At the Money 20/20 fintech conference, Consumer Financial Protection Bureau (CFPB) Director Rohit Chopra announced his intent to move forward with the CFPB’s rulemaking under Section 1033 of the Consumer Financial Protection Act as part of the financial services industry’s movement toward “open banking,” a concept that involves the use of APIs that provide direct access to a financial institution’s data, enabling third-party developers to build applications and services around such data. Specifically, Chopra stated that the upcoming CFPB rules will likely contain provisions: (1) requiring financial institutions that offer transaction accounts to set up secure methods, like APIs, for data sharing; (2) stopping incumbent institutions from improperly restricting access when consumers seek to control and share their data; and (3) exploring safeguards to prevent excessive control or monopolization by a handful of firms. Today, the CFPB released an Outline of Proposals and Alternatives Under Consideration for industry participants to weigh in on the Section 1033 rulemaking. The CFPB will be accepting written feedback from stakeholders through January 25, 2023.
Chopra described the impetus for the new rule as part of an intentional shift by the CFPB away from “fine print” privacy notices and toward procompetitive regulation. “While not explicitly an open banking or open finance rule, the rule will move us closer to it, by obligating financial institutions to share consumer data upon consumer request, empowering people to break up with banks that provide bad service, and unleashing more market competition. If successful, it will also reduce the ability for incumbents to build moats and for middlemen to serve as gatekeepers. It will provide big advantages to those who provide the best products, service quality, and rates.”
According to Chopra, the benefits of moving toward open banking include:
- More bargaining leverage for individuals and nascent firms;
  - Individuals who want to switch providers would be able to transfer their account history to a new company.
  - Nascent firms would be able to use data permissioned by consumers to improve upon and customize, to provide greater access, and to develop products and services.
- Better security of personal financial data;
  - If a firm is required to make a person’s financial information available to them, or to a third-party acting on the consumer’s behalf, via a secure method, some privacy problems like screen scraping could be mitigated.
- More switching and incentives for better service;
  - Individuals could walk away from their financial provider for whatever reason without worrying about the hassle of resetting direct deposits or automatic payments.
  - A competitive market would lead to unbundling where companies compete on individual products, rather than relying on captive customers.
  - More switching would lead to greater efforts by firms to maintain or win customer loyalty.
  - When consumers authorize transfers of their personal financial data, new providers would immediately know the products and services that could best fit their new customers’ needs.
  - Large incumbents would find their customers to be less “sticky” and easier to “poach.” They’d also find it harder to impose “junk fees” and harvest personal financial data for their exclusive use.
- The ability for financial companies to find new ways to underwrite and score with less bias.
  - Lending could move back to real-world data about someone’s ability to pay back a loan and this could eliminate bias and reliance on credit scores and other proxies.
The proposed rules will be limited to deposit accounts, credit cards, digital wallets, prepaid cards, and other transaction accounts, but Chopra noted that, “while we expect to cover more products over time, we are starting with these ones.” Chopra hopes that the new rule “will be able to facilitate new approaches to underwriting, payment services, personal financial management, income verification, account switching, and comparison shopping.” Chopra also indicated that the new rule may reach beyond consumer access to financial records and could touch on areas including data monetization restrictions, purpose limitations, data deletion requirements, and data ownership, as well as replacing existing privacy regimes, such as the Gramm-Leach-Bliley Act.
The proposed rules being considered, amongst other things, would:
- Require a defined subset of Dodd-Frank Act covered persons that are data providers to make consumer financial information available to a consumer or an authorized third-party.
- Require a potential “authorized third-party” to: (1) provide an “authorization disclosure” to inform the consumer of key terms of access; (2) obtain the consumer’s informed, express consent to the key terms of access contained in the authorization disclosure; and (3) certify to the consumer that it will abide by certain obligations regarding collection, use, and retention of the consumer’s information.
- Require covered data providers to make available the following categories of information with respect to covered accounts:
  - Periodic statements;
  - Information regarding prior transactions and deposits that have not yet settled;
  - Information about prior transactions not typically shown on periodic statements or online financial account management portals;
  - Online banking transactions that the consumer has set up but that have not yet occurred;
  - Account identity information; and
  - Other information, including consumer reports obtained and used by the covered data provider in deciding whether to provide an account or other financial product or service to a consumer; fees that the covered data provider assesses on its consumer accounts; bonuses, rewards, discounts, or other incentives that the covered data provider provides to consumers; and information about security breaches that exposed a consumer’s identity or financial information.
- Ensure that data providers transmit consumer information accurately through third-party access portals, by requiring covered data providers to implement reasonable policies and procedures to ensure data accuracy, establish performance standards, and prohibit covered data provider conduct that would adversely affect the accurate transmission of consumer information, or some combination of the above.
- Limit third-parties’ collection, use, and retention of consumer information to what is reasonably necessary to provide the product or service the consumer has requested.
- Authorized third-parties would be required to provide consumers with a simple way to revoke authorization at any point, consistent with the consumer’s mode of authorization.
- The CFPB is considering proposals that would limit third-parties’ secondary use of consumer-authorized information and would require deletion of consumer information that is no longer reasonably necessary to provide the consumer’s requested product or service.
- The CFPB is also considering proposals to require authorized third-parties to implement data security standards and maintain reasonable policies and procedures to ensure the accuracy of the data that they collect and use.
Consumer Bankers Association (CBA) President and CEO Lindsey Johnson issued a statement in support of the proposed rulemaking: “CBA long has supported expanding consumers’ access and control of their personal financial data. We look forward to continuing to work with the Bureau on developing a well-founded, durable final rule that promotes competition, spurs innovation, and provides consumers the certainty of knowing their financial data is safe and secure.” In August 2022, the CBA joined other industry trade groups in petitioning the CFPB to “ensure that data aggregators and data users that are larger participants in the aggregation services market — not just banks and credit unions — are examined for compliance with applicable federal consumer financial law, especially the requirements of the forthcoming 1033 rulemaking, including the substantive prohibitions on the release of confidential commercial information.”
In addition to considering any written feedback, the CFPB will be convening a panel of small businesses to hear from small banks and financial companies who will be providers of data, the small banks and financial companies who will ingest the data, and the intermediary data brokers that will facilitate data transfers. Following these discussions, a report about the input received will be published during the first quarter of 2023, which will inform the proposed rule that Chopra plans to issue later in 2023. According to the timeline laid out by Chopra, the CFPB will move forward with implementation when the final rule is issued in 2024.