Newsroom

March 16, 2023

CFPB seeks insights into data broker practices

CFPB logoThe CFPB issued a request for information (RFI) Wednesday to better understand data broker business practices, including those that contribute to consumer harms or abuses. While credit unions do not act as data brokers, NAFCU will review the RFI and provide comments to the CFPB as it relates to the bureau’s implementation of section 1033 of the Dodd-Frank Act.

The RFI defines data brokers as firms that collect, aggregate, sell, resell, license, or otherwise share consumers’ personal information with other parties, such as those that specialize in preparing employment background screening reports and credit reports.

The request noted that “[g]overnment agencies, technology and privacy experts, financial institutions, consumer advocates, and others have identified numerous consumer harms and abuses related to the operation of data brokers, including significant privacy and security risks, the facilitation of harassment and fraud, the lack of consumer knowledge and consent, and the spread of inaccurate information.” The bureau indicated it will use feedback from the RFI to inform its statutory duties, including planned rulemaking under the Fair Credit Reporting Act.

Under section 1033, the CFPB has avidly monitored the aggregation services market and has since identified the main participants as consumers, data holders, data users, and data aggregators. The bureau acknowledged that while the use of consumer financial data by these participants could lead to improved and innovative consumer financial products, there are still several data privacy and security concerns to consider.

Last year, NAFCU and other trades raised concerns about data aggregators as they “hold a tremendous amount of consumer financial data” and consumers are likely unaware of how data is collected, stored, or shared. The groups called on the CFPB to subject data aggregators to similar supervision as financial institutions to ensure they are complying with applicable laws.

NAFCU has advocated for the implementation of section 1033 in a way that ensures the security of consumer financial data and that provides a level playing field between credit unions and fintech companies. NAFCU previously sent a letter to the CFPB stating “the extent to which nonbank technology companies are gathering and exchanging potentially sensitive transaction information raises unique privacy concerns which the Bureau should address through direct supervision before proceeding with any effort to implement section 1033.”