The CFPB Looks to Increase Competition Through Open Banking

Written by: Cynthia R. Boehmer & Aidan Hallerman

On October 19, 2023, the Consumer Financial Protection Bureau (CFPB) proposed a new Personal Financial Data Rights Rule that it hopes will increase competition in the financial sector. This is the CFPB’s first attempt to exercise its authority under Section 1033 of the Dodd-Frank Bill, which requires the CFPB to implement rules for data sharing and data protection. If enacted, the regulation would hasten the transition to open banking. Under current guidelines, consumers who attempt to switch from one financial institution to another may encounter difficulties.

The CFPB sees this new rule as a step towards eliminating many of the deeply tangled causes of “sticky banking.” By granting customers more power and protection from bad service, while giving smaller “community-based banks” the opportunity to appeal to a new swath of people, the CFPB expects better products and services to emerge.

What Is a Covered Entity & What Data Applies

The rule would require certain financial institutions (as defined under Reg E), card issuers (as defined under Reg Z), or any other person who controls or possesses information concerning a covered consumer, financial product, or service to provide data portability and data access rights to consumers and authorized third parties (collectively referred to as “data providers”).

Covered data is defined as transaction information, including historical transaction information such as account balance, amount, date and type of payment, payment initiation information, terms and conditions, and basic account information. Confidential commercial information, data used to combat fraud, data protected by other sources of law, and data that is not retrievable in the ordinary course of business are exempted from the definition of covered data.

New Obligations for Data Providers

Data providers would be required to maintain a customer interface, as well as establish and maintain a developer interface, to allow consumers and third parties access to data in a machine-readable file that can be retained or transferred for processing in a separate system. No fee or other charge may be imposed for access to this data. The data interface must also allow the provider to receive and respond to requests for covered data, and the provider must develop a security program that protects data consistent with Section 501 of the Gramm-Leach-Bliley Act (GLBA). The rule also serves to limit the practice of data providers allowing third parties to access data using a consumer’s own login credentials, a practice known as screen scraping. In addition to the security program, data providers would be required to establish and maintain written policies and procedures to promote consumer access to their data.

New Obligations for Authorized Third Parties

Authorized third parties would be required under the new rule to implement safeguards around the collection, use, and retention of data. Third parties would be required to:

  1. Obtain express informed consent. Third parties would be required to provide consumers with a clear and conspicuous disclosure that contains the following:
    1. Name of the third party authorized to access covered data;
    2. Name of the data provider that controls or possesses the covered data that the party seeks to access;
    3. Brief description of the product or service that the consumer requested and a statement that the third party will collect, use and retain the consumer’s data only for the purpose of providing that product or service;
    4. Categories of covered data that will be accessed;
    5. Certification that the party will comply with its legal obligations relating to data security, data accuracy, and its collection, use and retention of data;
    6. Description of how the consumer can revoke consent.
  2. Limit the collection, use, and retention of covered data to what is reasonably necessary to provide the requested product or service. The regulation specifically states that targeted advertising, cross-selling of other products or services, and the sale of covered data are not part of, or reasonably necessary to, the provision of the product or service.
  3. Adopt policies and procedures to ensure data accuracy. The third party will have the flexibility to determine its policies and procedures considering the size, nature, and complexity of its activities. The policies and procedures should be periodically reviewed and updated to ensure their effectiveness.
  4. Allow consumers to control their data. The third party must make it easy for consumers to obtain a copy of the disclosure and must provide an easy method of revoking consent.

What Standards Apply?

As with other laws, this regulation does not provide details on the technical standards required for compliance, the CFPB’s reasoning being that such standards would not be able to keep pace with changes in the market and technology. The CFPB suggests that compliance with applicable industry standards issued by a fair, open, and inclusive standard-setting body would indicate compliance with the regulation. This would be a body that meets specific requirements for openness, balance of decision-making power, and due process, as well as appeals, consensus, and transparency. The Bureau requested comments on the approach it should take to determine which standard-setting bodies to recognize, along with guidance on how to ensure that the standards are consistent with the provisions of the final rule.

Compliance Deadlines

Once the final rule is published in the Federal Register, data providers will be required to comply with its requirements on a staggered schedule based on asset and revenue thresholds.

Compliance would be within the following timeframe of the date of publication in the Federal Register:

  1. 6 months for depository institutions that hold at least $500 billion in assets, and for non-depository institutions that generated at least $10 billion in revenue in the prior calendar year or are projected to generate $10 billion in the current calendar year.
  2. 1 year for depository institutions that hold between $50 billion and $500 billion in assets and for all other non-depository institutions.
  3. 5 years for depository institutions that hold between $850 million and $50 billion in assets.
  4. 4 years for depository institutions that hold less than $850 million in assets.

Next Steps

The comment period for the proposed regulation ended on December 29th, and CFPB Director Rohit Chopra stated that the Bureau intends to finalize the rule by Fall 2024. The accelerated pace of this rulemaking process is consistent with the high importance the CFPB has placed on providing consumers more control and minimizing the ability of companies to take customers for granted.

This rule echoes some of the tenets of the privacy laws that states have enacted over the past few years, allowing consumers more control over their data and how it is used. Many of these laws have exempted organizations that must comply with the Gramm-Leach-Bliley Act (GLBA) or that possess GLBA data. It appears that the CFPB is looking to fill in those gaps with its own regulation.

There are some concerns over the high cost of compliance, given the need to develop the APIs necessary for accessing consumer data. These APIs also bring their own security concerns. Some of the entities that collect, store, and sell consumer information are not subject to the same data security and privacy standards as financial institutions, potentially putting the data at risk of a cyber breach. Although the regulation is not expected to be final until later this year, this new rule will have a significant impact on an organization’s consumer data and privacy programs. It is advisable to review how your organization collects and uses data and what changes may be needed when the rule goes into effect.

If you have any questions or concerns about preparing for this new regulation, reach out to our Regulatory Compliance team today!