On October 19, 2023, the Consumer Financial Protection Board (“CFPB”) released a proposed rule that, if enacted, would grant consumers greater access rights to the data their financial institutions hold. Under the proposed Personal Financial Data Rights Rule (the “Proposed Rule”), bank customers nationwide would have privacy rights similar to what is afforded under the dozen state privacy laws that have been enacted in recent years. Comments on the Proposed Rule are due on or before December 29th of this year, while the Proposed Rule would likely go into effect in the fall of 2024.
The Proposed Rule would provide consumers the right to request information related to their account transactions, balances, and third-party bill payments from their financial institutions. Consumers may also request the information used to initiate ACH transactions, information regarding the terms and conditions of the financial products and services (such as applicable fee schedules, APRs, and rewards program terms), and basic account verification information. Notably, the access right excludes information that would constitute confidential business information. Information concerning mortgages, auto loans, and student loans are similarly out of scope of the Proposed Rule, although the CFPB has indicated its intent to broaden the Proposed Rule’s coverage in future rulemaking. Financial institutions must make covered data available in a readily usable electronic form to the consumer and, if applicable, a third-party authorized by the consumer (such as a competing financial institution) upon request at no cost.
The Proposed Rule signals the first step toward the implementation of regulations aimed at “open banking” that were initially required under the 2010 Dodd-Frank Act and is the first proposal to implement Section 1033 of the Consumer Financial Protection Act (the “CFPA”). Under the CFPA, the CFPB was tasked with implementing personal financial data sharing standards and protections (refer to Ballard Spahr’s Consumer Finance Monitor articles and podcast regarding Section 1033 rulemaking here, here, here, and here). By facilitating access to consumers’ personal information and removing certain bureaucratic hurdles currently involved with switching to a new financial services provider, CFPB Director Rohit Chopra noted the Proposed Rule “will help accelerate the shift” to a more decentralized financial market structure while guarding consumers’ personal data against abuse and misuse.
Although there will be operational costs, the CFPB believes that the Proposed Rule would actually foster competition by benefitting smaller financial institutions, fintechs, and startups. For example, the ability to transfer consumer transaction history with greater ease, speed, and efficiency may cut down on administrative costs the smaller players in the industry and startups face when onboarding new customers. According to CFPB Director Chopra, “jumpstarting competition in banking and consumer finance” will lead to companies incentivized to provide better customer service and products. Future rulemaking that widens the scope of the Proposed Rule to include other types of covered data will, as CFPB Director Chopra pointed out, “continue to foster more competition and consumer choice throughout the market.”
The Proposed Rule would also prohibit companies from using consumer account data for purposes other than providing the requested services and products. Financial institutions would therefore be prohibited from using the subject data for targeted advertising and marketing purposes or to sell to data brokers. Upon termination of the customer relationship, financial institutions would be required to delete subject data in its possession (subject to applicable law and retention requirements). Screen scraping—a form of data collection used by companies that requires the use of log-in credentials—would also be prohibited.
Not surprisingly, financial institutions reactions are mixed. American Bankers Association President and CEO Rob Nichols issued a statement that simultaneously commended the Proposed Rule for uniting the banking industry’s and the CFPB’s common goal of “enhancing consumers’ access to their financial data and allowing them to share it safely with companies of their own choosing” while also expressing concerns over the scope of the Proposed Rule, whether it adequately addresses liability, and implementation costs. Nichols also questioned whether the CFPB’s parallel efforts at amending the Fair Credit Reporting Act created ambiguity under the Proposed Rule.
Consumer Bankers Association (CBA) President and CEO Lindsey Johnson released a statement noting that the CBA “looks forward to working with” the CFPB to develop a final Section 1033 rule that fosters access to consumers’ own personal financial data and provides uniform protection of such data across banks and non-banks. Similarly, Paige Pidano Paridon, senior associate general counsel for the Bank Policy Institute, a nonpartisan public policy, research and advocacy group representing US banks, issued a statement on the Proposed Rule calling for the CFPB to “prioritize data security in its rulemaking process, put an end to unsafe practices like screen scraping, and require fintechs to adhere to the same data privacy and security standards that already apply to banks.”
While the Proposed Rule attempts to establish a framework by which access to third party financial products and services is easier and the collection practices of consumer financial data is further regulated, whether the Proposed Rule will accomplish all of the goals outlined in Director Chopra’s statement is yet to be determined.
Those who wish to comment on the proposed rule have until December 29, 2023 to do so. The CFPB has indicated its intent to finalize the rule by the fall of 2024. Compliance dates will vary depending on the asset size and type of financial institution.