As we reported last week, the Consumer Financial Protection Bureau (“CFPB”) released a proposed rule addressing “personal data financial rights.” Comments are due on December 29, 2023. Please review last week’s post for a general overview of the proposed rule. This week’s installment discusses the entities that would be required to comply with the provisions of the rule, should it be adopted as proposed.
The proposed rule focuses on ensuring that open banking is prioritized initially with respect to electronic payments. The scope of consumer financial products and services governed by the proposed rule includes “Regulation E accounts” (i.e., demand deposit (checking) accounts, savings accounts and prepaid cards accounts), “Regulation Z credit cards” (i.e., credit cards, charge cards and hybrid prepaid cards), as well as any service that allows for the facilitation of payments using Regulation E accounts or Regulation Z credit cards. Accordingly, the entities intended to be governed by the proposed rule include not only financial institutions, but also “any other person that controls or possesses information” concerning the covered consumer financial products or services. This means that even if the entity does not maintain financial accounts itself and merely provides services to facilitate payments, or to allow consumers to better optimize their spending through the use of personal financial management tools, then that entity would need to comply with the rule. The proposed rule provides one example of a non-bank entity that would be governed, specifically stating, “a digital wallet provider is a data provider.” 1033.120(c)(3).
While the proposed rule purports to extend to non-banks providing services such as digital wallets, it also covers not just financial institutions, but also all entities deemed to be “card issuers” for purposes of Regulation Z, the implementing regulation for the Truth In Lending Act. It is important to remember that the definition of “card issuer” in Regulation Z extends far beyond just the “person that issues a credit card.” It also includes any entity considered to be the agent of the person that issues a credit card. 12 C.F.R. 1026.2. While the Official Staff Commentary to this section of Regulation Z remarks that “merely providing services relating to the production of credit cards or data processing for others . . . does not make one the agent of the card issuer,” the definition of card issuer does pull in a wide variety of fintechs and other companies that are under contract with the person that issues the card to provide services supporting the card.
Importantly, the obligations applicable to data providers cover only “covered data in the data provider’s control or possession concerning a covered consumer financial product or service that the consumer obtained from the data provider.” 1033.211. The emphasized language is taken directly from the Consumer Financial Protection Act, 12 U.S.C. 5533(a). The CFPB’s only statements regarding whether a data provider, such as a fintech supporting a credit card issuing bank (i.e., which would be deemed to be a card issuer), is also a party from whom the consumer “obtained the credit card” for purposes of the obligations relating to covered data are 1) the conclusion that the catch-all provision of the definition of data provider (i.e., any other person that controls or possesses information regarding the covered product or service) is intended to “cover all consumer-facing entities involved in facilitating the transactions” and 2) the observation that “adopting a broad definition could help avoid creating unintentional loopholes as the market evolves.”
The proposed rule also covers two other sets of entities and imposes separate obligations on them. “Authorized third parties” are those entities who “seek access to covered data from a data provider on behalf of a consumer” so that they can provide a product or service the consumer requested. 1033.401. Authorized third parties are required to: 1) provide an authorization disclosure; 2) certify that they will limit the “collection, use, and retention of covered data to what is reasonably necessary to provide the consumer’s requested product or service”; and 3) only use the data for servicing or processing the product or service requested (as well as to satisfy legal process, etc.). In counterpoint to the definition of “data provider,” “authorized third parties” do not provide the covered consumer financial products and services, but instead act upon that data to provide separate products and services. Today, these third parties can receive the data and use it in keeping with the terms of their privacy policy. Under the proposed rule, these third parties would only be able to use the data to provide their product and services, regardless of the terms of their privacy policy.
The final set of entities that would be covered by the proposed rule are so-called “data aggregators.” Data aggregators are entities that are “retained by and [that provide] services to the authorized third party to enable access to covered data.” In sum, data aggregators must be disclosed by name to consumers within the authorization disclosure provided to them by authorized third parties and are also required to limit their use of the covered data, in the same manner as authorized third parties are required to limit their use.
Stay tuned for two more parts on this proposed rule in the coming weeks – one installment will discuss the technology aspects of the rule, and another installment will look at how this proposed rule would work with existing laws like Regulation E, the Fair Credit Reporting Act and Gramm-Leach-Bliley.
