It’s been a busy year for the Consumer Financial Protection Bureau (CFPB) and its efforts to expand its data collection authority under the Dodd-Frank Act.
From Section 1071’s small-business loan data collection and reporting requirements to Section 1033’s provisions on sharing consumer financial data, the CFPB has used its rulemaking authority to create onerous new requirements for community banks—and ICBA has been pushing back throughout.
ICBA’s biggest victory came in October, in partnership with the Independent Bankers Association of Texas (IBAT) and Texas First Bank, when the U.S. District Court for the Southern District of Texas expanded its injunction delaying implementation of Section 1071 of the Dodd-Frank Act to all community banks and covered institutions in the U.S. until after the Supreme Court decides on the constitutionality of the CFPB’s funding structure in CFPB v. CFSA. A decision in that case is expected in the Supreme Court’s spring 2024 term.
Opposing Section 1071
ICBA has long opposed the 1071 small-business data collection and reporting requirements. As ICBA noted in March 2023, when the CFPB finalized its rule, this ruling goes beyond the intent of Congress, collecting more than double the number of congressionally mandated data points and creating an onerous burden for community banks. It also has an overly broad definition of small businesses, defining them as those with more than $5 million in gross annual revenue.
This ruling goes beyond the intent of Congress, collecting more than double the number of congressionally mandated data points and creating an onerous burden for community banks.
While the CFPB heard ICBA’s repeated requests throughout the rulemaking process to stagger implementation dates and includes a phased-in implementation approach, it still doesn’t provide enough time for financial institutions to implement the complex data collection effort. ICBA has told the CFPB that it needs to provide at least three years for financial institutions to comply to allow for good-faith compliance.
Community banks also need a 12-month grace period after the compliance date because the rule will impose an entirely new compliance environment for many.
ICBA staunchly opposes 1071 data collection and encourages the CFPB to:
Exclude community banks with assets of $1.3 billion or less
Define small businesses as those with $1 million or less in gross annual revenue
By ensuring more than 90% of small-business loans are captured, ICBA believes these updates will allow the CFPB to meet Dodd-Frank Act objectives while limiting the rule’s negative impact on small-business access to credit.
ICBA is working with policymakers to enact relief from 1071. In October, the Senate passed an ICBA-advocated resolution to nullify the CFPB’s 1071 small-business data collection and reporting requirements by a vote of 53–44. The House Financial Services Committee also voted 29–21 to advance a similar resolution blocking the 1071 rule.
Challenging Section 1033 rulemaking
In October, the CFPB released a proposal to implement standards for sharing consumer financial data under Section 1033 of the Dodd‑Frank Act, which gives consumers the right to access their financial records in electronic form. The proposal staggers compliance deadlines according to four tiers based on data providers’ size, technology and use of third-party service providers and legacy systems. Compliance dates would range from six months to four years after publication of the final rule in the Federal Register.
ICBA fully supports consumers’ rights to have access to their own information and supports responsible financial services innovation. However, ICBA has concerns about consumer privacy and data security.
The proposed rule would require community banks to make certain data relating to consumer transactions and accounts available to consumers and authorized third parties. ICBA is concerned that nonbank entities—which access customer information and store bank login credentials—don’t take the same care in protecting consumer privacy and data as community banks do. These nonbank entities that access customer account data are the weak link, posing a real threat of data breaches and consumer harm, and should be the focus of the CFPB’s proposal.
ICBA communicated initial concerns in a comment letter in January, soon after the CFPB announced plans to implement the rule. ICBA remains opposed to 1033 data collection efforts, encouraging the CFPB to limit data requirements that might harm consumers and banks, create safe harbors for community banks and focus on holding nonbank entities to the same level of data standards as community banks.
The road ahead
ICBA will continue to make its case to the CFPB on Section 1033, submitting additional feedback advocating for community banks. Comments on the proposal are due by Dec. 29.
In addition, ICBA will continue to be a voice for all community banks and pursue 1071 relief via legislative, judicial and regulatory channels action while encouraging the CFPB to use its authority to exempt community banks from onerous data collection requirements.