On October 27, 2022, the Consumer Financial Protection Bureau (the "CFPB") issued an outline of proposals and alternatives under consideration (the "Outline")1 for its rulemaking to implement section 1033 of the Dodd–Frank Wall Street Reform and Consumer Protection Act, 12 U.S.C. § 5533 ("Section 1033"). Section 1033 requires covered persons within the meaning of the Consumer Financial Protection Act of 2010 ("CFPA")2 to provide to consumers upon request information in the covered person's control or possession concerning the consumer's financial product or service with the covered person.3 Under the Small Business Regulatory Enforcement Fairness Act of 1996 ("SBREFA"), the CFPB is required to convene a small business review panel to collect advice and recommendations from small entity representatives.4 The Outline is intended to facilitate that process by providing an overview of the proposals being considered by the CFPB.

The Outline is the latest in the CFPB's steps toward promulgating a rule to implement Section 1033, following its February 2020 symposium with industry stakeholders and its November 2020 Advance Notice of Proposed Rulemaking ("ANPR").5 The CFPB will still need to promulgate a proposed rule, go through a formal comment period and put forward a final rule. The Outline provides insight on the CFPB's development of the rule and is thus a valuable tool to the broader market of providers of consumer financial products and services.

The Outline is divided into seven sections, which can be organized into two general categories: (i) substantive requirements including who is subject to the rule, to whom they must provide information and what information they must provide; and (ii) procedural requirements including how information should be made available, thirdparty obligations and record retention guidelines.6 Here, we focus on both the substantive and procedural requirements while providing commentary on the impact of the proposals from an industry perspective.


Who Is Covered by the Rule?

At the outset, the CFPB is considering limiting those subject to the rule to entities that meet either the definition of "financial institution" under Regulation E7 or "card issuer" under Regulation Z8 (collectively, "Covered Data Providers"). The Outline indicates that the CFPB intends to prescribe rulemaking that will subject other covered persons to Section 1033 in the future (e.g., government benefit accounts, other providers of credit products). Specifically, under the CFPB's current proposal:

  • Financial institutions would include banks, credit unions and other persons that directly or indirectly hold an account of a consumer and persons that issue an access device and agree with a consumer to provide electronic fund transfer ("EFT") services. The financial institution would only be a Covered Data Provider with regard to qualifying accounts and access devices it issues.
  • Card issuers would include persons that issue credit cards and their agents with respect to the card. A card issuer would only be a Covered Data Provider with respect to a "credit card account under an open-end (not home-secured) consumer credit plan"; however, a card issuer that does not hold consumer credit card accounts but that issues credit cards would be a Covered Data Provider with respect to the consumer credit card transactions it processes.

The CFPB may consider exemptions to the rule for certain financial institutions or card issuers, based on factors such as asset size and/or the number of accounts, but the Outline does not provide any specific proposals in this regard.


  • Smaller financial institutions or those less active in the consumer product space should consider whether to advocate during the formal rulemaking process for exemptions from the eventual proposed rule.
  • However, entities not subject to the current rulemaking should nevertheless remain attuned to the requirements because the CFPB has indicated an interest in eventually expanding the scope of covered persons subject to the rule.

To Whom Must Information Be Made Available?

Section 1033 requires that Covered Data Providers make information available to consumers including individuals and agents, trustees or representatives acting on behalf of an individual consumer (referred to as "third parties").9 However, a Covered Data Provider is only required to make the information available if it believes the party has authorization.

Evidence Reflecting Consumer Authorization

The CFPB is considering proposing that a Covered Data Provider be required to make information available to a consumer if it can reasonably authenticate the consumer's identity and reasonably identify the information requested.

Evidence Reflecting Third Parties' Authorization

To protect against fraudulent attempts by third parties to access consumer data, the CFPB is considering proposing that a Covered Data Provider would only need to make information available, upon request, when it receives (i) information sufficient to authenticate the identity of the third party, (ii) evidence of consumer authorization (discussed directly below) and (iii) information identifying the scope of information requested.

The CFPB expects to set specific standards through which a Covered Data Provider can determine which third parties are authorized to act on behalf of a consumer. The Outline lays out three components of sufficient third-party authorization: (1) an "authorization disclosure" provided by a third party to the consumer; (2) the consumer's informed, express consent to the key terms of access contained in the disclosure; and (3) a certification statement.

Authorization Disclosure. The authorization disclosure would need to disclose the general categories of information to be accessed, the name of the Covered Data Provider and accounts to be accessed, the duration and frequency of access, and how the user can revoke access. The disclosure would also need to describe the terms of use of the information, such as the intended recipients of the information (including any downstream parties) and the purpose for accessing the information. In terms of timing, the CFPB is considering requiring the disclosure to be provided close in time to when the information is requested (seemingly eliminating the possibility of satisfying this standard with an advance, blanket authorization).

Consumer Consent. The third party would be required to obtain consent from the consumer in written or electronic form, evidenced by the consumer's signature or electronic equivalent and may also be required to mail or electronically send a copy of the signed consent to the consumer.

Certification Statement. The third party would need to certify that it will abide by certain obligations regarding use, collection and retention of the consumer's information. (See Third-Party Obligations section below).


  • The disclosure and consent pieces of the authorization process could help ensure consumer authorization is informed and explicit.
  • Market participants may wish to consider whether any of the authorization requirements are extraneous or overly burdensome. For example, the certification statement may be redundant, as the Outline elsewhere recommends having collection, use and retention rules. Requiring disclosure close in time to when the information would be needed may also be burdensome for time-sensitive disclosures when consumers may be slow to consent.

To view the full article click here


1 Outline of Proposals and Alternatives Under Consideration, October 27, 2022, available at https://files.consumerfinance.gov/f/documents/cfpb_data-rights-rulemaking-1033-SBREFA_outline_2022- 10.pdf.

2 The CFPA defines "covered persons" as "(A) any person that engages in offering or providing a consumer financial product or service; and (B) any affiliate of a person described in subparagraph (A) if such affiliate acts as a service provider to such person." 12 U.S.C. § 5481(6).

3 In addition, under Section 1033, the CFPB must prescribe standards applicable to covered persons to promote the development and use of standardized formats for information to be made available to consumers. See 12 U.S.C. § 5533(d); Outline p.3.

4 The CFPB expects that outside of the financial industry, affected entities will include software publishers, data hosting services, payroll services and credit bureaus (among others). Outline p. 52.

5 See our previous discussion of the ANPR here.

6 The seven sections in the Outline are: (i) coverage of data providers who would be subject to the proposals; (ii) recipients of information; (iii) types of information covered; (iv) how/when information would need to be made available; (v) third-party obligations; (vi) record retention guidelines; and (vii) implementation period.

7 12 CFR 1005.2(i).

8 12 CFR 1026.2(a)(7).

9 The Outline does not address how requests for information should be treated when accounts are owned by multiple consumers, including when only one of the consumers requests information.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.