CFPB Issues Final Rule Regarding Revisions to Privacy Act Implementation

The CFPB issued a final rule that makes limited revisions to the CFPB’s regulations that establish the procedures used by the public to obtain records from the Bureau under the Privacy Act of 1974 (Privacy Act). The revisions change the definition of “Chief Privacy Officer” (CPO) to align the CPO’s authorities and responsibilities to the CFPB’s Senior Agency Official for Privacy. The revisions also create an additional method for a requester to verify their identity when submitting a Privacy Act request to the CFPB.

The term “Chief Privacy Officer” now has the definition of “the Senior Agency Official for Privacy of the CFPB or any CFPB employee to whom the Senior Agency Official for Privacy has delegated authority to act under this part.” The CFPB revised the definition to reflect its reorganization and align the authorities and responsibilities to the Chief Privacy Officer.

Further, the final rule revises the requirements for members of the public to provide proof of identity to access CFPB records pursuant to the Privacy Act. Members of the public now have three ways to personally identify themselves and one way for third parties to identify them. The Bureau makes this revision to facilitate electronic or remote identity proofing and authentication in accordance with the CASES Act of 2019 and the Office of Management and Budget’s implementing guidance, “Modernizing Access to and Consent for Disclosure of Records Subject to the Privacy Act.”

The final rule took effect on September 1, 2021, after the rulemaking process, which started in July of 2011. The CFPB issued the final rule pursuant to its authority under title X of the Dodd-Frank Act, and the Privacy Act of 1974. No notice of proposed rulemaking was required under the Administrative Procedure Act because this rule relates solely to agency procedure and practice.