On October 19, the Consumer Financial Protection Bureau (“CFPB”) proposed the long-awaited “Personal Financial Data Rights Rule” (“Proposed Rule”) that would govern consumers’ and data collectors’ access to personal financial information from financial sources. It provides resources to organizations through open banking. The CFPB’s stated goals for the Proposed Rule are to increase competition in the banking and consumer finance industry and to protect consumer data by creating a safe, secure, reliable, and competitive “data access framework.”1 The Proposed Rule would be implemented under Section 1033 of the Dodd-Frank Consumer Financial Protection Act of 2010,2 which CFPB Director Rohit Chopra described as “dormant authority” in prepared remarks accompanying the release.3
Data access
Director Chopra argued that a lack of data access in consumer banking and finance prevents consumers from easily switching providers, even if they are unhappy with interest rates and quality of service. He equated the bureaucratic difficulty of switching banks with that of the wireless phone industry before the Federal Communications Commission adopted new policies requiring wireless phone number portability.
Director Chopra notes that the Proposed Rule would establish “standards for data access,” whereby financial institutions subject to the rule would be required to provide consumers with access to their financial data, including their transaction history.4 The CFPB’s stated goals for this rule include providing new financial providers with a more complete financial picture to consider when offering products to consumers, and allowing consumers to more easily leave underperforming providers.5 If adopted, implementation of these requirements will occur in phases, requiring larger financial institutions to comply before smaller institutions.6
Data security and control
The Proposed Rule also aims to move the market away from reliance on screen scraping as a means of accessing personal financial data from financial institutions. It will also introduce new data storage and access restrictions. Companies will be required to “establish and maintain systems that can receive data access revocation requests, track time-limited authorizations, and delete data when necessary due to revoked authorizations, expired authorizations, or because retaining the data is no longer reasonably necessary.”7
Third-party data usage restrictions
Director Chopra also stated that the Proposed Rule would address perceived data privacy concerns by imposing prohibitions on the use of personal data by third-party recipients; this includes using data for targeted advertising, selling data to data brokers, and using data to train artificial intelligence to manipulate consumers’ behaviour.8
The CFPB is accepting comments on the proposal until December 29, 2023, with a goal of finalizing the rule by Fall 2024.
Analysis
The Proposed Rule, if implemented, would significantly change the legal and business dynamics between consumers, traditional financial institutions, technology platforms, and third-party users of consumer data. The proposal is significant and requires companies to review their consumer and data compliance policies as well as their commercial regulations. Given the impact of federal consumer protection laws on state laws and the growing interest in data privacy laws at the state level, states are also likely to adopt or modify their approaches to the consumer data rights discussed in this Proposed Rule.
1 Consumer Financial Protection Bureau, 12 CFR Parts 1001 and 1033, Case No. CFPB-2023-0052, Establishing Required Rules Concerning Personal Financial Data Rights (October 19, 2023).
2 Id.
3 Prepared Remarks of CFPB Director Rohit Chopra on the Proposed Personal Financial Data Rights Rule, Consumer Financial Protection Bureau (October 19, 2023).
4 Consumer Financial Protection Bureau, 12 CFR Parts 1001 and 1033, Case No. CFPB-2023-0052, Establishing Required Rules Concerning Personal Financial Data Rights (October 19, 2023).
5 Id.
6 “CFPB Proposes Rules to Jumpstart Competition and Accelerate Transition to Open Banking,” Consumer Financial Protection Bureau (October 19, 2023).
7 Consumer Financial Protection Bureau, 12 CFR Parts 1001 and 1033, Case No. CFPB-2023-0052, Establishing Required Rules Concerning Personal Financial Data Rights (October 19, 2023).
8 Prepared Remarks of CFPB Director Rohit Chopra on the Proposed Personal Financial Data Rights Rule, Consumer Financial Protection Bureau (October 19, 2023).