[co-authors: Luke Hamel, Andrew Kliewer]

On October 17, 2023, the Consumer Financial Protection Bureau (CFPB) published a long-awaited notice of proposed rulemaking for its Proposed Financial Data Rights Rule, implementing Section 1033 of the Dodd-Frank Act.

Section 1033 grants the CFPB the authority to require providers of consumer financial services to share the financial data they collect on their customers. The proposed rule would require providers to share consumer data such as transaction history, account balance, and upcoming billing with customers themselves or third parties that the customers designate. This process of mandatory data sharing is known informally as “open banking.” CFPB Director Rohit Chopra claims the rule will “supercharge competition” by enabling consumers to “walk away from bad service and choose the financial institutions that offer the best products and prices.”

Although the proposed rule is in the midst of a comment period and subject to change before being finalized, covered data providers, particularly depository institutions and credit card issuers, should begin to familiarize themselves with what their obligations to share consumer data could look like under a final rule. Potential data recipients should also consider their responsibilities under the proposal. Here are several key considerations for businesses regarding the proposed rule:

What entities are covered?

The proposed rule divides obligations between financial institutions required to share consumer data (data providers) and entities receiving the data (authorized third parties).

The proposal defines data providers as consumer-facing financial institutions offering deposit accounts subject to Regulation E, credit card issuers subject to Regulation Z, and products or services that facilitate payments from entities in either of these two categories.

Entities offering any of these services as of the effective date of the regulation would be considered data providers obligated to share information under the proposal, including most consumer banks, credit card issuers, and digital wallets. However, entities that do not already maintain a “consumer interface” as of their applicable compliance deadline would be exempt from the proposal’s data-sharing requirements.

The proposal defines authorized third parties as entities seeking access to covered data. This definition encompasses data recipients, which are the end users of consumer data, and data aggregators serving as intermediaries between data recipients and data providers.

What are the obligations of data providers?

The proposed rule would require data providers to develop a “consumer interface” and a “developer interface.” These obligations are best thought of as: (1) a requirement to build out a user interface for individual consumers to access their financial data, and (2) an application programming interface, or API, to store and share covered data for use by other authorized third parties.

Given that maintaining a consumer interface is a threshold requirement to fall within the bounds of the proposal, the compliance burden for the consumer interface should be minimal. Data providers must simply ensure that their portals meet the requirements of the proposal, mainly that covered data are available in a machine-readable format downloadable by the consumer.

Data providers face more substantial requirements for the developer interface. Under the proposal, providers must ensure that covered data are available to authorized third parties in a machine-readable, standardized format. They must additionally prevent third parties from accessing the developer interface using any credentials that a consumer could use to access the consumer interface, such as a digital username and password. This functions as the CFPB’s primary way of discouraging screen scraping, a less secure means of gathering data.

The CFPB anticipates that this requirement will be the most onerous and costly for data providers to comply with. The proposal would bar data providers from charging any fees to either consumers or authorized third parties for accessing consumer data through the API.

Finally, the proposed rule would also require that data providers establish and maintain policies that evidence their compliance with the proposed rule. Data providers would be required to retain records for a minimum of three years after responding to a consumer or third-party request for data. All other records would be subject to a “reasonableness” test in determining retention length, weighing the “size, nature, and complexity” of the data provider and its activities. The CFPB has indicated that it will identify particular examples of records that need to be retained, irrespective of the data and data provider’s characteristics, upon the rule’s final publication in the Federal Register.

What are the obligations of authorized third parties?

While the main burdens of the proposed rule fall on data providers, there are several requirements that authorized third parties ought to be aware of.

The most direct requirements of the proposed rule for authorized third parties relate to how they use or store information. Authorized third parties would be required to clearly disclose to consumers that they will only “collect, use, and retain the consumer's data to the extent reasonably necessary to provide the consumer's requested product or service.” This will come in the form of a clear and conspicuous authorization disclosure that would require consumers to opt in.

The consumer’s opt-in authorization granting the authorized third parties access to the consumer’s information would expire in one year unless the consumer subsequently renews the authorization. Consumers may also revoke permission at any time, and recipients would be prohibited from using covered data for other commercial purposes without consent.

While data recipients would generally be responsible for releasing the authorization disclosure to consumers, they would additionally be responsible for naming in the authorization disclosure any data aggregators that will assist them in accessing covered data. The disclosure must include a brief description of the services that the data aggregator will provide.

Data aggregators must nevertheless certify to the consumer that they agree to the conditions in the authorization disclosure before accessing the consumer’s data. In the event that a consumer withdraws their consent to access the covered data, the data recipient would be responsible for notifying the data aggregator of the consumer’s revocation.

The proposed rule does not, on its face, prohibit screen scraping by authorized third parties. For data that are not required to be transmitted via the developer interface, or in instances where the data providers themselves may be exempted from the requirements of the proposed rule, authorized third parties may still find screen scraping to be the only means of collecting relevant data. The CFPB has stated that it would monitor whether data providers are “blocking screen scraping without a bona fide and particularized risk management concern.”

What are the important deadlines?

After the rule is finalized and published in the Federal Register, data providers will be subject to staggered compliance dates dependent on the nature, assets, or revenue of the data provider.

• Depository institutions with assets greater than $500 billion or nondepository institutions with revenues greater than $10 billion will have six months from the final rule’s publication in the Federal Register to comply.
• Depository institutions with assets between $50 billion and $500 billion and nondepository institutions with less than $10 billion in revenues will have one year to comply.
• Depository institutions with assets between $850 million and $50 billion will have two and a half years to comply.
• Depository institutions with less than $850 million in assets will have four years to comply.

Conclusion

As entities consider compliance obligations under the proposal, they should be aware that it is not the final iteration of the rule. Interested parties can submit comments on the proposal until December 29, 2023, after which the CFPB will read through comments and potentially modify the rule before it is finalized.

Already, commentators have questioned how the proposal might interact with another recently announced CFPB rulemaking, where the CFPB seeks to revamp the obligations of credit reporting agencies under the Fair Credit Reporting Act. In particular, data aggregators should pay attention to intersecting obligations under the two proposals. The CFPB notes in the Personal Financial Data Rights proposal that it will consider data aggregators to be credit reporting agencies when they regularly collect data that bears on a consumer’s creditworthiness and furnish that data to lenders.

Consumer advocacy groups have also expressed concerns that the proposal’s definition of data provider is too narrow and fails in particular to capture data from financial services used by low-income Americans, such as electronic benefit transfer providers. Director Chopra noted in remarks accompanying the proposal’s release that the CFPB intends to expand the definition of data providers in future rulemaking. To that end, lenders not covered by the proposal in its current form should pay attention to the final proposal released by the CFPB, as well as future statements and rulemakings.

Director Chopra has stated the CFPB intends to finalize the rule in fall of 2024.

[View source.]