CFPB Proposes Financial Data and Open Banking Rule // Cooley // Global Law Firm

On October 19, 2023, the Consumer Financial Protection Bureau (CFPB) issued a notice of proposed rulemaking to implement Section 1033 of the Dodd-Frank Act. Section 1033 of Dodd-Frank requires covered persons to make available to a consumer information about a financial product or service that the consumer has obtained from such person, subject to rules implemented by the Bureau.

The proposed rule would require certain financial institutions, card issuers, and other payment facilitation providers to make consumer data, including transaction data, more readily available to consumers and authorized third parties. It would also impose consumer protection obligations on these entities, as well as third parties authorized to collect and use that data.

Who would be required to provide data under the standard?

The proposed rule would apply to "data providers": generally, financial institutions that offer consumer deposit accounts subject to the Electronic Funds Transfer Act (EFTA), credit card issuers subject to the Truth in Lending Act (TILA), and entities that offer related payment facilitation products and services. As a result, most banks would be covered, as would digital wallet providers and neobanks. Entities without consumer-oriented digital banking interfaces, as of the rule's compliance date, would be excluded from coverage.

What data would be covered by the standard?

Under the proposal, data providers would be responsible for providing consumers and authorized third parties with access to "covered data," which would include 24 months of transaction data, certain account information (e.g., account balance, upcoming bills, basic account verification), information to initiate payments to and from accounts, and the terms and conditions under which the account or card was provided (e.g., APR, rewards program terms, etc.).

Confidential business information, information collected solely to prevent fraud, money laundering and other illegal conduct, information that is required by law to be kept confidential, and information that cannot be retrieved in the normal course of business would not be subject to the requirements of the rule.

How would data providers be required to make covered data available?

The proposal would require data providers to maintain consumer interfaces and establish and maintain developer interfaces to allow consumer and third-party access to data.

The proposed rule would prohibit data providers from imposing fees or charges on consumers or authorized third parties for establishing and maintaining (or making data available through) interfaces. It would also require data providers to publicly disclose (for example, on a website) developer interface documentation and contact information to facilitate access and provide a method for addressing questions.

Importantly, with respect to their developer interfaces, the proposed rule would also require data providers to:

  • Not rely on screen scraping, a technique that uses consumer credentials to log into accounts and retrieve data, meaning such interfaces would likely take the form of application programming interfaces (APIs).
  • Make the covered data available in a standardized format based on "qualified industry standards" or in a format "widely used by the developer interfaces of other data providers in similar situations with respect to similar data and [that] is easily usable by authorized third parties."
  • Make the data available, through such interfaces, only after obtaining sufficient information to authenticate the third party and the consumer, confirming that the third party has obtained the consumer's authorization, and verifying the scope of the data request.
  • Not unreasonably restrict the frequency with which they accept and respond to data requests.
  • Ensure that their developer interfaces operate at a "commercially reasonable" level, including that such interfaces have a response rate to data access requests, calculated in accordance with the rule, of at least 99.5%.
  • Apply to the interface an information security program that complies with the Gramm-Leach-Bliley Act (GLBA) or, if not subject to GLBA, the information security program requirements of the Federal Trade Commission (FTC) Safeguards Rule.

What obligations would be imposed on third parties authorized to access and collect consumer data?

The proposed rule would require authorized third parties to implement safeguards around the collection, use and retention of such data. To access covered consumer data, the proposed rule would require, for example, authorized third parties to:

  • Provide the consumer with a complete authorization disclosure.
  • Certify to the consumer, within the authorization disclosure, that the third party agrees to limit the collection, use and retention of covered data, and to apply to that collection, use and retention a GLBA-compliant information security program or, if not subject to GLBA, the information security requirements of the FTC Safeguards Rule.
  • Obtain the consumer's "express informed consent" to key access terms through a signed authorization disclosure, either electronically or in writing.
  • Provide the consumer with a signed or otherwise agreed-upon copy of the authorization disclosure and the third party's contact information if they have any questions.

As reflected by the certification requirement identified above, the proposed rule would only allow third parties to collect, use, and retain data as "reasonably necessary" to provide the consumer with the requested product or service. Third parties would therefore be prohibited from using data for most other purposes, including targeted advertising, cross-selling products or services, or selling to data brokers.

Additional limitations on authorized third parties include the requirement to obtain consumer reauthorization to continue collecting data after one year. Third parties that do not obtain reauthorization must delete previously collected data, unless that data is reasonably necessary to provide the product or service requested by the consumer.

What role do data aggregators play (and what obligations do they have) with respect to the collection of covered data?

The proposed rule would also allow third parties to use "data aggregators" (generally fintechs) to access covered data, subject to disclosure and certification requirements. The authorization disclosure presented by a third party to the consumer would need to identify the aggregators used by the third party.

Like authorized third parties, data aggregators would also need to certify to the consumer (either as part of the authorized third party disclosure or separately) that they agree to comply with the rule's data access conditions and restrictions. However, the authorized third party would ultimately be responsible for compliance with the authorization procedures of the proposed rule.

Looking to the future

CFPB Director Rohit Chopra said that the proposed rule aims to "accelerate much-needed competition and decentralization in banking and consumer finance" while providing "robust data protections to prevent misuse and abuse of personal financial data." This comment, and the rule itself, align with the CFPB's consistent refrain to the industry about the consumer benefits of increased competition within banking markets while ensuring robust controls to protect consumer data. This includes CFPB commitments to pursue insufficient data protection or security as a violation of the Consumer Financial Protection Act's prohibition on unfair, deceptive, or abusive acts and practices. Indeed, the press release accompanying the proposed rule takes the same aggressive tone the industry has come to expect from the CFPB, with references to eliminating "data hoarding" and empowering consumers to access information without junk fees.

The rule also establishes clear recordkeeping requirements designed to facilitate oversight and enforcement of compliance with the rule not only by the CFPB, but also by "federal and state banking regulators, state attorneys general, and other government agencies that oversee data providers."

Entities that fall within the scope of the proposed rule should take note and begin to evaluate how it could impact their processes. For example, entities that the rule would treat as authorized third parties may want to consider the potential implications of needing to align their information security practices with the FTC Safeguards Rule if they are not subject to the GLBA.

Those entities that are currently outside the scope of the proposed rule should also pay attention. As highlighted in the press release, this is only the first proposal to implement Section 1033. The "CFPB intends to cover additional products and services in future rulemaking." To that end, the CFPB is seeking comments on whether electronic benefit transfer (EBT) cards, which would otherwise be exempt from EFTA coverage, should be included in the scope of the proposed rule, and also whether historical information should be made available for more categories of covered data.

In terms of next steps, comments on the proposed rule are due by December 29, 2023. The Bureau stated that it will seek to finalize the rule by fall 2024.
