New CFPB Data Compliance Requirements Will Test the Limits of Financial Data Management Strategies

Data Lineage, Privacy Controls, Automation and Auditing Become Even More Crucial to Compliance


The Consumer Financial Protection Bureau (CFPB) recently announced new rules to strengthen oversight over consumer financial information and place more limits on data brokers. The new rules — the Personal Financial Data Rights Rule (Open Banking Rule) and the Proposed Rule on Data Broker Practices — will change the face of financial data management.

Organizations across a wide spectrum of the financial industry – from credit unions to fintech companies and data brokers – now have new data access, privacy, consent, lineage, auditability, and reporting requirements. Compliance with these new CFPB requirements will be a major operational and technical undertaking for most companies.

Below is a breakdown of the unique issues that arise with the new CFPB guidelines and how impacted organizations need to rethink their data lineage, privacy controls, automation, and auditing strategies.

The Personal Financial Data Rights Rule (Open Banking) 

The Personal Financial Data Rights Rule from the CFPB seeks to enable consumers to manage, access, and share financial information with third-party providers. Financial institutions have to offer data access, portability, and privacy protection with total control over who has seen the data and when.

Key Challenges and Strategies: Data Access and Portability

Banks and financial institutions must allow consumers to migrate their financial information to third parties. Institutions will need to demonstrate when, how, and why consumer data was shared. They must also protect consumer information and share only the data the consumer has consented to.

Automated ETL (Extract, Transform and Load) can help institutions collect consumer financial information across diverse sources (CRMs, payment systems, loan management systems) and turn it into common formats for easier management and tracing. This will also support lineage, crucial to providing regulators a full audit trail. Integration with Open Banking APIs and being able to integrate data with third parties directly will be essential.

Role-based access control is an important control to ensure that only authorized users and systems access defined data, and the ability to mask or encrypt PII helps anonymize consumer data before it is provided to third parties.

The New Data Broker Rules 

The CFPB’s revised data broker rules expand the scope of the Fair Credit Reporting Act (FCRA) and include Credit Rating Agencies. Data brokers who purchase, sell, or process consumer data now have to respect consumer privacy, consent, and deletion rights.

Key Challenges and Strategies: Data Deletion Requests 

Under this new rule, brokers will need to comply with consumer data deletion requests. Data brokers must obtain explicit consent before sharing consumer data. Regulators are now demanding an audit trail of who shared consumer data and with whom.

Automating data deletion workflows helps organizations detect and delete every reference to a consumer’s data in databases, data warehouses, and third-party data lakes. Being able to run purge workflows on request ensures that databases are automatically cleansed, duplicates removed, and consumer records deleted when the CFPB requests data deletions.

Tagging and classifying consumer data, and grouping it according to privacy policies and access levels, makes it easier to manage and delete when needed. Also, data masking ensures that third parties receive only non-PII data, supporting access and anonymization requirements.

Being able to track data as it is processed across databases and APIs provides the ability to demonstrate with certainty to regulators how, where and when data was used. All of these capabilities support the regular reporting that can be submitted directly to the CFPB.

Supporting Data Privacy, Consent, and Portability

Both CFPB regulations are focused on consumer consent, privacy management, and data portability. Businesses must now allow consumers to have control over their data and know where it is being shared.

Key Challenges and Strategies: Consent Tracking 

Consumers must be able to cancel their consent to sharing data. They need to have access to and the ability to export their personal data in common formats. This means data held in multiple silos must be synchronized with each change in consumer consent.

Visualizing consumer consent data and monitoring change requests over time will be crucial for compliance and reporting.  Organizations will need to have clean data change logs supported by data lineage metadata to provide a full audit trail.

Having data management tools that integrate with REST APIs will make it easier to export consumer data to other banks or fintech providers as needed. The ability to export data in multiple formats, such as CSV, JSON, or XML, allows integration with third-party programs. It will also be important to sync consent updates between multiple data warehouses so that consumer data is removed from the system when consent is revoked. 
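The consent-gated sharing, audit trail, and revocation-driven purge described in the data broker and consent tracking sections above, as an added illustration in Python (not Pentaho product code); the in-memory warehouses, consumer ids, and recipient names are constructed placeholders:

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Consent:
    consumer_id: str
    recipient: str      # third party the consumer authorised to receive data
    fields: frozenset   # data elements covered by the consent
    active: bool = True


class ConsentLedger:
    """Constructed consent store: every share is gated on active consent and logged."""
    def __init__(self, warehouses):
        # warehouses: constructed stand-in for several stores, name -> {consumer_id: record}
        self.warehouses = warehouses
        self._consents = {}  # (consumer_id, recipient) -> Consent
        self.audit = []      # append-only trail: (utc timestamp, event, consumer, recipient, detail)

    def _log(self, event, consumer_id, recipient, detail):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append((stamp, event, consumer_id, recipient, detail))

    def grant(self, consumer_id, recipient, fields):
        self._consents[(consumer_id, recipient)] = Consent(consumer_id, recipient, frozenset(fields))
        self._log("grant", consumer_id, recipient, sorted(fields))

    def share(self, consumer_id, recipient, requested):
        """Return only the consented subset of the requested fields; refuse if consent is absent."""
        consent = self._consents.get((consumer_id, recipient))
        if consent is None or not consent.active:
            self._log("share_refused", consumer_id, recipient, sorted(requested))
            raise PermissionError(f"no active consent for {consumer_id} -> {recipient}")
        record = next((w[consumer_id] for w in self.warehouses.values() if consumer_id in w), None)
        if record is None:
            raise LookupError(f"no stored data for {consumer_id}")
        allowed = set(requested) & consent.fields
        self._log("share", consumer_id, recipient, sorted(allowed))
        return {k: record[k] for k in allowed if k in record}

    def revoke(self, consumer_id, recipient):
        """Withdraw consent and purge the consumer's rows from every warehouse; return stores purged."""
        self._consents[(consumer_id, recipient)].active = False
        purged = [n for n, w in self.warehouses.items() if w.pop(consumer_id, None) is not None]
        self._log("revoke", consumer_id, recipient, purged)
        return purged

    def shared_with(self, consumer_id):
        """Audit answer for regulators: which recipients received this consumer's data, and which fields."""
        return [(r, d) for _, e, c, r, d in self.audit if e == "share" and c == consumer_id]
```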

Assuring Perpetual Compliance with CFPB Audit & Reporting Requirements

In the long term, CFPB compliance will require businesses to be consistently transparent, demonstrate compliance, and produce the reports regulators demand. This means organizations must adopt audit-friendly data lineage, be able to produce on-demand reports that capture a wide variety of variables, and be able to spot errors early to triage mishandling, flag missing or incorrect data, and proactively address issues before auditors discover them.

Meeting The Consumer Data Privacy New World Order Head On 

The new CFPB data privacy, consumer consent, and data broker rules set significant hurdles for financial institutions. Compliance requires data governance, real-time audits, and controlled data sharing. Pentaho’s entire product portfolio — Pentaho Data Integration (PDI), Pentaho Data Catalog (PDC), and Pentaho Data Quality (PDQ) — addresses these requirements through data privacy, portability, and auditability.

With Pentaho’s data integration, lineage management, and consent management functionality, financial companies can meet the CFPB’s regulations and reduce the risk of non-compliance fines. Contact our team to learn more!