On October 19, 2023, the Consumer Financial Protection Bureau (CFPB) released a proposal on Personal Financial Data Rights (the “Proposed Rule”). The Proposed Rule, intended to accelerate a shift towards open banking in the United States,[1] establishes a comprehensive regulatory framework by providing consumers and their authorized third parties with rights to receive structured, consistent and timely access to consumers’ personal financial data held by financial institutions, and by imposing limitations on authorized third parties’ collection, use and retention of that data.
The Proposed Rule implements Section 1033 of the Dodd-Frank Act,[2] which requires a covered person to, upon request, make available to a consumer information concerning products or services obtained by the consumer, including information about the consumer’s account or transactions, in electronic form, subject to rules published by the CFPB. Comments on the Proposed Rule will be accepted through December 29, 2023.
Background
Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act states that, “[s]ubject to rules prescribed by the Bureau, a covered person shall make available to a consumer, upon request, information in the control or possession of the covered person concerning the consumer financial product or service that the consumer obtained from such covered person, including information relating to any transaction, series of transactions, or to the account including costs, charges and usage data.”
The CFPB had taken several preliminary steps to implement Section 1033, such as issuing requests for information and an advance notice of proposed rulemaking.[3] However, the Proposed Rule is the first detailed explanation of how the CFPB envisions Section 1033 operating.
Who would be required to comply with a final rule?
The Proposed Rule identifies three primary actors in the personal financial data ecosystem: data providers, authorized third parties and data aggregators.
- Data providers are card issuers, financial institutions, or other entities that control or possess information concerning a covered consumer financial product or service that the consumer obtained from the data provider. Although Section 1033, by its terms, applies to all consumer financial products or services under the Dodd-Frank Act,[4] the Proposed Rule contemplates initially limiting the scope of covered consumer financial products or services (and thus, entities that are considered data providers) to (i) Regulation E accounts, (ii) Regulation Z credit cards and (iii) payment facilitation services from a Regulation E account or Regulation Z credit card. The CFPB noted the initial scope of coverage is intended to prioritize some of the most beneficial use cases of personal financial data access; however, the CFPB intends to extend coverage to other consumer financial products and services, including products such as mortgage, auto and student loans, in future rulemakings.
- Authorized third parties are third parties that have satisfied the authorization requirements under the Proposed Rule and are thus permitted to access covered data on behalf of a consumer.
- Data aggregators are entities that are retained by authorized third parties as service providers to assist with accessing covered data on behalf of a consumer.
What kinds of data must be made available under the rule?
A data provider is required to make covered data available to a consumer and an authorized third party. Under the Proposed Rule, covered data means, as applicable:
- Transaction information, including at least two years of historical transaction information;
  - Transaction information includes amount, date, payment type, pending or authorized status, payee or merchant name, rewards credits, and fees or finance charges.
- The consumer’s account balance;
- Information to initiate payment to or from a Regulation E account, which may, for a tokenized account, include the tokenized identifiers and routing numbers to initiate an ACH transaction;
- Terms and conditions of the account;
  - Terms and conditions include the applicable fee schedule, any annual percentage rate or annual percentage yield, rewards program terms, whether a consumer has opted into overdraft coverage, and whether a consumer has entered into an arbitration agreement.
- Upcoming bill information, including information about third-party bill payments scheduled through the data provider and any upcoming payments due from the consumer to the data provider; and
- Basic account verification information, which is limited to the name, address, email address, and phone number associated with the product or service.
In providing covered data, the data provider must make available the most recently updated data that it has at the time of a request. Notably, the Proposed Rule provides that a data provider must make available information on debit card transactions that have been authorized, but have not yet settled.
Data providers are not required to make available (i) confidential commercial information, including algorithms used to derive credit scores or other types of risk scores; (ii) information collected for the sole purpose of preventing fraud or money laundering, or for detecting or reporting other potentially unlawful conduct; (iii) information required to be kept confidential under other applicable law, provided that the exception does not apply to the consumer’s own information merely because it is subject to privacy protections; or (iv) information that is not retrievable in the ordinary course of business.
How must the data be made available?
Data providers are required both to maintain consumer interfaces (e.g., online banking) and to establish and maintain developer interfaces (e.g., application programming interfaces (APIs)) through which the data provider receives and responds to requests from authorized third parties. For specific requests, data providers must also make available machine-readable files containing covered data suitable for loading into a consumer’s or an authorized third party’s own systems. Data providers are prohibited from charging fees to either consumers or authorized third parties to access the interfaces.
The Proposed Rule would prohibit the common practice of “screen scraping,” in which a third party obtains a consumer’s login credentials and uses those credentials to access a financial institution’s online banking or similar interface, and to automatically “scrape” the information presented. Instead, data providers would be required to make covered data available in a standardized format (either set forth in a qualified industry standard, discussed below, or in another widely used format) and would be prohibited from sharing credentials between the consumer and developer interfaces.
In addition to providing standardized access to covered data, developer interfaces must meet certain minimum performance standards—such as thresholds for response times and downtime—and must be covered by an information security program that satisfies the Gramm-Leach-Bliley Act’s (GLBA) Safeguards Framework (for financial institutions subject to the GLBA) or the FTC’s Safeguards Rule (for financial institutions not subject to the GLBA). Data providers are required to establish and maintain reasonable written policies and procedures, appropriate for the size, nature and complexity of the data provider’s activities, to achieve the objectives of the Proposed Rule.
What restrictions apply to third parties’ access to and use of the data?
For a third party to become an authorized third party capable of accessing covered data on behalf of a consumer, it must first obtain the consumer’s “express informed consent” by obtaining a signed authorization disclosure (which may be electronic) that is clear, conspicuous, and segregated from other materials and provides:
- The names of the third party and the data provider for which access is sought;
- A description of the service to be provided by the third party, and the categories of data that will be accessed;
- A certification that the third party will comply with specific obligations (discussed below) related to collection, use and retention of data, access to data, data accuracy, and data security; and
- A description of the process through which the consumer can revoke the third party’s access.
A data provider may reasonably deny a third party access to covered data based on risk management concerns. For a denial to be reasonable, it must be directly related to a specific risk of which the data provider is aware, such as the failure to maintain adequate data security, and must be applied in a consistent and non-discriminatory manner. A data provider has a reasonable basis for denying access if:
- A third party does not present evidence that its data security practices are adequate, or
- A third party does not make available certain information authenticating its identity.
Authorized third parties are subject to a number of obligations related to their access to covered data on behalf of a consumer, including:
- Restrictions on collection, use and retention. Authorized third parties must limit collection, use and retention of covered data to only what is reasonably necessary to provide the requested product or service (i.e., the service identified in the authorization disclosure). In particular, authorized third parties are prohibited from using covered data for targeted advertising or cross-selling, and from selling covered data. Authorized third parties are required to limit collection, use, or retention of covered data to one year, subject to annual reauthorization by the consumer, and to no longer use or retain information after authorization expires and is not renewed.
- Requirements to ensure data accuracy. Authorized third parties must maintain policies and procedures to ensure that the authorized third party accurately receives data from data providers and that any data relayed to another third party is done so accurately.
- Information security requirements. Similar to the requirements for developer interfaces described above, systems for the collection, use or retention of covered data must be covered by an information security program that satisfies the GLBA Safeguards Framework (for those financial institutions subject to the GLBA) or the FTC’s Safeguards Rule (for those financial institutions not subject to the GLBA).
- Communication requirements. Authorized third parties must ensure that the consumer is informed as to the status of their authorization. An authorized third party must make available to the consumer a copy of the authorization disclosure, provide contact information for the third party in case the consumer has questions, and, upon request, provide specific information regarding the third party’s collection and use of the consumer’s information.
- Revocation requirements. Authorized third parties must provide a means for the consumer to easily revoke the third party’s access to covered data and, upon such revocation, must (i) notify the data provider and any data aggregator or other third party recipients of covered data and (ii) no longer collect, use or retain covered data under the prior authorization.
As with data providers, authorized third parties are required to maintain reasonable written policies and procedures to ensure compliance with certain requirements, including ensuring data accuracy, responding to consumer information requests and retaining records to evidence compliance with the Proposed Rule.
Where an authorized third party uses a data aggregator to assist in accessing covered data, the data aggregator must be disclosed in the authorization disclosure, and the data aggregator must comply with the conditions and obligations described above. Notwithstanding the involvement of a data aggregator, the authorized third party remains responsible for compliance.
How does the rule incorporate (or seek to establish) industry standards?
Notably, the Proposed Rule does not set forth detailed technical standards for compliance. The CFPB acknowledged that such detailed standards would not be able to keep pace with changes in the market and technology. Instead, the Proposed Rule leans on compliance with qualified industry standards to satisfy certain requirements (e.g., the requirement to provide covered data in a standardized format), or to indicate that a requirement has been satisfied (e.g., whether performance is commercially reasonable). Notwithstanding these references, however, the Proposed Rule in certain situations establishes fairly specific minimum thresholds for compliance. For example, although the Proposed Rule provides that a proper response from a developer interface must be “provided by the interface within a commercially reasonable time” and that meeting the performance specifications of a qualified industry standard is an indication of such compliance, the proposal provides that a response time more than 3,500 milliseconds (3.5 seconds) cannot be considered commercially reasonable.
For a standard to be accepted as a qualified industry standard, it must be issued by a standard-setting body that is “fair, open and inclusive,” which the Proposed Rule defines as one that meets specific requirements for openness, balance of decision-making power, due process and appeals, consensus, and transparency, and that has been recognized by the CFPB as an issuer of qualifying industry standards. The CFPB has requested comments on the approach it should take to determining whether and when a standard-setting body should be recognized and intends to provide subsequent guidance on this point.
When must a covered person comply with the rule?
Once a final rule is published in the Federal Register, data providers would be required to comply with its requirements on a staggered schedule based on asset and revenue thresholds, and whether the data provider is a depository institution or a nondepository institution. Compliance would be required within:
- 6 months, for depository institutions that hold at least $500 billion in assets or for nondepository institutions that generated at least $10 billion in revenues in the prior calendar year, or are projected to generate $10 billion in the current calendar year;
- 1 year, for depository institutions that hold between $50 billion and $500 billion in assets and for all other nondepository institutions;
- 2.5 years, for depository institutions that hold between $850 million and $50 billion in assets; and
- 4 years, for depository institutions that hold less than $850 million in assets.
What are the next steps for the rule?
Comments to the Proposed Rule are due on or before December 29, 2023, and CFPB Director Chopra has stated that the CFPB intends to finalize the rule by Fall 2024.[5] Although this is an accelerated timeline for a rule of this magnitude and complexity, the timing is consistent with the level of importance the CFPB has placed on the Proposed Rule and—potentially more importantly—with the deadline for finalizing the rule before it could be overturned by a new Congress, following the 2024 elections, under the Congressional Review Act’s disapproval procedure.
[1] See CFPB Proposes Rule to Jumpstart Competition and Accelerate Shift to Open Banking, CFPB (Oct. 19, 2023), https://www.consumerfinance.gov/about-us/newsroom/cfpb-proposes-rule-to-jumpstart-competition-and-accelerate-shift-to-open-banking/.
[2] 12 U.S.C. § 5533.
[3] See Required Rulemaking on Personal Financial Data Rights, CFPB (Oct. 31, 2023), https://www.consumerfinance.gov/personal-financial-data-rights/.
[4] 12 U.S.C. § 5533(a).
[5] Prepared Remarks of CFPB Director Rohit Chopra on the Proposed Personal Financial Data Rights Rule, CFPB (Oct. 19, 2023), https://www.consumerfinance.gov/about-us/newsroom/prepared-remarks-of-cfpb-director-rohit-chopra-on-the-proposed-personal-financial-data-rights-rule/.