
McHenry Highlights Similarities Between CFPB’s 1033 Proposal & Republicans’ Data Privacy Act of 2023
Urges revision of key secondary data provisions that would stifle innovation and harm consumers

Washington, December 18, 2023 -

The Chairman of the House Financial Services Committee, Patrick McHenry (NC-10), sent a comment letter to Consumer Financial Protection Bureau (CFPB) Director Rohit Chopra in response to the CFPB’s notice of proposed rulemaking that would implement Section 1033 of the Dodd Frank Wall Street Reform Act and Consumer Financial Protection Act of 2010. The proposed rule makes significant strides in updating existing data privacy regulations to meet the technological needs of the rapidly expanding financial services ecosystem. Additionally, Chairman McHenry is urging Director Chopra’s Bureau to revisit provisions within the proposed rule that would unduly restrict the use of secondary data, stifling innovation and ultimately harming consumers.

Read Chairman McHenry’s letter to Director Chopra here.

Read key excerpts from the letter below: 

“I write regarding the Consumer Financial Protection Bureau (CFPB)’s notice of proposed rulemaking (NPRM), Docket No. 2023-0052, which implements Section 1033 of the Dodd Frank Wall Street Reform and Consumer Financial Protection Act of 2010. I appreciate the CFPB’s work on the issue of data portability and open banking. Technological advances in our financial system have produced products and services that benefit consumers in numerous ways. Many of these products and services are predicated on accessing consumer data. Yet our statutes, regulations, and guidance have not kept pace with technology. The Gramm Leach Bliley Act (GLBA) has not been updated substantively in more than twenty years and Section 1033 was enacted more than a decade ago. It is time that Congress and the executive branch act to ensure our data privacy and security laws empower and protect consumers consistent with innovation.

Proposed Rule Makes Significant Strides

“The NPRM issued by the CFPB on October 19, 2023, makes significant strides in updating our privacy regulations. For example, the proposed rule includes requirements that consumers be made aware of where their data is held and how it is used. It would require that authorized third parties take certain steps to safeguard consumer data and ensure consumers are able to terminate the collection and use of their data in a more expedited fashion.

Recognized Exceptions to Consumer Control 

“Consumers must be empowered to make smarter decisions about the financial services and products they use. However, this control should be balanced with certain exceptions that protect proprietary information; protect the safety and soundness of our financial system; and allow law enforcement to investigate financial crimes. 

“The proposed rule recognizes the need to protect ‘confidential commercial information, including an algorithm used to derive credit scores or other risk scores or predictors’ from disclosure. This type of proprietary information is integral to a financial institution developing credit models and is fundamental to the broader credit market. The disclosure of confidential commercial information would be harmful to the safety and soundness of the financial system and the goals of section 1033.

Concerns with the Proposed Rule

“Notwithstanding the above, I have concerns that certain provisions of the rule would have negative, unintended consequences. The proposed rule unreasonably restricts secondary uses of consumer data, which will ultimately harm not just consumers, but the financial system more generally. We must ensure that our regulatory regimes do not create the perverse incentive of moving American innovation offshore.

“To that end, the CFPB should revisit the use of secondary data for such purposes, implementing either an opt in or opt out regime, as is included in other data protection laws, and the use of anonymized data for those purposes.

Permanence of Data Privacy Protections

“As I conveyed to you at our recent Committee hearing on November 29, 2023, at which you testified, to ensure our data privacy policy is not subject to the whims of any given administration, I believe it’s critical that we make law—not just regulation. I hope we can work constructively on this issue moving forward so Americans’ financial data privacy is protected for the long term.”

