
What to Know: CFPB Anticipated to Finalize Rule on Personal Financial Data Rights This Month

Weston Loyd

What’s Happening

At the end of October, the Consumer Financial Protection Bureau (CFPB) is expected to issue a final rule implementing Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act). If finalized as proposed, this long-awaited rule – referred to by some as an “open banking” rulemaking – would require data providers, including banks, to share consumers’ data with several different third parties.

CBA supports the underlying principles of open banking and how they may enhance the consumer experience. Nevertheless, CBA has filed a comment letter that raises concerns about the Bureau’s inaccurate assertion that the Section 1033 rulemaking, and open banking in general, are necessary to increase competition in the marketplace. In our comment letter, CBA raised concerns about several fundamental premises of the CFPB’s rulemaking, including the CFPB’s inadequate justifications for the rulemaking, the CFPB’s statutory authority, important deviations from other jurisdictions’ approach to similar issues, and the CFPB’s flawed cost-benefit analysis.

Momentarily setting aside those more fundamental concerns, we want to highlight a few of the many issues that CBA will be looking for in the CFPB’s Final Rule that may impact our members.

What to Look for in the Final Rule

  1. Compliance Timelines. CBA will be looking to see whether the CFPB gives industry sufficient time to appropriately comply with the new rule’s many requirements. As proposed in the notice of proposed rulemaking (NPRM) issued in October 2023, the largest depository institutions would be required to comply with the final rule within six months after publication. CBA has consistently cautioned that these timelines are not feasible, even for the most sophisticated institutions, and that a compliance date of at least two years from issuance of a final rule for the largest institutions would be more appropriate.
  2. Sharing of Payments Information. CBA will be reviewing the categories of data swept into the final rule to determine whether the CFPB has removed the requirement that payment initiation information be shared. CBA has cautioned the CFPB against including the sharing of payment initiation information in the scope of its rulemaking. Sharing this information may make third parties an increased target for data breaches, and compromised credentials could be used to initiate fraudulent transactions.
  3. Fee Prohibitions. CBA will be examining whether the CFPB’s proposed prohibition on recovering costs remains in the final rule. If the NPRM is finalized as proposed, institutions would be prohibited from imposing any fees or charges on third parties accessing customer data. CBA has emphasized that data providers should be allowed to recover costs of development and maintenance of the new interfaces for accessing data through reasonable and proportional fees to third parties and data aggregators accessing consumer data. Indeed, European regulators have expressly clarified that such “reasonable compensation from data users” would be appropriate in their versions of “open banking” regulation.
  4. Minimum Performance Specifications. CBA will review the final rule to determine if the CFPB has removed or altered its onerous minimum performance specifications. In the NPRM, the CFPB set out various highly specific performance requirements for the interface third parties will be using to access consumer data. For example, the interface would need to have a response time of no more than 3,500 milliseconds and a response rate no less than 99.5 percent. CBA had cautioned the CFPB against setting numerical standards for technologies in the final rule.
  5. Secondary Use Limitations. CBA will be looking to see whether the CFPB has expanded, narrowed, or removed the proposed rule’s limitations on secondary use of data. The NPRM proposed to prohibit the secondary use of consumer data by third parties for targeted advertising, cross-selling of other products or services, and the sale of data. Even understanding how to determine what constitutes “primary” or “secondary” use is still an area where industry has broadly sought clarity from the CFPB.
  6. Institution Carve Outs. Upon release of the final rule, members should determine whether any institutional carve outs have been added. The NPRM did not contain a carve out from obligations under a final rule for small financial institutions. Instead, the proposal contained a staggered set of compliance deadlines, in which the smallest institutions would have four years to comply.

Issues CBA Has Expressed Concerns About, but Does Not Expect to be Addressed in the Final Rule

  1. Screen Scraping Prohibition. The NPRM did not contain an express prohibition of screen scraping, which is when a third party uses consumer credentials to log into a consumer’s account to retrieve data. CBA has long advocated for the practice of screen scraping to be sunsetted. However, it would be a significant deviation from the NPRM if the final rule were to contain an express prohibition of screen scraping.
  2. Liability Framework. The NPRM presupposed that existing liability frameworks, specifically the Electronic Fund Transfer Act and its implementing regulation, Regulation E, along with bilateral contracts, would be adequate for allocating liability among all of the new parties that would be accessing consumer data. CBA has continuously cautioned that this is not correct. Particularly in light of the rising rates of scams and fraud, current protections do not sufficiently map onto third parties and data aggregators, who are the parties with the greatest ability to prevent consumer harm stemming from access to their data.
  3. Scope of Coverage. In our response to the NPRM, CBA recommended that the CFPB broaden the scope of coverage to include not just asset accounts and credit card accounts, but also credit products like auto loan accounts and non-bank credit alternatives, like Buy Now Pay Later products and Electronic Benefit Transfer cards.

What’s Next

CBA has consistently sought to ensure a durable, efficient, and practicable rule implementing Section 1033 of the Dodd-Frank Act. Upon the release of the final rule next month, CBA will share with members a summary of the significant developments in the rule and host a webinar to answer member questions on the rule.   

CBA Advocacy

  • To read CBA’s July 2024 letter with several other trades to the CFPB urging the CFPB to expand the timeframes for compliance with the final rule, click HERE.
  • To read CBA’s May 2024 op-ed on the CFPB’s authority to advance “open banking” through Dodd-Frank Act Section 1033, click HERE.
  • To read CBA’s recommendations to the CFPB to strengthen its open banking rulemaking from January 2023, click HERE.
  • In a blog released earlier this year, CBA outlined how the Bureau’s anti-competitive approach to implement Section 1033 could put the safety of consumers and the security of the sensitive financial data at risk. To learn more, click HERE.
  • To read CBA’s comment letter responding to the Section 1033 SBREFA Outline, click HERE.
  • CBA and several other financial trade groups also submitted a petition to the CFPB in August 2022 urging the Bureau to examine all large data aggregators and users for compliance through the requirements outlined in the Section 1033 rulemaking. To read the full petition, click HERE.
