reliable. Credit decisioning: Some lenders may be using or considering using consumer or small business owner account data for underwriting or credit scoring purposes. Cash flow management: Some third-party providers notify consumers when transactions occur, when funds clear, or when an account balance approaches or dips below zero. These alerts can help consumers manage their cash flow and, in some cases, transfer money into their account to avoid NSF and overdraft fees. Funds transfer and bill payment: Some providers may obtain consumer authorizations to transfer funds for other purposes, such as timely bill payment or automatic transfers to retirement plans, and use information based on consumer financial account data to inform decisions about the transfer, such as its size and timing. Some companies also receive available funds data to verify account balances before initiating an account debit. Using that data they can avoid debiting an account that has insufficient funds and triggering NSF or overdraft fees for the consumer. In addition, some providers may retrieve bill information for consumers and allow the consumer to pay their bills, a process sometimes known as EBPP (for electronic bill presentment and payment). Fraud and identity theft detection: Some service providers may analyze consumer transactions across various financial accounts to identify and alert consumers to potential fraudulent or erroneous transactions. Investment management and other non-consumer business services: Some product and service providers rely on consumer financial account data to provide individuals with investment management services. In a similar manner, non-consumer data (such as data from a small business's checking account) may be used to provide accounting and expense management services to small business owners, their investors, or lenders. Current Market Issues and Risks Market developments to date speak to the consumer benefits associated with consumer-permissioned account data access. However, such access may also present risks to market participants, including consumers. Public discussion of access to consumer financial account data has focused significant attention on data security and privacy issues.\18\ In particular, some consumer financial account providers have raised concerns about whether account aggregators or permissioned parties employ adequate security and privacy procedures with respect to consumers' online account credentials and consumer account data obtained through aggregation.\19\ --------------------------------------------------------------------------- \18\ In a different context, commenters have told the Bureau that such concerns--what data will be retrieved, how securely it will be stored, and with whom it will be shared--may cause consumers not to adopt new, potentially beneficial products and services. See Consumer Financial Protection Bureau, Report on Mobile Financial Services, at 54-64 (November 2015) (listing ``security'' and ``privacy'' as the top two challenges or risks to adoption of mobile financial services by the underserved), available at http://files.consumerfinance.gov/f/201511_cfpb_mobile-financial-services.pdf. \19\ See Peter Rudegeair, J.P. Morgan Warns It Could Unplug Quicken and Quickbooks Users, Wall St. J. (Nov. 24, 2015), available at http://www.wsj.com/articles/j-p-morgan-may-unplug-some-customers-access-to-account-data-1448375950?alg=y. --------------------------------------------------------------------------- Privacy and security concerns have also been raised about whether account aggregators and permissioned parties obtain or retain more consumer information than is necessary for the specific product or service being provided, as well as the extent to which--and terms under which--they may use the data for purposes other than providing the requested product and service and may make data available to other entities.\20\ A number of parties have also raised concerns about the application of the Fair Credit Reporting Act in this area.\21\ In addition, some consumer financial account providers have expressed concern about their liability for unauthorized transactions that may result from a breach of consumer credentials or consumer financial account data held by an account aggregator or a permissioned party.\22\ The Bureau understands that discussions among market participants surrounding these and other security and privacy-related issues are ongoing. --------------------------------------------------------------------------- \20\ See, e.g., Bradley Hope, Provider of Personal Finance Tools Tracks Bank Cards, Sells Data to Investors, Wall St. J. (Aug. 6, 2015) (reporting that Yodlee sells some of the data it collects to investment firms but that Yodlee has not publicly disclosed that it does so, and that Yodlee has stated that individuals' identities cannot be discerned from its data set), available at http://www.wsj.com/articles/provider-of-personal-finance-tools-tracks-bank-cards-sells-data-to-investors-1438914620. \21\ See, e.g., Federal Reserve Bank of Philadelphia, Compliance Corner (Q4 2001), On-line Aggregation: Benefits and Risks, at CC4, available at https://www.philadelphiafed.org/bank-resources/publications/compliance-corner/2001/q4cc_01.pdf. \22\ See, e.g., Jamie Dimon, Letter to Shareholders, at 21 (April 6, 2016) (expressing ``extreme concern'' over, among other things, data security and privacy, because customers have let aggregators access their bank accounts and account information); see also, Robin Sidel, Big Banks Lock Horns with Personal-Finance Web Portals, Wall St. J., Nov. 4, 2015, available at http://www.wsj.com/articles/big-banks-lock-horns-with-personal-finance-web-portals-1446683450. --------------------------------------------------------------------------- The Bureau also understands that market participants, including financial institutions that provide consumer deposit and other financial accounts, non-financial providers of consumer products and services, account aggregators, and permissioned parties continue to address their working arrangements, often bilaterally, with respect to consumer account data. Those efforts encompass the sharing of technical burdens, the frequency and volume of data provision, counterparty vetting, consumer protection obligations (particularly in the event of a data breach), compensation and indemnity arrangements, and other concerns. The Bureau believes, however, that such market participants do not necessarily share common views about consumer protection and other consumer interests. More fundamental still, the Bureau does not believe that consumer views have been adequately represented in this area. The Bureau is concerned, therefore, that some market participants may decide to restrict consumer-permissioned access to data in ways that undermine consumer interests identified in section 1033--and that are broader than necessary to address legitimate privacy and security concerns. [[Page 83810]] Part C: Questions Related to Consumer-Permissioned Access to Account Information This request for information is intended to cover practices--and potential practices--concerning consumer-permissioned access to consumer financial account data. The Bureau is interested in learning more about how consumer products and services may rely on such data, regardless of whether the products or services that make use of such data are technically ``consumer financial'' products or services, or whether such products also rely on consumer-permissioned data from non- financial accounts or on data from other sources. So long as submissions shed light on the use of consumer-permissioned access to consumer financial account data, they will be responsive. Except where specifically noted, therefore, these questions use consumer ``products'' and ``services'' to refer to consumer products or services that are financial or non-financial, but that rely at least in part on consumer-permissioned access to consumer financial account data. Questions 1 through 17 below seek information about current market practices. Questions 18 through 20 enable commenters to describe how they believe market practices may or should change over time. Questions use ``consumer-permissioned access'' to cover direct access by the consumer upon request and access by the consumer's permissioned designees, but, where they deem it appropriate, respondents may provide different answers for these two forms of consumer access. Current Practices 1. What types of products and services are currently made available to consumers that rely, at least in part, on consumer-permissioned electronic access to consumer financial account data? What benefits do consumers realize as a result? This question covers the use of such data to deliver products or services or to assess eligibility for a given product or service. 2. How many consumers are using or seeking to use such products or services? What demographic or other aggregate information is available about these consumers? 3. To provide or assess eligibility for these products and services, what kinds of consumer financial account data are being accessed, by what means, under what terms, and how often? How long is accessed data stored by permissioned parties or account aggregators? 4. To provide or assess eligibility for these products and services, what kinds of non-financial consumer account data are being accessed by parties that also access consumer financial account data? By what means, under what terms, and how often? How long is accessed data stored by permissioned parties or account aggregators? 5. What types of companies offer products and services that rely, at least in part, on consumer-permissioned electronic access to consumer financial account data, either to deliver the product or service or to assess eligibility for the product or service? To what extent are such products and services offered by entities that offer transaction accounts? To what extent are they offered by other market participants? 6. In what ways, if any, do consumer products and services that rely, at least in part, on consumer-permissioned electronic access to consumer financial account data differ according to whether the offering company provides or does not provide transaction accounts to consumers? Do any such differences impact consumers? If so, how? 7. To what extent do market participants compete to offer consumer products and services that rely, at least in part, on consumer- permissioned access to consumer financial account data? How does such competition impact consumers? 8. What incentives or disincentives exist for consumer financial account providers to facilitate or discourage consumer-permissioned access to the account data that they hold by permissioned parties or account aggregators? In what ways do consumer financial account providers directly or indirectly facilitate or restrict consumer- permissioned access to account data? What are the associated impacts to consumers and other market participants? 9. What impediments, obstacles or risks do consumer financial account providers currently face in providing data to or allowing access to data by permissioned parties or account aggregators? Describe specific operational costs, risks, and actual or potential losses, and identify their specific causes. 10. What impediments, obstacles or risks do permissioned parties or account aggregators currently face in obtaining such data? Describe specific operational costs, risks, and actual or potential losses, and identify their specific causes. 11. What impediments, obstacles or risks do consumers currently face in obtaining--including permitting access to--such data? 12. What security and other risks do consumers incur if they permit access to their financial account data in order to obtain a particular product or service? What steps have consumer financial account providers, account aggregators, permissioned parties and other users of consumer-permissioned account data taken to mitigate such risks? What information do these parties communicate to consumers about associated risks? 13. In what ways, do account aggregators or permissioned parties use consumer-permissioned account data for purposes other than offering or facilitating the delivery of a specific product or service to the permissioning consumer? Do such companies continue to access or store data after the consumer ceases to use the product for which the permissioned data use was intended by the consumer? Do such companies share the data with other parties and, if so, under what terms and conditions? What are the associated impacts to consumers? 14. When consumers permit access to their financial account data, what do they understand about: what data are accessed; how often they are accessed; for what purposes the data are used; whether the permissioned party or account aggregator continues to access, store or use such data after the consumer ceases to use the product or service for which the permissioned data use was intended by the consumer; and with which entities a permissioned party or account aggregator shares the data and on what terms and conditions? What drives or impacts their level of understanding? What impact does their level of understanding have on consumers and on other parties, including on consumers' willingness to permit access? 15. To what extent are consumers able to control how data is used by permissioned parties or account aggregators that obtain that data via consumer-permissioned access? Are consumers able to control what data are accessed, how often they are accessed, for what purposes and for how long the data are used, and with which entities, if any, a permissioned party or account aggregator may share the data and on what terms and conditions? Are they able to request that permissioned parties, account aggregators, or other users delete such data? Is such data otherwise deleted and, if so, when and by what means? To what extent are consumers consenting to permissioned party and account aggregator practices with respect to access, use and sharing of consumer financial account data? 16. Do consumer financial account providers vet account aggregators or permissioned parties before providing [[Page 83811]] data to them? Do consumer financial account providers perform any ongoing vetting of account aggregators or permissioned parties? If so, for what purposes and using what procedures? What are the associated impacts to consumers and to other parties? 17. What industry standards currently exist, in development or otherwise, to enable consumer-permissioned access to financial account data? Potential Market Developments 18. What changes are or may be expected to happen to any market practice described in response to questions 1 through 17, why, and with what impacts to consumers, consumer financial account providers, permissioned parties, and account aggregators? Responses to this question may be integrated into responses to questions 1 through 17 if commenters prefer. 19. What changes should happen to any market practice described in response to questions 1 through 18, why, and with what impacts to consumers, consumer financial account providers, permissioned parties, and account aggregators? Responses to this question also may be integrated into responses to questions 1 through 17 if commenters prefer. 20. Are ``industry standard'' practices that provide consumers with data access comparable to that envisioned by section 1033 of the Dodd- Frank Act likely to be broadly adopted by consumer financial account providers, permissioned parties and account aggregators in the absence of regulatory action? If not, how will ``industry standard'' practices be insufficient? What marketplace considerations are likely to bear on such developments? Generally, how will the advent of standard practices for consumer-permissioned access to consumer financial account data affect competition and innovation in various consumer financial service markets? Dated: November 14, 2016. Richard Cordray, Director, Bureau of Consumer Financial Protection. [FR Doc. 2016-28086 Filed 11-21-16; 8:45 am] BILLING CODE 4810-25-P
![83806 Federal Register / Vol. 81, No. 225 / Tuesday, November 22, 2016 / Notices
the address listed above. Comments may Dated: November 16, 2016. you are responding at the top of each
also be submitted by facsimile to Julia Harrison, response (you are not required to
(301)713–0376, or by email to Chief, Permits and Conservation Division, answer all questions to receive
NMFS.Pr1Comments@noaa.gov. Please Office of Protected Resources, National consideration of your comments). The
include the File No. in the subject line Marine Fisheries Service. Bureau encourages the early submission
of the email comment. [FR Doc. 2016–28022 Filed 11–21–16; 8:45 am] of comments. All submissions must
Those individuals requesting a public BILLING CODE 3510–22–P include the document title and docket
hearing should submit a written request number. Because paper mail in the
to the Chief, Permits and Conservation Washington, DC area and at the Bureau
Division at the address listed above. The BUREAU OF CONSUMER FINANCIAL is subject to delay, commenters are
request should set forth the specific PROTECTION encouraged to submit comments
reasons why a hearing on this electronically. In general, all comments
[Docket No.: CFPB–2016–0048] received will be posted without change
application would be appropriate.
Request for Information Regarding to http://www.regulations.gov. In
FOR FURTHER INFORMATION CONTACT: addition, comments will be available for
Amy Hapeman or Sara Young, (301) Consumer Access to Financial
Records public inspection and copying at 1275
427–8401. First Street NE., Washington, DC 20002,
SUPPLEMENTARY INFORMATION: The AGENCY: Bureau of Consumer Financial on official business days between the
subject amendment to Permit No. 18016 Protection. hours of 10 a.m. and 5 p.m. eastern
is requested under the authority of the ACTION: Notice and request for standard time. You can make an
Marine Mammal Protection Act of 1972, information. appointment to inspect the documents
as amended (16 U.S.C. 1361 et seq.), the by telephoning 202–435–7275.
regulations governing the taking and SUMMARY: The Dodd-Frank Wall Street All submissions, including
importing of marine mammals (50 CFR Reform and Consumer Protection Act attachments and other supporting
part 216), the Endangered Species Act of (Dodd-Frank Act) provides for consumer materials, will become part of the public
1973, as amended (16 U.S.C. 1531 et rights to access financial account and record and subject to public disclosure.
seq.), and the regulations governing the account-related data in usable electronic Sensitive personal information, such as
taking, importing, and exporting of form. The Bureau of Consumer account numbers or Social Security
endangered and threatened species (50 Financial Protection (Bureau or CFPB) is numbers, or names of other individuals,
CFR 222–226). seeking comments from the public about should not be included. Submissions
consumer access to such information, will not be edited to remove any
Permit No. 18016, issued on May 29, including access by entities acting with
2014 (79 FR 41991), authorizes the identifying or contact information.
consumer permission, in connection
permit holder to conduct vessel surveys with the provision of products or FOR FURTHER INFORMATION CONTACT: For
in Cook Inlet, Alaska for photo- services that make use of that general inquiries, submission process
identification and observations of Cook information. Submissions to this questions or any additional information,
Inlet beluga whales (Delphinapterus Request for Information will assist please contact Monica Jackson, Office of
leucas). The purpose of the research is market participants and policymakers to the Executive Secretary, at 202–435–
to identify individual whales and to develop practices and procedures that 7275.
provide information about movement enable consumers to realize the benefits Authority: 12 U.S.C. 5511(c); 12 U.S.C.
patterns, habitat use, survivorship, associated with safe access to their 5512(c).
reproduction, and population size. The financial records, assess necessary
permit holder is requesting the permit consumer protections and safeguards, SUPPLEMENTARY INFORMATION: The
be amended to increase the number of and spur innovation. Bureau is seeking public comment
whales that may be approached during through this Request for Information
DATES: Comments must be received on
surveys from 72 to 340 whales annually. (RFI) to better understand the consumer
or before February 21, 2017. benefits and risks associated with
Animals may be taken up to 10 times
per year during surveys. The ADDRESSES: You may submit responsive market developments that rely on access
amendment is needed to increase the information and other comments, to consumer financial account and
effectiveness of photo-identification identified by Docket No. CFPB–2016– account-related information. This RFI
studies and to decrease the total time 0048, by any of the following methods: generally refers to such information as
spent operating the survey boat around • Electronic: Go to http:// ‘‘consumer financial account data.’’ 1 It
whales. No other details of the permit www.regulations.gov. Follow the further refers to consumer access to
would change. instructions for submitting comments. such information, including access by
• Email: FederalRegisterComments@ entities acting with consumer
In compliance with the National cfpb.gov. Include Docket No. CFPB–
Environmental Policy Act of 1969 (42 permission, as ‘‘consumer-
2016–0048 in the subject line of the permissioned’’ access. The RFI also
U.S.C. 4321 et seq.), an initial message.
determination has been made that the labels account information that is
• Mail: Monica Jackson, Office of the obtained via consumer-permissioned
activity proposed is categorically Executive Secretary, Consumer
excluded from the requirement to access as ‘‘consumer-permissioned
Financial Protection Bureau, 1700 G account data.’’
prepare an environmental assessment or Street NW., Washington, DC 20552.
sradovich on DSK3GMQ082PROD with NOTICES
environmental impact statement. • Hand Delivery/Courier: Monica 1 The RFI sometimes distinguishes ‘‘consumer
Concurrent with the publication of Jackson, Office of the Executive financial account data’’ from ‘‘non-financial’’
this notice in the Federal Register, Secretary, Consumer Financial consumer account data, the latter being held by
NMFS is forwarding copies of this Protection Bureau, 1275 First Street NE., companies that offer consumers non-financial
products and services. The RFI uses the term
application to the Marine Mammal Washington, DC 20002. ‘‘consumer account data’’ to refer collectively to
Commission and its Committee of Instructions: Please note the number both kinds of consumer account data, financial and
Scientific Advisors. associated with any question to which non-financial.
VerDate Sep<11>2014 16:52 Nov 21, 2016 Jkt 241001 PO 00000 Frm 00010 Fmt 4703 Sfmt 4703 E:\FR\FM\22NON1.SGM 22NON1](https://thefederalregister.org/doc/81_FR_84031/page/1.svg)
![Federal Register / Vol. 81, No. 225 / Tuesday, November 22, 2016 / Notices 83807
The information obtained in response enforce consumer financial law ‘‘for the protections include limitations on the
to this RFI may help industry develop purpose of ensuring that all consumers use of such information, limitations on
best practices to deliver benefits to have access to markets for consumer the disclosure of such information to
consumers and address potential financial products and services and that third parties, and requirements relating
consumer harms. It may also help the markets for consumer financial products to the security of such information.7
Bureau in prioritizing resources. For and services are fair, transparent, and Other protections include limitations on
example, the Bureau may use the competitive.’’ 3 Congress further consumer liability if a consumer’s
information obtained to evaluate instructed the Bureau to exercise its information is lost or stolen and the
whether any guidance or other action by authorities so that ‘‘markets for consumer suffers a loss from
the Bureau is called for, including consumer financial products and unauthorized use or an erroneous
future rulemaking. services operate transparently and electronic debit.8 The Bureau also has
The Bureau encourages comments efficiently to facilitate access and authority under Title X to take action to
from all members of the public. The innovation.’’ 4 prevent covered persons and service
Bureau anticipates that the responding The Bureau has jurisdiction with providers from committing or engaging
public may encompass the following respect to a number of Federal statutes in unfair, deceptive, or abusive acts or
groups, some of which may overlap in and regulations that establish rights and practices (UDAAPs). An entity’s
part: protections related to consumer consumer data privacy or security
• Individual consumers; financial account-related information. practices can violate UDAAP
• Consumer and civil rights groups; These well-established statutory and standards.9
• Privacy advocates; regulatory frameworks cover a broad
• Consumer financial product and range of entities, including traditional Consumer-Permissioned Access to
service providers that control or possess providers of consumer financial Consumer Financial Account
data about consumer use of their products and services and newer Information
products and services (for purposes of entrants. In some cases, they may cover
this RFI, ‘‘consumer financial account In the context of this existing
service providers to such entities as statutory and regulatory landscape,
providers’’); well.
• Consumer financial product and Many of these frameworks impose
section 1033 of the Dodd-Frank Act
service providers that rely, at least in provides for consumer rights to access
requirements that consumer financial information.10 More specifically, section
part, on consumer-permissioned access account providers disclose certain
to consumer financial account data (for 1033 requires that ‘‘[s]ubject to rules
information to their customers about prescribed by the Bureau, a covered
purposes of this RFI, ‘‘consumer- their accounts. Disclosure requirements
permissioned providers’’ or person shall make available to a
may include, for example, periodic consumer, upon request, information in
‘‘permissioned parties’’); 2 statements with account information on
• Entities that obtain consumer transactions and fees or disclosures
the control or possession of such person
financial account data directly from concerning the consumer financial
about the collection, sharing, use, and product or service that the consumer
consumer financial account providers protection of consumers’ non-public
for consumer-permissioned providers obtained from such covered person,
personal information.5 A consumer also including information relating to any
(for purposes of this RFI, ‘‘account has the right to access information about
aggregators’’); transaction, or series of transactions, to
himself or herself held by certain
• Consumer reporting agencies; the account including costs, charges,
• Data brokers, processors and entities, such as information in a
platform providers; consumer reporting agency’s file on the 7 See, e.g., Fair Credit Reporting Act, 15 U.S.C.
• Regulators; consumer.6 1681 through 1681x, Gramm-Leach-Bliley Act, 15
• Providers of non-financial These and other legal frameworks also U.S.C. 6801 through 6809, and their implementing
consumer products and services that establish substantive consumer regulations.
8 TILA, as implemented by Regulation Z, protects
may have knowledge of or experience in protections with respect to certain types
credit card consumers from unauthorized credit
the use of consumer-permissioned of consumer information. Such card use. See TILA section 133; 15 U.S.C. 1643; 12
account data to provide products and 3 12
CFR 1026.12(b). EFTA, as implemented by
U.S.C. 5511(a). Regulation E, does the same with respect to EFTs.
services to consumers; 4 12 U.S.C. 5511(b)(5). See EFTA section 909(a); 15 U.S.C. 1693g(a); 12
• Participants in non-U.S. consumer 5 See, e.g., Regulation Z, 12 CFR 1026.5(b)(2) and CFR 1005.6(b)(2).
markets with knowledge of or 1026.7(b) (implementing the Truth in Lending Act 9 In March 2016 the Bureau entered into a consent
experience in the use of consumer- with respect to periodic statements for credit cards); order with a provider of a consumer-facing, online
permissioned account data to provide Regulation E, 12 CFR 1005.9(b) (implementing the payment network. Among other things, the Bureau
Electronic Fund Transfer Act with respect to found that the entity falsely represented to
products and services to consumers; and periodic statements for traditional bank accounts consumers that it employed reasonable and
• Any other interested parties. and other consumer asset accounts); Regulation DD, appropriate measures to protect data obtained from
12 CFR 1030.6(a)(3) (implementing the Truth in consumers from unauthorized access. (See http://
Part A: Regulatory Framework Saving Act with respect to periodic statements for files.consumerfinance.gov/f/201603_cfpb_consent-
Applicable to Consumer-Permissioned deposit accounts held at depository institutions); order-dwolla-inc.pdf.) Relying on section 5 of the
Access to Account Information Gramm-Leach Bliley Act, 15 U.S.C. 6803, and its Federal Trade Commission Act, which makes
implementing regulations. Further, on October 5, unlawful all ‘‘unfair or deceptive acts or practices
General Background 2016, the Bureau issued a final rule amending in or affecting commerce,’’ see 15 U.S.C. 45(a)(1),
Regulations E and Z for prepaid accounts. For the FTC has also taken action against companies
In the Dodd-Frank Act, Congress prepaid accounts, the final rule provides that as an that fail to take reasonable measures to protect the
sradovich on DSK3GMQ082PROD with NOTICES
instructed the Bureau to implement and alternative to providing the periodic statement, a security of consumer data. See, e.g., FTC Matter/
financial institution must, among other things, File Numbers 1023142–X120032 (Wyndham
2 For purposes of this RFI, consumer- make an electronic history of a consumer’s account Worldwide Corporation); 052–3148 (CardSystems
permissioned providers are third-party providers. transactions available to the consumer that covers Solutions, Inc.); 052–3136 (Superior Mortgage
Thus, consumer financial account providers do not at least 12 months preceding the date the consumer Corp.); 052–3096 (DSW Inc.); 052–3117 (Nations
themselves count as consumer-permissioned electronically accesses the account. The Title Agency, Inc.); 062–3057 (Guidance Software,
providers by virtue of using the account data that requirement will become effective on October 1, Inc.); 072–3046 (Life is good, Inc.); 072–3055 (TJX
they already hold to deliver additional services to 2017. Companies); and 052–3094 (Reed Elsevier, Inc.).
customers. 6 Fair Credit Reporting Act, 15 U.S.C. 1681g(a). 10 12 U.S.C. 5533.
VerDate Sep<11>2014 16:52 Nov 21, 2016 Jkt 241001 PO 00000 Frm 00011 Fmt 4703 Sfmt 4703 E:\FR\FM\22NON1.SGM 22NON1](https://thefederalregister.org/doc/81_FR_84031/page/2.svg)
![83808 Federal Register / Vol. 81, No. 225 / Tuesday, November 22, 2016 / Notices
and usage data.’’ 11 Section 1033 further supplement their use of existing in- data through either: (1) A structured
provides that the information must be in house data for online advisory and data feed or an application program
an electronic form usable by the account management services.14 Over interface (API) hosted by the company
consumer, although it does not impose time, however, newer entrants have also or financial institution, or (2) the
any duty to maintain or keep any begun to provide products and services company or financial institution’s
information about a consumer. to consumers using consumer- consumer-facing Web site in a process
Additionally, section 1033 applies only permissioned, electronically-sourced known as screen-scraping.17 If an
to information that the consumer account data.15 account aggregator is an intermediary in
financial account data holder can Some consumer-permissioned this process, it will generally transmit
‘‘retrieve in the ordinary course of its providers have used their own the consumer’s data to permissioned
business with respect to that proprietary technology solutions to parties through an API. The Bureau
information.’’ 12 access data from consumer financial understands that account aggregators, as
account providers. However, given the well as product and service providers
Part B: Current Market Practices in large number of potential data sources
Connection With Consumer- that use consumer-permissioned data,
and the transaction costs associated sometimes store consumer account data
Permissioned Access to Account with obtaining consumer account data
Information for a range of uses, including those
(sometimes on a recurring basis), other discussed further below. In addition,
General Market Practice providers have relied on third-party they sometimes obtain updated
In recent years, the availability of ‘‘account aggregators’’ to provide the consumer account data on a recurring
consumer financial account data in necessary technology. (Some entities basis.
electronic form, often in real-time or have provided both account aggregation
services to third parties and direct Consumer Benefits From Specific
near-real-time, has made possible a
services to consumers using Market Uses
range of benefits to consumers. When
made readily available, such data foster permissioned data.) In either case, the The Bureau is aware of a number of
consumer convenience, and they can process of accessing consumer account types of products and services provided
help consumers understand and control data is often referred to as account or to consumers that make use of consumer
their financial lives, make useful data aggregation.16 financial account data on a consumer-
decisions, monitor spending and debt, Technology advances have facilitated permissioned basis, including the
set and achieve savings goals, the development of aggregation services following:
communicate effectively with their and the associated delivery of products • Personal financial management:
financial service providers, and solve and services that rely on consumer Many personal financial management
financial problems in timely ways.13 account data access. The Bureau (PFM) tools allow consumers to view
Many providers of consumer financial understands that methods to access their account information from many
products and services, from traditional consumer account data—and to obtain accounts and financial service providers
providers like banks and credit unions consumer permission to do so—are in a single, consolidated view.
to newer entrants such as online technically complex and actively • Automatic or motivational savings:
lenders, make available to consumers evolving. To enable access, consumers Some companies provide automatic
extensive electronic data about their are often prompted to provide their savings mechanisms for consumers to
accounts at that firm. Many consumers, online account credentials, including choose as well as messages to encourage
however, maintain accounts with user name and password, and other savings. These companies may use
several financial service providers. As a forms of authentication such as algorithms that rely on permissioned
result, by the late 1990s, market knowledge-based security questions. account data to determine how much a
participants began to offer consumers Depending on the product or service,
consumer can afford to save or, at the
services that depended, at least in part, consumers may be asked to permit
transaction level, to ‘‘round-up’’
on broader, consumer-permissioned access only to a single account with an
transaction amounts to the next dollar
access to data across a consumer’s individual company or financial
and save the remainder.
institution, or to multiple accounts held
financial accounts—sometimes • Budgeting analysis and advice:
by a number of financial institutions
combined with other information about Many providers allow consumers to set
and other companies.
the consumer. Traditional account budgets and analyze their spending
Typically, consumers provide their
providers like banks have been the account credentials for a particular activity based on the classification of
predominant users of such consumer company or financial institution where transaction data into categories like
account data. By obtaining data about they hold an account. Those credentials entertainment, food, and health care.
the consumers’ other accounts, banks are then used to obtain their account Some services send a mobile or email
and other traditional market notification when a consumer is over-
participants have been able to 14 As far back as 2001, the Office of the budget or close to being over-budget.
Comptroller of the Currency (OCC) issued guidance Consumers may be provided with other
11 12 U.S.C. 5533(a). The Dodd-Frank Act defines to depository institutions under its supervision budgetary advice based on analysis of
‘‘covered person’’ in detail at 12 U.S.C. 5481(6). The about using third parties to provide data aggregation their transaction data, including
Act defines a ‘‘consumer’’ as ‘‘an individual or an services. See Office of the Comptroller of Currency,
agent, trustee, or representative acting on behalf of OCC Bulletin 2001–12, Bank-Provided Account comparisons with peer groups.
an individual.’’ 12 U.S.C. 5481(4). Aggregation Services (February 28, 2001), available
12 See id., 5533(c), & 5533(b)(4). Section 1033 at https://www.occ.gov/news-issuances/bulletins/ 17 For example, Yodlee, an account aggregator,
sradovich on DSK3GMQ082PROD with NOTICES
contains a number of other exceptions. See 2001/bulletin-2001-12.html#. reports that 75 percent of the data it aggregates from
5533(b)(1)–(3). In addition, it requires the Bureau to 15 See, e.g., https://www.mint.com/terms (‘‘The
over 14,500 sources is collected through structured
prescribe standards to promote the development Mint Service is a personal finance information feeds from its financial institution customers and
and use of standardized formats for information to management service that allows you to consolidate other financial institutions. See Envestnet, 2015
be made available to consumers, including through and track your financial information. The Mint Annual Report, at 14 (Feb. 29, 2016), available at
the use of machine readable files. See 5533(d). Service is provided to you by Intuit without http://ir.envestnet.com/
13 See, e.g., Aite Group, Personal Financial charge[.]’’) Intuit is Mint’s parent company. phoenix.zhtml?c=235783&p=irol-IRHome. Yodlee
Management: A Platform for Customer Engagement 16 This RFI generally uses the terms ‘‘account was an independent company until it was acquired
(Feb. 24, 2010). aggregation’’ or ‘‘aggregation.’’ by Envestnet in 2015.
VerDate Sep<11>2014 16:52 Nov 21, 2016 Jkt 241001 PO 00000 Frm 00012 Fmt 4703 Sfmt 4703 E:\FR\FM\22NON1.SGM 22NON1](https://thefederalregister.org/doc/81_FR_84031/page/3.svg)
![Federal Register / Vol. 81, No. 225 / Tuesday, November 22, 2016 / Notices 83811
data to them? Do consumer financial SUMMARY: The Bureau of Consumer (unless otherwise stated), though some
account providers perform any ongoing Financial Protection (CFPB) is issuing completion dates may vary. Please
vetting of account aggregators or its thirteenth edition of its Supervisory submit any questions or comments to
permissioned parties? If so, for what Highlights. In this issue of Supervisory CFPB_Supervision@cfpb.gov.
purposes and using what procedures? Highlights, we report examination 2. Supervisory Observations
What are the associated impacts to findings in the areas of auto
consumers and to other parties? originations, automobile loan servicing, Recent supervisory observations are
17. What industry standards currently debt collection, mortgage origination, reported in the areas of automobile loan
exist, in development or otherwise, to student loan servicing, and fair lending. origination, automobile loan servicing,
enable consumer-permissioned access to As in past editions, this report includes debt collection, mortgage origination,
financial account data? information about a recent public mortgage servicing and student loan
enforcement action that was a result, at servicing. Worthy of note are the
Potential Market Developments beneficial practices centered on good
least in part, of our supervisory work.
18. What changes are or may be The report also includes information on compliance management systems (CMS)
expected to happen to any market recently released examination found during the period under review in
practice described in response to procedures and Bureau guidance. the areas of automobile loan origination
questions 1 through 17, why, and with DATES: The Bureau released this edition
(2.1.1), debt collection (2.3.7), and
what impacts to consumers, consumer of the Supervisory Highlights on its Web mortgage origination (2.4.1).
financial account providers, site on October 31, 2016. 2.1 Automobile Origination
permissioned parties, and account
FOR FURTHER INFORMATION CONTACT: The Bureau’s rule defining larger
aggregators? Responses to this question
Adetola Adenuga, Consumer Financial participants in the auto loan market
may be integrated into responses to
Protection Analyst, Office of went into effect in August 2015.1 The
questions 1 through 17 if commenters
Supervision Policy, 1700 G Street NW., consequence was that the Bureau now
prefer.
20552, (202) 435–9373. has supervisory authority over auto
19. What changes should happen to
any market practice described in SUPPLEMENTARY INFORMATION: lending not only by the largest banks,
response to questions 1 through 18, 1. Introduction but also by various other large financial
why, and with what impacts to companies. Examinations completed in
In this thirteenth edition of the period under review focused on
consumers, consumer financial account
Supervisory Highlights, the Consumer assessing CMS and automobile
providers, permissioned parties, and
Financial Protection Bureau (CFPB) financing practices to determine
account aggregators? Responses to this
shares recent supervisory observations whether entities are complying with
question also may be integrated into
in the areas of automobile loan applicable Federal consumer financial
responses to questions 1 through 17 if
origination, automobile loan servicing, laws.
commenters prefer.
20. Are ‘‘industry standard’’ practices debt collection, mortgage origination,
mortgage servicing, student loan 2.1.1 CMS Strengths
that provide consumers with data access
comparable to that envisioned by servicing and fair lending. The findings During the period under review at one
section 1033 of the Dodd-Frank Act reported here reflect information or more entities, examiners determined
likely to be broadly adopted by obtained from supervisory activities that the overall CMS of their automobile
consumer financial account providers, completed during the period under loan origination business was strong for
permissioned parties and account review. Corrective actions regarding its size, risk profile, and operational
aggregators in the absence of regulatory certain matters remain in process at the complexity. These institutions
action? If not, how will ‘‘industry time of this report’s publication. effectively identified inherent risks to
CFPB supervisory reviews and consumers and managed consumer
standard’’ practices be insufficient?
examinations typically involve compliance responsibilities. They
What marketplace considerations are
assessing a supervised entity’s maintained: Strong board and
likely to bear on such developments?
compliance with Federal consumer management oversight; policies and
Generally, how will the advent of
financial laws. When Supervision procedures to address compliance with
standard practices for consumer-
examinations determine that a all applicable Federal consumer
permissioned access to consumer
supervised entity has violated a statute financial laws relating to automobile
financial account data affect
or regulation, Supervision directs the loan origination; current and complete
competition and innovation in various
entity to implement appropriate compliance training designed to
consumer financial service markets?
corrective measures, such as refunding reinforce policies and procedures;
Dated: November 14, 2016. moneys, paying of restitution, or taking adequate internal controls and
Richard Cordray, other remedial actions. Recent monitoring processes with timely
Director, Bureau of Consumer Financial supervisory resolutions have resulted in corrective actions where appropriate;
Protection. total restitution payments of and processes for appropriately
[FR Doc. 2016–28086 Filed 11–21–16; 8:45 am] approximately $11.3 million to more escalating and resolving consumer
BILLING CODE 4810–25–P than 225,000 consumers during the complaints and analyzing them for root
review period. Additionally, CFPB’s causes, patterns or trends.
supervisory activities have either led to These entities also showed strength in
BUREAU OF CONSUMER FINANCIAL
sradovich on DSK3GMQ082PROD with NOTICES
or supported two recent public their oversight programs for service
PROTECTION enforcement actions, resulting in over providers. In particular, they defined
$28 million in consumer remediation processes that outlined the steps to
Supervisory Highlights: Fall 2016 and an additional $8 million in civil assess due diligence information, and
AGENCY: Bureau of Consumer Financial money penalties. their oversight programs varied
Protection. This report highlights supervision- commensurate with the risk and
related work generally completed
ACTION: Supervisory highlights; notice.
between May 2016 and August 2016 1 12 CFR 1090.108.
VerDate Sep<11>2014 16:52 Nov 21, 2016 Jkt 241001 PO 00000 Frm 00015 Fmt 4703 Sfmt 4703 E:\FR\FM\22NON1.SGM 22NON1](https://thefederalregister.org/doc/81_FR_84031/page/6.svg)
Document Created: 2018-02-14 08:29:05
Document Modified: 2018-02-14 08:29:05
| Category | Regulatory Information | |
| Collection | Federal Register | |
| sudoc Class | AE 2.7: GS 4.107: AE 2.106: | |
| Publisher | Office of the Federal Register, National Archives and Records Administration | |
| Section | Notices | |
| Action | Notice and request for information. | |
| Dates | Comments must be received on or before February 21, 2017. | |
| Contact | For general inquiries, submission process questions or any additional information, please contact Monica Jackson, Office of the Executive Secretary, at 202-435-7275. | |
| FR Citation | 81 FR 83806 |
2025 Federal Register | Disclaimer | Privacy Policy
USC | CFR | eCFR