Friday, November 11, 2022

FYI: CFPB On Schedule With Consumer Data Privacy Rights Rulemaking Process

The Director of the Consumer Financial Protection Bureau (CFPB) recently announced at a fintech conference that the CFPB "will launch the process to activate a dormant authority under Section 1033 of the Consumer Financial Protection Act . . . [to] provide for personal financial data rights for Americans".


As background, § 1033[1] of the Consumer Financial Protection Act, a/k/a, the Dodd-Frank Act, generally allows a consumer access to transactional information that a business holds related to products or services that were provided to the consumer.


Specifically, § 1033(a) provides:


Subject to rules prescribed by the Bureau, a covered person shall make available to a consumer, upon request, information in the control or possession of the covered person concerning the consumer financial product or service that the consumer obtained from such covered person, including information relating to any transaction, series of transactions, or to the account including costs, charges and usage data. The information shall be made available in an electronic form usable by consumers.


Of course, the rulemaking process under § 1033 was actually "launched" six years ago when the CFPB issued a Request for Information, which was followed by an Advance Notice of Proposed Rulemaking in 2020 that received 100 comments.




Director Chopra's announcement was aligned with the Spring 2022 Unified Agenda that indicated the CFPB would issue a Small Business Regulatory Enforcement Fairness Act Outline ("Outline") in November 2022.  In fact, the CFPB ended up slightly ahead of schedule, issuing the Outline on Oct. 27.


The purpose of the Outline is "to assess the impact on small entities that would be directly affected by the proposals under consideration prior to issuing a proposed rule regarding section 1033."  The CFPB will convene a Small Business Review Panel to request and receive feedback from small entity representatives, and others may submit comments by Jan. 25, 2023.




The Outline consists of 149 questions on these topics:


-  Coverage of data providers subject to the proposals under consideration

-  Recipients of information

-  The types of information a covered data provider would be required to make available

-  How and when information would need to be made available

-  Third party obligations

-  Record retention obligations

-  Implementation period

-  Potential impacts on small entities




The CFPB is proposing rules that would require a defined subset[2] of covered persons[3] that are data providers[4] to make consumer financial information available to a consumer or an authorized third party.[5],[6],[7],[8]


The CFPB is beginning with these covered persons, in part, "because they both implicate payments and transaction data," noting, however, that it "intends to evaluate how to proceed with regard to other data providers in the future."


Initially, as proposed, the rules would apply to this subset of covered persons:


Financial institutions with consumer "accounts" as defined in Regulation E,[9] such as banks, credit unions and other entities holding consumer asset accounts; and

"Card issuers" as defined in Regulation Z.[10]


Regarding entities that meet the Regulation E definition, the CFPB identifies:


-  Banks and credit unions that directly or indirectly hold a consumer asset account (including a prepaid account);

-  Other persons that directly or indirectly hold an asset account belonging to a consumer (including a prepaid account); and

-  Persons that issue an access device and agree with a consumer to provide electronic fund transfer (EFT) services (including mobile wallets and other electronic payment products).


Regarding entities that meet the Regulation Z definition, the CFPB identifies:


-  Issuers of a credit card account under an open-end (not home-secured) consumer credit plan (as defined in Regulation Z § 1026.2(a)(15)(ii)), i.e., a credit card account under an open-end (not home-secured) consumer credit plan is any open-end credit account that is accessed by a credit card; and

-  Issuers that do not hold consumer credit card accounts, but that issue credit cards, such as by issuing digital credential storage wallets, notwithstanding that those transactions rely on consumer credit card accounts held at another entity.


The CFPB is also considering exempting some data providers from a requirement to make data available via data portals based on thresholds, such as asset size of activity level.




The CFPB is proposing that "a covered data provider would satisfy its obligation to make information available directly to a consumer by making the information available to the consumer who requested the information or all the consumers on a jointly held account."  This section includes a discussion of third-party authorization requirements.




The CFPB proposes covered data providers would make available the following types of information:


-  Periodic statement information for settled transactions and deposits, such as generally appear for asset and credit card accounts;

-  Information regarding prior transactions and deposits that have not yet settled, such as transaction histories commonly made available through online management portals;

-  Other information about prior transactions not typically shown on periodic statements or portals, such as data from payment networks;

-  Online banking transactions that the consumer has set up but that have not yet occurred, such as with bill pay services;

-  Account identity information, but balancing it with concerns about fraud, privacy, and security; and

-  Other information, such as:

          -  Consumer reports from consumer reporting agencies, such as credit bureaus, obtained and used by the covered data provider in deciding whether to provide an account or other financial product or service to a consumer;

          -  Fees that the covered data provider assesses in connection with its covered accounts;

          -  Bonuses, rewards, discounts, or other incentives that the covered data provider issues to consumers; and

          -  Information about security breaches that exposed a consumer's identity or financial information.




Regarding direct access to information by consumers, the CFPB proposes that "a covered data provider would be required to make available information if it has enough information to reasonably authenticate the consumer's identity and reasonably identify the information requested."  Also, with proper authentication, that "covered data providers would be required to allow consumers to export the information covered by the proposals under consideration in both human and machine-readable formats."


The CFPB seeks input regarding consumer identity authentication, fees, included data elements, and data formats.


Related proposals regarding third-party access include:


-  Third-party portals that do not require an authorized third party to possess or retain consumer credentials;

-  Requirements to promote the availability, security, and accuracy of information made available to authorized third parties, including establishment of a general framework under which industry-set standards and guidelines can further develop;

-  Third-party portal requirements related to factors affecting the quality, timeliness, and usability of the information;

-  Required policies and procedures or performance standards to ensure that the transmission of information through the covered data provider's third-party access portal does not introduce inaccuracies;

-  Requirements to make information available to a third party only upon receipt of a third party's authority to access information on behalf of a consumer, information sufficient to identify the scope of the information requested, and information sufficient to authenticate the third party's identity; and

-  Requirements and restrictions regarding the provision of information to third parties that is known to be inaccurate.




Here, the CFPB's proposals relate to the obligations of third parties, including:


-  Prohibiting the collection, use, or retention of consumer information beyond what is reasonably necessary to provide the product or service the consumer has requested;

-  Limitations on duration and frequency of information access;

-  Limitations on third parties' secondary use of consumer-authorized information;

-  Deletion of consumer information that is no longer reasonably necessary to provide the consumer's requested product or service, or upon the consumer's revocation of the third-party's authorization;

-  Compliance with the Safeguards Rule or Safeguards Guidelines, or development and implementation of security programs based on the third party's size and complexity and the nature of the data;

-  Requiring policies and procedures to ensure the accuracy of information collected and used;

-  Requiring periodic reminders to consumers on how to revoke authorization; and

-  Requiring a mechanism to request information about the extent and purposes of the authorized third party's access.




The CFPB is seeking feedback on its proposal for "record retention requirements for covered data providers and authorized third parties to demonstrate compliance with certain requirements of the rule."




The CFPB is seeking "input on an appropriate implementation period for complying with a final rule," and how the timeframe may need to take into consideration smaller entities' ability to operationalize the requirements.




A major part of this section is devoted to quantifying the number of small entities that may be affected by the proposals. The CFPB provides estimates for the following:


Small Depository Firms

Commercial Banking and Savings Institutions

Credit Unions

Small Nondepository Firms

Software Publishers

Data Processing, Hosting, and Related Services

Sales Financing

Consumer Lending

Real Estate Credit

Financial Transactions Processing, Reserve, and Clearinghouse Activities

Other Activities Related to Credit Intermediation

Investment Banking and Securities Dealing

Securities Brokerage

Commodities Contracts Brokerage

Payroll Services

Custom Computer Programming Services

Credit Bureaus




The concepts and proposals in the Outline are similar to the consumer rights contained in the data privacy laws passed in California, Virginia, Colorado, Utah, and Connecticut, with one major difference: there is no exemption for data or entities subject to the Gramm-Leach-Bliley Act.  Thus, businesses that fit the definition of a covered data provider and have previously relied in whole or in part on those GLBA exemptions should monitor this rulemaking closely and consider the new compliance challenges it will pose.


[1]  12 U.S.C. § 5533.


[2] "Covered data provider means a financial institution, as defined in Regulation E (EFTA), or a card issuer, as defined in Regulation Z (TILA), who is a data provider."  Outline, p. 66


[3] "The term 'covered person' means: (A) any person that engages in offering or providing a consumer financial product or service; and (B) any affiliate of a person described in subparagraph (A) if such affiliate acts as a service provider to such person."  12 U.S.C. § 5481(6).


[4] A "data provider" means a covered person, as defined under the Dodd-Frank Act (12 U.S.C. 5481(6)), with control or possession of consumer financial information. Outline, p. 66.


[5] "Third party refers, generally, to data recipients or data aggregators." Outline, p. 68.


[6] "Data recipient means a third party that uses consumer-authorized information access to provide (1) products or services to the authorizing consumer or (2) services used by entities that provide products or services to the authorizing consumer." Outline, p. 66.


[7] "Data aggregator (or aggregator) means an entity that supports data recipients and data providers in enabling consumer-authorized information access." Outline, p. 66.


[8] "Authorized third party means a third party who has followed the procedures for authorization described in part III.B.2." Outline, p. 66.


[9] "'Account' means a demand deposit (checking), savings, or other consumer asset account (other than an occasional or incidental credit balance in a credit plan) held directly or indirectly by a financial institution and established primarily for personal, family, or household purposes." 12 C.F.R. § 1005.2(b)(1).


[10] "Card issuer means a person that issues a credit card or that person's agent with respect to the card." 12 C.F.R. § 1026.2(a)(7).




Ralph T. Wutscher
Maurice Wutscher LLP
The Loop Center Building
105 W. Madison Street, 6th Floor
Chicago, Illinois 60602
Direct:  (312) 551-9320

Fax: (312) 284-4751

Mobile:  (312) 493-0874



Admitted to practice law in Illinois




Alabama   |   California   |   Florida   |   Illinois   |   Massachusetts   |   New Jersey   |   New York   |   Ohio   |   Pennsylvania   |   Tennessee   |   Texas   |   Washington, DC



CONFIDENTIALITY NOTICE:  This communication (including any related attachments) may contain confidential and/or privileged material.  Any unauthorized disclosure or use is prohibited.  If you received this communication in error, please contact the sender immediately, and permanently delete the communication (including any related attachments) and permanently destroy any copies.

IRS CIRCULAR 230 NOTICE:  To the extent that this message or any attachment concerns tax matters, it is not intended to be used and cannot be used by any taxpayer for the purpose of avoiding penalties that may be imposed by law.



Monday, November 7, 2022

FYI: Cal App Ct (4th Dist) Upholds Dismissal of Challenges to PACE Loans

The California Court of Appeal, Fourth Appellate District, recently held that a group of senior citizen consumers were required to pursue administrative remedies before suing private companies to challenge their tax assessments billed under the state's Property Assessed Clean Energy program (PACE).


In so ruling, the Fourth District upheld the trial court's dismissal of several putative class action complaints seeking "tax refunds, an injunction against future tax assessments, and removal of tax liens" relating to PACE loans.


A copy of the opinion is available at:  Link to Opinion


California enacted PACE as a method for homeowners to finance energy and water conservation improvements. A PACE debt is created by contract and secured by the improved property. But like a tax, the installment payments are billed and paid as a special assessment on the improved property, resulting in a first-priority tax lien in the event of default.


Classes of consumers in multiple putative class actions who were over 65 years old and entered into PACE contracts sued private companies who either made PACE loans to the consumers, were assigned rights to payment, and/or administered PACE programs for municipalities. The consumers alleged that the PACE financing was actually, and should have been treated as, a secured home improvement loan. The consumers also asserted that the companies engaged in unfair and deceptive business practices by violating consumer protection laws, including California Civil Code section 1804.1(j), which prohibits taking a security interest in a senior citizen's residence to secure a home improvement loan.


The defendant companies demurred to the complaints on the sole ground that the consumers failed to allege they first exhausted administrative remedies.


Generally, "a party must exhaust administrative remedies before resorting to the courts." Plantier v. Ramona Municipal Water Dist. (2019) 7 Cal.5th 372, 383. Additionally, the California Constitution gives the legislature exclusive control over the procedure under which a taxpayer may recover certain tax payments. Article XIII, section 32 provides: "After payment of a tax claimed to be illegal, an action may be maintained to recover the tax paid, with interest, in such manner as may be provided by the Legislature." It also specifies that "[t]he Legislature shall pass all laws necessary to carry out [its] provisions." Cal. Const., art. XIII, § 33.


​​Taxpayers have the right to challenge an inaccurate or illegal tax assessment and to claim a refund of taxes. The process is initiated by an application for assessment reduction under Civil Code section 1603, subdivision (a), which provides: "A reduction in an assessment on the local roll shall not be made unless the party affected . . . files with the county board a verified, written application showing the facts claimed to require the reduction and the applicant's opinion of the full value of the property." Under section 1610.8, the board may "cancel[ ] improper assessments." An order for refund cannot be made unless a verified claim is filed under section 5097. Lastly, the taxpayer may file an action in the superior court to recover a tax that the board has refused to refund after a duly filed claim. § 5140.


The trial court agreed with the defendant companies, sustained the demurrers without leave to amend, and entered a judgment of dismissal. The consumers timely appealed.


On appeal, the consumers primarily contended that they were not required to pursue administrative remedies because they had sued only private companies and did not challenge the municipal tax process involved. Instead, the complaints sought tax refunds, an injunction against future tax assessments, and removal of tax liens. Relying on Oakland v. California Construction Co. (1940) 15 Cal.2d 573 (Oakland), the consumers asserted that a "request by private party property owners for the return of money paid out on a void contractual obligation [is] not a challenge to an assessment lien" and, therefore, does not require that they first exhaust administrative remedies.


The Fourth District disagreed and held that, for the purposes of applying the exhaustion rule, the PACE assessments can only be treated as taxes. This is because, under Revenue and Taxation Code section 4801, "taxes" include "assessments collected at the same time and in the same manner as county taxes." § 4801; see Kahan v. City of Richmond (2019) 35 Cal.App.5th 721, 737. Therefore, despite their assertions to the contrary, the Court concluded that the consumers did challenge their property tax assessments.


The Fourth District also found the California Supreme Court's ruling in Oakland to be materially distinguishable because that case did not involve a challenge to any tax. Rather, the city of Oakland sought to void street improvement contracts based on a contractor's alleged fraud during the bidding process. Oakland, supra, 15 Cal.2d at pp. 574‒575.


The consumers also argued that the exhaustion rule only applies to lawsuits against the government. They found support for this view in section 5140, which provides that the "person who paid the tax" is authorized to bring a refund action against "a county or a city" to recover tax the county or city has refused to refund.


However, the Fourth District determined that this argument was foreclosed by the California Supreme Court's decision in Loeffler. In that case, the court held that consumers had to first exhaust administrative tax remedies before bringing an action under the Unfair Competition Law to challenge a retailer's alleged misrepresentation about whether a sale of hot coffee was subject to sales tax. Loeffler, 58 Cal.4th at pp. 1092, 1134. The California Supreme Court explained that the question of taxability had to be first decided administratively, followed by judicial review of the agency's decision. Id. at p. 1127. An injunction prohibiting retailers from collecting sales tax "could indirectly reduce the flow of tax revenue in the future" and thus involved policies the exhaustion rule was intended to address. Id. at p. 1131.


Similarly here, the Fourth District concluded that the consumers' PACE assessments undoubtedly would be affected by the adjudication of the complaints. The consumers alleged that the PACE loans were "void at inception for illegality" and the resulting security interest (i.e., a property tax lien) was also unlawful and "void." Because the tax rested exclusively upon the validity of the PACE financing, a judgment that the debt and security interest were illegal and void would negate the sole basis of the tax assessment.


The consumers also asked the Fourth District to apply a broad exception to exhaustion on the grounds that "no purpose would be served" by requiring the board to consider a pure legal issue — whether consumer protection statutes apply to these PACE loans.


A limited exception to the exhaustion rule has generally been recognized where " 'the administrative agency cannot provide an adequate remedy' and 'when the subject of a controversy lies outside the agency's jurisdiction.' " Williams & Fickett, supra, 2 Cal.5th at p. 1274. But in this case, the Fourth District concluded that an adequate remedy did exist because, by statute, the board "shall" refund property tax that is erroneously or illegally assessed. § 5096, subds. (b), (c).


Lastly, the consumers asserted that the Fourth District should still rule on whether they have stated a valid claim on the merits. However, because the demurrers were limited to whether the consumers had failed to exhaust administrative remedies, the Appellate Court held that the issue of whether the consumers' substantive claims had merit was not before it.


Accordingly, the Fourth District affirmed the judgment of the trial court.



Ralph T. Wutscher
Maurice Wutscher LLP
The Loop Center Building
105 W. Madison Street, 6th Floor
Chicago, Illinois 60602
Direct:  (312) 551-9320
Fax: (312) 284-4751

Mobile:  (312) 493-0874


Admitted to practice law in Illinois




Alabama   |   California   |   Florida   |   Illinois   |   Massachusetts   |   New Jersey   |   New York   |   Ohio   |   Pennsylvania   |   Tennessee   |   Texas   |   Washington, DC



NOTICE: We do not send unsolicited emails. If you received this email in error, or if you wish to be removed from our update distribution list, please simply reply to this email and state your intention. Thank you.

Our updates and webinar presentations are available on the internet, in searchable format, at:


Financial Services Law Updates




The Consumer Financial Services Blog