§ 1033.321 - Interface access.

(a) Denials related to risk management. A data provider does not violate the general obligation in § 1033.201(a)(1) by denying a consumer or third party access to all elements of the interface described in § 1033.301(a) if:

(1) Granting access would be inconsistent with policies and procedures reasonably designed to comply with:

(i) Safety and soundness standards of a prudential regulator, as defined at 12 U.S.C. 5481(24), of the data provider;

(ii) Information security standards required by section 501 of the Gramm-Leach-Bliley Act, 15 U.S.C. 6801; or

(iii) Other applicable laws and regulations regarding risk management; and

(2) The denial is reasonable pursuant to paragraph (b) of this section.

(b) Requirements for reasonable denials. A denial is reasonable pursuant to paragraph (a)(2) of this section if it is:

(1) Directly related to a specific risk of which the data provider is aware, such as a failure of a third party to maintain adequate data security; and

(2) Applied in a consistent and non-discriminatory manner.

(c) Indicia bearing on reasonable denials. Indicia bearing on the reasonableness of a denial pursuant to paragraph (b) of this section include:

(1) Whether the denial adheres to a consensus standard related to risk management;

(2) Whether the denial proceeds from standardized risk management criteria that are available to the third party upon request; and

(3) Whether the third party has a certification or other identification of fitness to access covered data that is issued or recognized by a recognized standard setter or the CFPB.

(d) Conditions sufficient to justify a denial. Each of the following is a sufficient basis for denying access to a third party:

(1) The third party does not present any evidence that its information security practices are adequate to safeguard the covered data; or

(2) The third party does not make the following information available in both human-readable and machine-readable formats, and readily identifiable to members of the public, meaning the information must be at least as available as it would be on a public website:

(i) Its legal name and, if applicable, any assumed name it is using while doing business with the consumer;

(ii) A link to its website;

(iii) Its Legal Entity Identifier (LEI) that is issued by:

(A) A utility endorsed by the LEI Regulatory Oversight Committee, or

(B) A utility endorsed or otherwise governed by the Global LEI Foundation (or any successor thereof) after the Global LEI Foundation assumes operational governance of the global LEI system; and

(iv) Contact information a data provider can use to inquire about the third party's information security and compliance practices.