On October 19, 2023, the Consumer Financial Protection Bureau
(CFPB) issued a notice of proposed rulemaking to
implement Section 1033 of the Dodd-Frank Act. Section 1033 of
Dodd-Frank requires covered persons to make information concerning
a financial product or service that a consumer has obtained from
such person available to the consumer, subject to rules implemented
by the bureau.
The proposed rule would require that certain financial
institutions, card issuers and other payment facilitation providers
make consumer data – including transaction data – more
readily available to consumers and authorized third parties. It
also would place consumer protection obligations on these entities,
as well as on third parties authorized to collect and use that
data.
Who would be required to provide data under the rule?
The proposed rule would apply to “data providers”
– generally, financial institutions that offer consumer
deposit accounts subject to the Electronic Funds Transfer Act
(EFTA), credit card issuers subject to the Truth in Lending Act
(TILA) and entities that offer related payment facilitation
products and services. As a result, most banks would be covered, as
would digital wallet providers and neobanks. Entities without
consumer-facing digital banking interfaces, as of the rule’s
compliance date, would be excluded from coverage.
What data would be covered by the rule?
Under the proposal, data providers would be responsible for
providing consumer and authorized third-party access to
“covered data,” which would include 24 months of
transaction data, certain account information (e.g., account
balance, upcoming bills, basic account verification), information
to initiate payment to and from accounts, and the terms and
conditions under which the account or card was provided (e.g., APR,
reward program terms, etc.).
Confidential commercial information, information collected
solely to prevent fraud, money laundering, and other unlawful
conduct, information required by law to be kept confidential, and
information that cannot be retrieved in the ordinary course of
business would not be subject to the rule’s requirements.
How would data providers be obligated to make covered data
available?
The proposal would require that data providers maintain consumer
interfaces and establish and maintain developer interfaces to allow
consumer and third-party access to data.
The proposed rule would prohibit data providers from imposing
any fees or charges on consumers or authorized third parties for
establishing and maintaining – or making data available
through – the interfaces. It also would require providers to
publicly disclose (e.g., on a website) developer interface and
contact information to facilitate access and provide a method to
address questions.
Importantly, with respect to their developer interfaces, the
proposed rule also would require that data providers:
- Not rely on screen scraping – a technology that leverages
consumer credentials to log into accounts to retrieve data, meaning
such interfaces would likely take the form of application program
interfaces (APIs). - Make covered data available in a standardized format based on
“qualified industry standards,” or in a format
“widely used by the developer interfaces of other similarly
situated data providers with respect to similar data and [that] is
readily usable by authorized third parties.” - Make data available, through such interfaces, after obtaining
information sufficient to authenticate the third party and
consumer, confirming that the third party has obtained consumer
authorization and verifying the scope of the data request. - Not unreasonably restrict the frequency with which they accept
and respond to data requests. - Ensure their developer interfaces perform at a
“commercially reasonable” level – including that
such interfaces have a data access request response rate,
calculated consistent with the rule, of at least 99.5%. - Apply an information security program to the interface that
complies with the Gramm-Leach-Bliley Act (GLBA) or, if not subject
to the GLBA, the information security program requirements of the
Federal Trade Commission’s (FTC) Safeguards Rule.
What obligations would be imposed on third parties authorized
to access and collect consumers’ data?
The proposed rule would require authorized third parties to
implement safeguards around the collection, use and retention of
such data. In order to access consumers’ covered data, the
proposed rule would, for example, require authorized third parties
to:
- Provide the consumer with a comprehensive authorization
disclosure. - Certify to the consumer – within the authorization
disclosure – that the third party agrees to limit the
collection, use and retention of covered data, and apply to that
collection, use and retention a GLBA-compliant information security
program or, if not subject to the GLBA, the information security
requirements of the FTC Safeguards Rule. - Obtain the consumer’s “express informed consent”
to key terms of access through a signed authorization disclosure,
either electronically or in writing. - Provide the consumer with a signed copy or otherwise agreed to
copy of the authorization disclosure and the third party’s
contact information in case of any questions.
As reflected by the certification requirement identified above,
the proposed rule would only permit third parties to collect, use
and retain data as “reasonably necessary” to provide the
consumer with the requested product or service. Third parties would
therefore be prohibited from using data for most other purposes,
including for targeted advertising, cross-selling products or
services, or sale to data brokers.
Additional limitations on authorized third parties include a
requirement to obtain reauthorization from consumers to continue to
collect data after one year. Third parties that fail to obtain
reauthorization would be required to delete previously collected
data unless that data is reasonably necessary to provide the
product or service requested by the consumer.
What role do data aggregators play – and what obligations
do they have – with respect to the collection of covered
data?
The proposed rule also would allow third parties to use
“data aggregators” – generally fintechs –to
access covered data, subject to disclosure and certification
requirements. The authorization disclosure presented by a third
party to the consumer would need to identify any aggregators used
by the third party.
Like authorized third parties, data aggregators also would need
to certify to the consumer – either as part of the authorized
third party’s disclosure or separately – that they agree
to comply with the rule’s data access conditions and
restrictions. The authorized third party, however, would ultimately
be responsible for compliance with the proposed rule’s
authorization procedures.
Looking ahead
CFPB Director Rohit Chopra stated that the
proposed rule is meant to “accelerate much-needed competition
and decentralization in banking and consumer finance” while at
the same time providing “strong data protections to prevent
misuse and abuse of personal financial data.” This commentary,
and the rule itself, align with the continued CFPB refrain to
industry about the consumer benefits of increasing competition
within the banking markets while ensuring robust controls in
protecting consumer data. This includes commitments from the CFPB to pursue insufficient
data protection or security as a violation of the Consumer
Financial Protection Act’s prohibition on unfair, deceptive or
abusive acts and practices. Indeed, the press release accompanying the proposed
rule adopts the same aggressive tone the industry has come to
expect from the CFPB, with references to eliminating “data
hoarding” and empowering consumers to access information
absent junk fees.
The rule also establishes clear record requirements designed to
facilitate supervision and enforcement of compliance with the rule
not just by the CFPB, but also by “Federal and State banking
regulators, State attorneys general, and other government agencies
that supervise data providers.”
Entities that come within the scope of the proposed rule should
take note and begin to evaluate how it might impact their
processes. For example, entities that the rule would treat as
authorized third parties may want to consider the potential
implications of needing to align their information security
practices to the FTC’s Safeguards Rule if not subject to the
GLBA.
Those entities currently outside the scope of the proposed rule
should also pay attention. As highlighted in the press release,
this is just the first proposal to implement Section 1033. The
“CFPB intends to cover additional products and services in
future rulemaking.” To that end, the CFPB is seeking comment
on whether electronic benefit transfer (EBT) cards, otherwise
exempt from EFTA coverage, should be included in the scope of the
proposed rule and also whether historical information should be
made available for more categories of covered data.
In terms of next steps, comments on the proposed rule are due on
or before December 29, 2023. The bureau stated that it will seek to
finalize the rule by fall 2024.
Please join us for a webinar to discuss the latest updates
concerning the CFPB’s proposed open banking rule. Register here.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
