CFPB Proposes New Rules on Personal Financial Data Access
On October 19, 2023, the Consumer Financial Protection Bureau (“CFPB”) released its Proposed Rule on Personal Financial Data Rights (“Proposed Rule”), issued under Section 1033 of the Consumer Financial Protection Act of 2010, for public comment. The CFPB proposes to establish a framework that would allow consumers to authorize third-parties to collect their personal financial data safely, enabling access to products and services offered primarily by Fintechs. The Proposed Rule aims to empower consumers by making it easier to choose the best financial products and services, to improve consumer control over their financial data, and to prevent companies from misusing it.
Key Features of the Proposed Rule: (a) enhanced consumer control; (b) standardized data access; (c) data security measures; (d) scope and compliance; and (e) potential implications.
The CFPB said the Proposed Rule on Personal Financial Data Rights represents a pivotal step towards empowering consumers with greater control over their financial data. By establishing clear guidelines and standards, the rule aims to foster innovation in financial services while ensuring robust protections for consumer information.
Affected Parties Under the Proposed Rule.
The Proposed Rule would change how consumer financial data is accessed and used. It would establish obligations governing how banks and nonbanks provide consumers and authorized third-parties with certain data relating to consumers’ transactions and accounts, and governing third-parties’ access to that data. The affected parties under the Proposed Rule are the subset of “covered persons” that provide asset accounts subject to the Electronic Fund Transfer Act and Regulation E, credit cards subject to the Truth in Lending Act and Regulation Z, and related payment facilitation products and services.
- Affected Parties. The Proposed Rule targets “covered persons” such as banks, credit card issuers, digital wallet providers, and other entities offering consumer financial products or services. These entities would be obliged to provide consumers and authorized third-parties with certain data related to transactions, accounts, and other financial services.
- Covered Data Providers. This category includes financial institutions, card issuers, digital wallet providers, and other entities that possess or control consumer financial data. These providers must have a “consumer interface” to receive and distribute covered data electronically to consumers and authorized third-parties.
- Definitions Clarified:
  - Consumer. Refers to individuals, including those using trusts for tax or estate planning.
  - Third-Party. Any entity other than the consumer or data provider seeking access to covered data.
  - Authorized Third-Party. Entities accessing consumer data on behalf of the consumer, complying with specified authorization procedures.
  - Data Aggregator. Entities retained by authorized third-parties to facilitate access to covered data, subject to consumer-certified conditions.
- Exceptions and Compliance. Depository institutions without a consumer interface by the compliance date are exempted from being covered data providers. The rule emphasizes consumer privacy and control over their financial information, ensuring transparency and secure data handling practices.
- Implications for Consumers. If enacted, the Proposed Rule aims to enhance consumer control and choice in managing their financial data. It seeks to standardize data access across financial services while protecting consumer privacy rights and promoting innovation in fintech.
Proposed Covered Products, Services, and Data Under the Proposed Rule.
The Proposed Rule outlines which consumer financial products and services fall under its regulatory scope, along with the specific data that may be accessed and shared. Here are the key points simplified:
- Covered Consumer Financial Products or Services. Under the Proposed Rule, covered consumer financial products or services include:
  - Accounts. Such as checking, savings, or other consumer asset accounts primarily used for personal, family, or household purposes.
  - Credit Cards. Defined broadly to include any card or single credit device used for obtaining credit, including hybrid prepaid cards.
  - Payment Facilitation. Services enabling payments from accounts regulated under Regulation E or credit cards under Regulation Z.
- Covered Data. The Proposed Rule defines covered data that may be accessed and shared by financial institutions and other covered entities. This includes:
  - Transaction Information. Payment details, dates, types, pending status, payee information, rewards, and fees.
  - Account Balances.
  - Payment Initiation Information.
  - Terms and Conditions. Fee schedules, APR/APY rates, rewards program details, overdraft coverage, and arbitration agreements.
  - Upcoming Bills. Scheduled third-party payments and upcoming consumer obligations.
  - Basic Account Verification. Limited to essential consumer information like name, address, email, and phone number.
- Exclusions from Covered Data. Not all data falls under the Proposed Rule’s scope. Excluded data categories include:
  - Confidential Commercial Information.
  - Fraud Prevention and Detection Data.
  - Information protected by other legal provisions.
  - Data inaccessible in the ordinary course of business.
- Implications for Consumers. If enacted, the Proposed Rule aims to standardize access to and protection of consumer financial data, ensuring transparency and control for consumers while promoting secure data practices across the financial sector.
Key Requirements Proposed for Covered Data Providers Under the Proposed Rule.
The Proposed Rule could significantly impact how financial data is accessed and managed. Here’s a simplified breakdown of what these regulations mean for covered data providers and their interactions with consumers and authorized third-parties:
- Making Covered Data Accessible. Covered data providers must make consumer financial data available in electronic form upon request. This includes transaction details, account balances, payment information, terms and conditions, and basic verification data. The data must be accessible through designated consumer or developer interfaces in a standardized format. However, access can be denied if there are valid risk management concerns.
- Exceptions to Data Accessibility. There are specific exceptions where data providers may withhold information, such as protecting confidential commercial information, preventing fraud or money laundering, complying with legal confidentiality requirements, or when data retrieval is not feasible in normal business operations.
- Interface Standards and Performance. Data providers must establish and maintain interfaces that meet standardized format, security, and performance requirements. These interfaces must be accessible and responsive, with performance metrics publicly disclosed. Responses to consumer and third-party requests must adhere to specified response rates and industry standards.
- Responding to Requests. Providers must respond promptly to requests for covered data from consumers and third-parties, ensuring authentication and authorization procedures are met. Denials must be documented and communicated promptly, citing reasons such as risk concerns or technical issues.
- Prohibited Fees. Providers cannot charge fees for establishing or maintaining required interfaces, or for responding to data requests as mandated by the Proposed Rule.
- Information Accessibility and Disclosure. Providers must make identifying information accessible to the public in both human-readable and machine-readable formats. They are also required to disclose details about their developer interfaces and minimum performance standards.
- Policies, Procedures, and Record Retention. Providers must maintain written policies and procedures to ensure compliance with the Proposed Rule, accurate data availability, and record retention.
- Security Safeguards. Data providers and third-parties must implement robust information security programs compliant with applicable regulations, such as those under the Gramm-Leach-Bliley Act (“GLBA”) or the Safeguards Rule. This includes entities regulated by federal banking agencies and non-bank financial institutions.
- Implementation Challenges. Entities not yet compliant with GLBA’s security requirements may face challenges in implementing the proposed regulations, such as multifactor authentication, encryption of customer information, and continuous monitoring of security controls.
Key Provisions Proposed for Authorized Third-Parties and Data Aggregators Under the Proposed Rule.
The Proposed Rule will affect authorized third-parties and data aggregators, aiming to enhance consumer control and security over financial data. Here’s a simplified overview of the proposed provisions:
- Authorization Procedures. Authorized third-parties must obtain explicit consumer consent to access covered data. This includes providing a detailed authorization disclosure outlining the data to be accessed, the purpose, and the duration of access. Consumers must sign this disclosure electronically or in writing.
- Third-Party Obligations. Third-parties must adhere to strict obligations, including limiting data collection, maintaining accurate data transmission policies, and implementing robust information security programs compliant with the Gramm-Leach-Bliley Act. They must also provide consumers with copies of authorization disclosures and mechanisms to easily revoke data access.
- Limitations on Data Use. The Proposed Rule restricts third-parties from using covered data for purposes beyond what was authorized by the consumer. This includes targeted advertising, cross-selling, or data sales, ensuring that data is used solely for the intended product or service.
- Data Collection and Retention Limits. Third-parties are required to limit the collection of consumer data to what is necessary for the authorized service. Data retention is capped at one year unless reauthorized by the consumer annually. This ensures that data is not held longer than necessary for service provision.
- Use of Data Aggregators. Third-parties can utilize data aggregators to access covered data, provided aggregators comply with authorization procedures and consumer disclosures. Aggregators must certify their adherence to data access conditions directly to consumers.
- Record Retention. Both third-parties and data aggregators must maintain records demonstrating compliance with the Proposed Rule for a minimum of three years after obtaining consumer authorization.
Transactional Issues.
The Proposed Rule could significantly impact data access agreements and practices in the financial sector. Here are the key points to consider:
- Renegotiation of Agreements. The Proposed Rule may necessitate the renegotiation of existing data access agreements among data providers, aggregators, and third-parties. This is crucial to ensure compliance with the new regulatory obligations and to manage associated risks effectively.
- Data Provider/Data Aggregator Relationship. There is ambiguity in the Proposed Rule regarding the relationship between data providers and data aggregators. While it focuses on consumer access to data from providers, clarity on these relationships is essential for the smooth functioning of the open banking ecosystem.
- Limits on Data Use. The Proposed Rule imposes restrictions on how third-parties, including aggregators, can use and retain consumer data. It prohibits uses such as targeted advertising or cross-selling unless explicitly authorized by the consumer. This deviation from current practices underscores the need for consumer consent in data use.
- Impact on Back-End Deals. Section 421(c)(3) of the Proposed Rule allows covered data to be used for processing consumer-requested services. However, its implications for back-end deals, such as acquiring or processing networks, remain unclear and warrant further examination.
Applicability of Other Laws.
As the CFPB proposes new rules on financial data access, it’s important to understand how existing laws apply:
- Electronic Fund Transfer Act (“EFTA”). Under the proposed rule, consumers retain their rights under the EFTA to address errors with their financial institutions regarding unauthorized transfers. This includes obligations for institutions like digital wallet providers and neobanks to resolve errors promptly. While consumers are protected from liability under EFTA and Regulation E, institutions may seek reimbursement through private network rules and contracts. The CFPB’s proposed measures aim to enhance data security and privacy, encouraging safer practices in data sharing.
- Fair Credit Reporting Act (“FCRA”). When consumer data pertains to creditworthiness and is used for permissible purposes under the FCRA, such as loan underwriting, data aggregators are subject to FCRA regulations if they assemble or evaluate such data for third-party reports. This regulation ensures that entities engaging in credit reporting activities adhere to strict standards to protect consumers’ financial information.
Enforcement and Liability.
Compliance with the Proposed Rule would be enforced by the CFPB, with some provisions also subject to private causes of action under state or common law.
- Certification Requirements. Under the Proposed Rule, third-parties and data aggregators are required to certify their compliance with specific provisions, including authorization disclosures and maintaining written policies. These certifications empower consumers and regulators to enforce obligations through state consumer protection laws or common law in cases of non-compliance. This ensures that breaches of compliance can lead to legal repercussions under applicable regulations.
- Consumer Protections. While the Proposed Rule emphasizes certification as a tool for enforcement, it does not directly allocate liability among participants in cases of fraud, breaches, or stolen credentials. This means that data providers, third-parties, and data aggregators must still navigate liability issues amongst themselves under state and federal laws. Each participant remains responsible for complying with their legal obligations despite the overarching consumer protection framework.
Effective Dates.
The CFPB proposes that the effective date occur 60 days after the date of the final rule’s publication in the Federal Register, with staggered compliance dates for data providers ranging from six months to four years, based on data providers’ asset size or revenue:
Table: Data Providers | Proposed Compliance Date
Public Feedback and Implementation.
Before finalizing the rule, the CFPB invites public comments to refine and improve the proposed framework. Once implemented, the rule will have staggered compliance dates ranging from six months to four years based on the size and nature of the data provider.
The proposed regulations pose challenges and opportunities for data providers, aggregators, and third-parties alike. Navigating these changes will require careful consideration of contractual obligations, compliance measures, and potential impacts on business operations. Understanding these regulatory frameworks is crucial as the financial industry evolves with new data sharing practices, and stakeholders should stay informed and adapt their practices to align with the evolving regulatory landscape.
This article is for information purposes only. It is not intended to be and should not be relied on as legal advice for any particular matter.
