November 14, 2024
On November 12, the Consumer Financial Protection Bureau (“CFPB”) published a report called “State Consumer Privacy Laws and the Monetization of Consumer Financial Data” that took an uneven look at how Federal financial privacy laws fare compared to the comprehensive privacy laws that eighteen states have enacted in recent years. The financial services industry in the United States has had privacy laws dating back to 1970 (i.e., the Fair Credit Reporting Act (“FCRA”) was passed in 1970) that govern how nonpublic personal information of a financial nature may and may not be accessed, collected, shared, and sold. Recent updates aside, the last major financial privacy law enacted was the Gramm-Leach-Bliley Act (“GLBA”) in 1999, which was at the dawn of internet shopping and e-commerce. While there have definitely been updates to both GLBA and the FCRA and the various regulations that spawn from them, there has not been a new federal financial privacy law introduced in the past twenty-five years.
Meanwhile, the state privacy laws that have been passed, while comprehensive in nature (meaning that they address privacy rights and obligations generally and regardless of the sector in which the data is being collected or shared), nevertheless often exempt financial institutions regulated by GLBA. And, the CFPB thinks that this exemption may be improper and may leave many loopholes through which financial institutions may be able to drive trucks. To understand this, we are first going to look at what criticisms the CFPB has of the current laws, and then we will get into the sometimes fanciful conclusions the CFPB draws from them.
In the report, the CFPB points out that GLBA uses an opt-out mechanism, instead of a more privacy-protective opt-in mechanism. Specifically, when a financial institution governed by GLBA engages in the activity of sharing information with non-affiliated third parties, then customers have the right to “opt-out” of that kind of sharing. But, keep in mind that the opt-out process is cumbersome to operationalize because the opt-out has to be exercised only after the customer relationship has been formed, and then customers may either opt-out during an initial period of time or “a consumer may exercise the right to opt out at any time.” 12 CFR § 1016.7(f)(5)(iii)(C), this is the CFPB’s version of Regulation P, implementing GLBA. This means that in reality, almost all financial institutions governed by GLBA do not share information with non-affiliated third parties. So, this criticism seems to be a bit of a red herring.
Keeping in mind that the CFPB has had the ability to update its Regulation P (i.e., each federal banking agency and the Federal Trade Commission (FTC) have promulgated a separate Regulation P that is customized to address its regulated audience) since 2011 and has only put into place a few small changes, the report points out that there is no central repository for customers to indicate that they do not want their information shared, so they have to opt-out from EACH financial institution. Central repositories like the FTC’s Do Not Call list have problems of their own, and again, because of the awkward nature of the GLBA opt-out, most financial institutions do not share information with non-affiliated third parties, so this criticism also seems to be swimming with the red fishes.
Finally, the CFPB points to the Government Accountability Office expressing “concerns that some financial institutions are abusing Regulation P’s model notice option to mask just how much data they collect on consumers and all the ways they allow that information to be used, including by firms far removed from the products and services the financial institution provides.” Why the CFPB itself does not have better information than the GAO about whether this kind of thing is actually happening is curious, given its supervision powers. But, more importantly, for anyone who has ever worked with the “model notice” required under Regulation P, the notice has been confusing since its inception. Yours truly has personally addressed this problem over and over again with the regulators, including with the CFPB and the FTC, and not only to no avail, but worse also to no real understanding from the regulators as to why the model notice just does not work. And yet, this is the one criticism of GLBA in the report that actually sticks.
We should now move to what the CFPB sees as being the big, bad result of the existing financial privacy laws – while recognizing that financial data includes transactional information, account numbers and such, the report also states that “[f]inancial data can also include information that financial institutions compile using third-party products and services, such as a consumer’s credit score or a consumers’ web browsing history tracked through cookies, pixels, beacons, and related technology. Further, financial data can include the insights about a consumer’s behavior that their financial transactions reveal, such as details about what products and services consumers utilize, how much they are spending on these products and services, and where consumers are purchasing them.”
Never mind that the use of credit scores is highly regulated and restricted under the FCRA. Also, if a financial institution were to either use “insights about a consumer’s behavior” to make decisions about an individual consumer or to sell such insights so that others could make decisions about an individual consumer, then the financial institution would then have to comply with the FCRA in numerous additional ways, and if they get it wrong, then there is a private right of action under the FCRA. No, it seems that the biggest thing the CFPB doesn’t like is the possibility that financial institutions could use the data to create marketing profiles describing characteristics of broad swathes of consumers and make some money from that generic information.
So, what would the CFPB like instead? Obviously, the CFPB would like not just the generic swathes of data to be made available to anyone and everyone, but the CFPB have required financial institutions governed by GLBA to freely hand over all of the protected financial information to third-parties under their Open Banking Rule (read about that here), and all for free, and all regardless of whether those third parties or the consumers whose data will have to be shared are in any of the 18 states with comprehensive privacy laws. The new state laws do have some meaningful protections for consumers, but the main reason that those laws exempt financial institutions governed by GLBA is because financial services data is too complex for a generic privacy law to address responsibly, and money movement occurs across state lines in the blink of an eye. Only a new Federal financial privacy law would be appropriate to fill in whatever gaps, real or perceived, there might be, and in the meantime, it is relatively rare for laws to last as long as GLBA and the FCRA have lasted, and they have both stood the test of time.
Currently, each filer under the SEC’s EDGAR system has a single set of access codes that permits access to the filer’s EDGAR account and the holder(s) of those access codes to make SEC filings on its behalf. Anyone responsible for making filings for a filer – which can include third-party service providers and internal stakeholders – is provided with that same set of codes. This has created the security issues you would expect: since not all of the access codes are required for every EDGAR function, over the course of decades, it is easy to lose track of who has which access codes; the only way to make really sure a terminated employee’s (or any other person that is no longer authorized by the filer) access is cut off is to reset certain of the access codes for a filer; and if anyone ever makes an unauthorized filing, there is no way for the EDGAR system to identify which of the potentially numerous people with filing access submitted it.
In an effort to modernize that arrangement, the SEC is introducing EDGAR Next, a new approach to EDGAR access where every person who wishes to use the EDGAR system to submit filings will need to have an individual account through Login.gov. When a filer first requests EDGAR filer access, it will be required to identify a minimum of two account administrators (or one account administrator for an individual (i.e., natural person) filer or single-member company) who will have the power to submit filings and to add and remove other account administrators and individual users who will have the power to submit filings for the filer. These account administrators will also have the power to delegate filing authority to other companies, like third-party service providers, who will have their own account administrators and users who can make filings on behalf of the filer.
The EDGAR Next system will require an annual confirmation that the people given access and filing authority on behalf of such filer are correct and that the contact information that the SEC has on file for the filer is accurate, which confirmation can be made by any of the account administrators. Failure of a filer to provide the confirmation after a three-month grace period will result in such filer’s access to EDGAR being deactivated and such filer would thereafter be required to re-submit a Form ID to the SEC to regain access.
The transition period to EDGAR Next begins on March 24, 2025. From that date forward, anyone seeking EDGAR access for a new filer will be required to do so through the new system where account administrators and any other relevant parties are identified; existing filers have the ability to voluntarily transition to the new system or can continue using the existing system for filings and account access up until September 15, 2025, at which point filing access will only be available through EDGAR Next.
To prepare for the transition to EDGAR Next, companies with filing obligations should:
- Identify account administrators and users with a focus on assigning responsibility for annual confirmation requests and establishing a process for onboarding and deleting account administrators and users as is necessary or appropriate to reflect business group composition changes.
- Identify all affiliated or related entities with filing obligations, keeping in mind that take-downs from a shelf registration statement may have CIKs that will also need to be transitioned.
- Gather the access codes necessary for the EDGAR Next transition for each filer.
- Identify everyone who currently has the filer’s access codes, including vendors, and coordinate with them to ensure they will have appropriate access after transitioning the filer to EDGAR Next. Advise them to set up an account with Login.gov prior to the transition period if they have not done so already.
In Policy Statement 24/14 (“PS 24/14”) the UK’s Financial Conduct Authority (“FCA”) has set out a “simpler and more timely post-trade transparency regime” for bonds and certain derivative transactions.
Based on evidence that the current regime has not delivered meaningful enhancements to transparency or impacts on price formation, the FCA has introduced new rules to recalibrate the regime through changing:
- the scope of the instruments subject to transparency – the new rules will mean that only those classes of financial instruments which are systemically important will be subject to mandatory post-trade transparency. These include bonds traded on UK trading venues and certain OTC derivatives subject to the clearing obligation. In addition, those instruments will be subject to a large-in-scale threshold above which pre-trade transparency can be waived and trading venues and investment firms can defer post-trade transparency;
- trading protocols for which pre-trade transparency is required – pre-trade transparency will now only be required for continuous auction order book, quote-driven trading systems and periodic auction trading systems meaning that trading which is based on bilateral negotiation or on quotes provided on request will not be subject to pre-trade requirements;
- the thresholds for deferring publication of details of large in scale transactions and the length of deferrals in order to calibrate these more accurately. There will now be a 15-minute maximum delay permitted for package and portfolio trades, but all others will remain subject to a maximum delay of five minutes;
- the definition of exempt transactions – the exemption for inter-fund transfers will remain, subject to a new definition, and there will also be a new definition of give-up and give-in trades that are exempt from post-trade reporting;
- the contents of post-trade reports’ fields and flags; and
- the definition of “systematic internaliser.”
Next steps
The new transparency rules will come into force on 1 December 2025.
The UK’s Financial Conduct Authority ("FCA") is proposing to extend the payment optionality it has proposed for institutional investors to pooled funds, including UCITS management companies, full scope UK Alternative Investment Fund Managers ("AIFMs"), small authorised UK AIFMs and residual collective investment scheme operators and investment platform providers.
Earlier this year, the FCA finalised new rules to allow investment firms purchasing research for segregated mandates to bundle those payments with purchases of execution services (see our note on this here). In CP24/21, the proposal to extend this payment option for other asset managers mirrors that afforded to investment firms, and will similarly sit alongside the methods already available which include payment from the firm’s own resources or from a dedicated research payment account. Asset managers will also be required to meet the same requirements to take up this option, including:
- establishing a written policy on joint payments;
- formulating a research budget based on expected amounts of third-party research and having a cost allocation structure that operates fairly;
- periodically assessing value for money;
- taking responsibility for the operation and administration of research payment accounts; and
- making appropriate disclosures to investors about joint payments.
Next steps
Responses are due by 16 December 2024.