On October 19, 2023, the CFPB released a proposed rule that, if finalized in its current form, would require covered financial institutions to offer consumers and authorized third parties options for access and portability of their financial data. The CFPB’s proposed rule, called the “Personal Financial Data Rights” rule, would implement Section 1033 of Title X of the Dodd-Frank Act, a provision of law enacted by Congress more than a decade ago that has not yet been implemented through a final rule.
In the press release announcing the proposed rule, CFPB Director Rohit Chopra emphasized the CFPB’s goal of increasing competition and facilitating the transition to open banking. “With the right consumer protections in place, the transition to open and decentralized banking can strengthen competition, improve financial products and services, and avoid unnecessary fees,” Chopra said. “Today, we are proposing a rule that will give consumers the power to move away from poor service and choose financial institutions that offer the best products and prices.”
In separate prepared remarks, Director Chopra said the CFPB “will attempt to finalize the rule by next fall.” He also emphasized the importance of the proposed rule. “Over time, I expect that our work to mobilize this dormant authority, accelerate competition, and promote decentralization in finance will help put trillions of dollars in the pockets of American families and allow small-player startups to compete head-to-head with big market players,” he said.
Section 1033 of Title X of the Dodd-Frank Act requires covered persons, subject to rules prescribed by the CFPB, to make available to a consumer upon request the information in the covered person’s control or possession concerning the consumer financial product or service the consumer obtained from that covered person,1 and also directed the CFPB to issue rules establishing standards to encourage the development and use of standardized data sharing formats.2
The CFPB has taken several steps to develop rules to implement Section 1033, beginning with its 2016 Request for Information. Among other steps, the CFPB issued consumer protection principles in October 2017, an advance notice of proposed rulemaking in October 2020, and a related Small Business Review Panel report in April 2023.
With the issuance of the proposed rule, the CFPB has taken one of the final steps in the Section 1033 rulemaking process. As Director Chopra noted in his prepared remarks, the CFPB will now collect comments on the proposed rule through December 29, 2023, and then issue a final rule implementing Section 1033, likely in the fall of 2024.
The CFPB’s proposed Personal Financial Data Rights Rule aims to give consumers the right to access their financial data and the right to share that data with others, including other financial service providers. That is no small task, and the proposed rule is correspondingly complex. Its key provisions include the following:
- Scope – Data Providers and Third Parties. The proposed rule would create obligations for “data providers” and “authorized third parties.” Subject to the exclusion of depository institutions that do not have a consumer interface, “data provider” would include any “financial institution” as that term is defined in 12 CFR 1005.2(i) (Reg. E); any “card issuer” as defined in 12 CFR 1026.2(a)(7) (Reg. Z); and “any other person who controls or possesses information concerning a covered consumer financial product or service that the consumer obtained from that person.” “Authorized third party” would include “any third party that complies with the authorization procedures” specified in the proposed rule.
- Scope – Financial Product or Service in Scope. The proposed rule would create obligations related to any “covered consumer financial product or service.” A “covered consumer financial product or service” would include any “account” as defined in 12 CFR 1005.2(b) (Reg. E); any “credit card” as defined in 12 CFR 1026.2(a)(15)(i) (Reg. Z); and any product or service that facilitates “payments from a Regulation E account or Regulation Z credit card.”
- Scope – Data Covered. The proposed rule would create obligations regarding “covered data.” Subject to certain noted exceptions, “covered data” includes transaction information, account balance, payment initiation information to or from a Regulation E account, terms and conditions, upcoming billing information and basic account verification information.
- Data Provider Obligation – Data Access. Subject to certain exceptions, a data provider would be required to provide an authenticated consumer, an authorized third party, or a data aggregator acting on behalf of an authorized third party with the most recently updated covered data in the data provider’s control or possession concerning any covered consumer financial product or service that the consumer obtained from the data provider. Covered data would need to be provided “in an electronic form usable by consumers and authorized third parties.” The data provider would not be permitted to impose any fees or charges on the consumer or the authorized third party in connection with a data access request.
- Data Provider Obligation – Developer Interface and Data Security. A data provider would be required to establish a “developer interface” through which it can receive and respond to requests for covered data, and to protect that developer interface with an information security program that satisfies the applicable rules issued under the Gramm-Leach-Bliley Act.
- Data Provider Obligation – Written Policies and Procedures. A data provider would be required to “establish and maintain written policies and procedures reasonably designed to achieve the objectives” of the proposed rule and to “ensure the retention of records evidencing compliance.”
- Authorized Third Party Obligation – Limitations on Processing. An authorized third party’s collection, use and retention of covered data would be limited to what is “reasonably necessary to provide the product or service the consumer has requested.” Targeted advertising, cross-selling of other products or services, and the sale of covered data would not be treated as “part of, or reasonably necessary to provide, any product or service.” The authorized third party would also be required to “limit the duration of collection of covered data to a maximum period of one year after the consumer’s most recent authorization.”
- Authorized Third Party Obligation – Data Security. An authorized third party would be required to protect the systems it uses to collect, use and store covered data with an information security program that satisfies the applicable rules issued under the Gramm-Leach-Bliley Act.
- Authorized Third Party Obligation – Written Policies and Procedures. An authorized third party would be required to “establish and maintain written policies and procedures reasonably designed to ensure that covered data are accurately received from a data provider and accurately provided to another third party,” where applicable, and to ensure the retention of records evidencing compliance.
- Phased Application. Larger data providers3 would be subject to the proposed rule’s requirements sooner than smaller institutions, and community banks and credit unions without a digital consumer interface would be exempt.
The CFPB’s proposed rule implementing Section 1033, if finalized in its current form, could accelerate the transition to open banking and increase competition among certain types of financial services providers. But it would also create a new and potentially burdensome regulatory regime. Covered financial services providers should closely review the proposed rule, evaluate whether it would create business opportunities or risks, and consider whether investments in existing technology and operations would facilitate compliance with the proposed rule.
Stakeholders must submit comments on any aspect of the proposed rule by December 29, 2023.
1. 12 USC § 5533(a) (“Subject to rules prescribed by the Bureau, a covered person shall make available to a consumer, upon request, information in the control or possession of the covered person concerning the consumer financial product or service that the consumer obtained from such covered person, including information relating to any transaction, series of transactions, or to the account including costs, charges and usage data. The information shall be made available in an electronic form usable by consumers.”).
2. 12 USC § 5533(d) (“The Bureau shall prescribe standards applicable to covered persons to promote the development and use of standardized formats for information, including through the use of machine readable files, to be made available to consumers under this section.”).
3. Depository institution data providers that hold at least $500 billion in total assets, and non-depository institution data providers that generated at least $10 billion in revenue in the prior calendar year or are projected to generate at least $10 billion in revenue in the current calendar year.
* Special thanks to Tessa Cierny and Zeba Pirani for their valuable contributions to this GT Alert.
˘ Not admitted to the practice of law.
The content of this article has been prepared to provide a general guide on the subject. Expert advice should be sought regarding your particular circumstances.