On October 19, the Consumer Financial Protection Bureau (CFPB) issued its highly anticipated notice of proposed rulemaking under Section 1033 of the Consumer Financial Protection Act of 2010 (CFPA). The proposed Personal Financial Data Rights Rule would require depository and nondepository entities to make available to consumers and authorized third parties certain data relating to consumers’ accounts, establish obligations for third parties accessing a consumer’s data, and provide basic standards for data access. Notably, the proposed rule only provides for narrow exceptions, such as community banks and credit unions that have no digital interface with their customers. The CFPB is currently accepting comments on the proposed rule until December 29, 2023.
As discussed here, on October 27, 2022, CFPB Director Rohit Chopra announced his intent to move forward with the rulemaking as part of the financial services industry’s movement toward “open banking.” In last week’s press release announcing the proposed Section 1033 rulemaking, Director Chopra emphasized that “we are proposing a rule to give consumers the power to walk away from bad service and choose the financial institutions that offer the best products and prices.” The proposed rule was designed by the CFPB to “foster a data access framework that is (1) safe, by ensuring third parties are acting on behalf of consumers when accessing their data, including with respect to consumers’ privacy interests; (2) secure, by applying a consistent set of security standards across the market; (3) reliable, by promoting the accurate and consistent transmission of data that are usable by consumers and authorized third parties; and (4) competitive, by promoting standardization and not entrenching the roles of incumbent data providers, intermediaries, and third parties whose commercial interests might not align with the interests of consumers and competition generally.”
Some highlights from the proposed rule include:
- Access to data. Covered persons include entities providing asset accounts subject to the Electronic Funds Transfer Act, credit cards subject to the Truth in Lending Act, and related payment facilitation products and services “from a Regulation E account or Regulation Z credit card.” Covered persons must make personal financial data available, at no charge to consumers, through dedicated, secure digital interfaces.
- Covered data includes transaction information, account balance, payment-initiation information to or from a Regulation E account, terms and conditions, upcoming bill information, and basic account verification information.
- Covered persons would not be permitted to charge fees or charges to recoup the costs associated with establishing or maintaining digital interfaces.
- The CFPB plans to issue supplemental rulemakings with respect to other consumer financial products and services, such as mortgage, automobile, and student loans.
- A right to share data. Consumers would have the right to grant authorized third parties access to information associated with their credit card, checking, prepaid, and digital wallet accounts.
- The data must be provided in an “electronic form usable by consumers and authorized third parties.”
- Third parties would not be allowed to collect, use, or retain data for secondary uses, such as advertising or marketing purposes.
- Third parties that are data aggregators transmitting consumer-authorized data to end users for permissible purposes under the Fair Credit Reporting Act (FCRA), such as for underwriting loans, are considered consumer reporting agencies. It is still unclear how this rulemaking will overlap with the CFPB FCRA rulemaking.
- A right to provide authorization and revoke consent. Consumers would have the right to provide authorization to third parties to access their data as well as to revoke access to their data.
- To obtain consumer authorization, a third party must provide:
- the name of any third parties accessing data;
- the name of the data provider;
- a brief description of the product or service for which data access is reasonably necessary;
- the categories of covered data to be accessed;
- a certification to certain minimal obligations with respect to such data;
- a description of the revocation mechanism; and
- the name of any data aggregators assisting in accessing the data.
- The proposal currently does not provide for any opt-in consent mechanism for secondary uses of consumer data.
- Upon revocation, the proposed rule would require that data access end immediately, and the consumer’s data be deleted.
- Access to data would also be limited to one year, absent reauthorization by the consumer.
- A move away from screen scraping. The proposed rule would prevent data providers from relying on screen scraping to comply with the proposal.
- Instead, data providers would be required to establish developer interfaces that would make data available in a machine-readable, standardized format and could not allow a third party to access the system using consumer interface credentials.
- The CFPB has not yet determined how it will recognize standard-setting bodies that will develop qualified industry standards.
- A requirement for written policies and procedures. Data providers and authorized third parties would be required to “establish and maintain written policies and procedures” to implement the objectives of the proposed rule and to “ensure retention of records that are evidence of compliance.”
- Third parties, even if not financial institutions, would be required to establish data security programs that comply with the Gramm-Leach-Bliley Act Safeguards Rule.
- Tiered compliance dates.
- Tier One: approximately six months after the date of publication of the final rule in the Federal Register, for depository institution data providers that hold at least $500 billion in total assets and nondepository institution data providers that generated at least $10 billion in revenue in the preceding calendar year or are projected to generate at least $10 billion in revenue in the current calendar year.
- Tier Two: approximately one year after the date of publication of the final rule in the Federal Register, for depository institutions that hold at least $50 billion in total assets but less than $500 billion in total assets, and for nondepository institutions that generated less than $10 billion in revenue in the preceding calendar year and are projected to generate less than $10 billion in revenue in the current calendar year.
- Tier Three: approximately two and a half years after the date of publication of the final rule in the Federal Register, for depository institutions that hold at least $850 million in total assets but less than $50 billion in total assets.
- Tier Four: approximately four years after the date of publication of the final rule in the Federal Register, for depository institutions that hold less than $850 million in total assets.
With stakeholder comments due no later than December 29, 2023, the CFPB is currently expected to issue the final rule in the fall of 2024.