On October 19, 2023, the Consumer Financial Protection Bureau (CFPB) issued an advance notice of proposed rulemaking (ANPR) with respect to a new consumer financial data portability rule mandated by Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Financial Protection Act. Broadly speaking, the rule is intended to allow consumers to port their banking and financial services information easily should they wish to exercise more choice over their banks and financial service providers. This CFPB appears committed to promoting a decentralized and intensely competitive market in consumer financial services. To that end, the rule will require covered entities to make consumer information available to their customer about the financial products and services they have provided to the customer. 

The CFPB rule is expected to provide a US analogue to the regulatory mandates that underpin the open banking ecosystems in the UK, EU, and elsewhere. Although open banking has developed in the US, it has done so in a bottom-up, non-uniform way, largely driven by consumer demand and implemented via screen scraping and one-to-one data access agreements. The CFPB aims to improve data access, accuracy, and security by replacing screen scraping, in which third parties use consumer credentials to access information, with secure portals hosted by financial institutions that provide no-cost, standardized data to consumers and authorized third parties. 

Although the CFPB’s Section 1033 rulemaking has now progressed to the proposed rulemaking stage, it is important to also keep an eye on the CFPB’s parallel rulemaking under the Fair Credit Reporting Act (FCRA). The FCRA rulemaking, although in its very early stages, would extend the compliance net of the FCRA to include not only traditional credit bureaus but data brokers and other alternative data vendors who are collecting, processing and aggregating consumers’ financial and other data for use by rental companies, lenders, employers and other businesses in making eligibility decisions. The FCRA rulemaking could potentially give consumers a line of sight and more control over how their data is being collected, assembled and shared to entities making decisions about them. It is the CFPB’s objective that the Section 1033 and FCRA modernization rulemaking will dovetail to empower consumers to better understand and make choices about their finances.

1. Who Has to Make Data Available?

The proposed rule would apply to all of the following entity types, termed “data providers”:

• Depository institutions and any other person that either:
  • Directly or indirectly holds a Regulation E account, as defined in 12 CFR § 1005.2(b)(1), which includes demand checking accounts, savings accounts, and prepaid accounts as defined in 12 CFR § 1005.2(b)(3)(i)); or 
  • Issues an access device¹ and agrees with the consumer to provide electronic fund transfer services
• Credit card issuers as defined in Regulation Z (12 CFR § 1026.2(a)(7))
• Payment intermediaries that facilitate payments from a Regulation E account, as defined in 12 CFR 1005.2(b)(1), or a Regulation Z credit card account, as defined in 12 CFR § 1026.2(a)(15)
• Any other person that controls or possesses information regarding any of the above-listed products or services obtained from that person.

The rule expressly provides that digital wallet providers are covered. Notably, the rule will not apply to depository institutions that have not established a consumer interface (i.e., a consumer account portal) as of the rule’s compliance date. The CFPB has indicated that it intends to apply consumer data access requirements to additional categories of financial products and services in subsequent rulemakings.

2. What Data Must be Made Available?

The rule would require data providers to make the following data available through their consumer and developer interfaces, to the extent that it is retrievable by the data provider in the ordinary course of business:

• Transaction information going back at least 24 months, including the amount, date, payment time, pending or authorized status, payee or merchant name, rewards credits, and fees or finance charges;
• Account balance;
• Information to initiate a payment to or from a Regulation E account (including account and routing number, which may be tokenized or non-tokenized);
• Terms and conditions of the product or service, including fee schedule, APR or APY (as applicable), rewards program terms, overdraft opt-in status, and whether an arbitration agreement applies;
• Upcoming bill information; and
• Basic account verification information, which includes only the name, address, email address, and phone number associated with the product or service.

The rule provides limited exceptions for, among other things, confidential information of the data provider, such as proprietary algorithms, and information collected solely for fraud prevention purposes. The latter does not include name and basic account verification information.

3. What are the Mechanics of Provisioning Data to Consumers and Third Parties? 

The rule would require depository institutions that have a consumer interface as of the applicable rule compliance date (see Section 6 below) to host interfaces through which consumers and authorized third parties can request covered data. The developer interface must meet certain requirements, which are intended to promote standardization and usability. The CFPB is not, however, proposing to prescribe a single data format for covered data or to provide a database or processing capability.

Upon specific request, data providers must make data available to consumers and third parties in a machine-readable format that can be retained and transferred to other information systems. Additionally, data providers’ developer interfaces must make data available in a standardized format, a requirement that is deemed met if the data is provided in a format that is set forth in a “qualified industry standard”² or is “widely used by the developer interfaces of other similarly situated data providers with respect to similar data and is readily usable by authorized third parties.” 

The developer interface must also perform to a “commercially reasonable” level, which means, at a minimum, a 99.5% rate of proper responses³ provided within 3,500 milliseconds (excluding downtime for which the data provider gave reasonable notice to all third parties authorized to access the interface). Additionally, the rule prohibits data providers from imposing “unreasonable” access caps or rate limits on third party requests.⁴ Frequency restrictions are permissible only to the extent the third party requests pose an “unreasonable burden on the data provider’s developer interface and impact the interface’s availability to other third party requestors.” Any such restrictions must be applied in a manner that is non-discriminatory and consistent with the data provider’s reasonable written policies and procedures. 

With respect to both the “commercially reasonable” performance requirement and the prohibition on “unreasonable” access caps, the rule treats conformity with a qualified industry standard as an indicator of compliance but not a safe harbor. As noted above, conformity with a qualified industry standard does provide a safe harbor with respect to the requirement to provide data in a standardized format. Additionally, with respect to commercially reasonable performance, alignment with performance levels of similarly situated data providers’ interfaces is an indicator of compliance.

Data providers must maintain information security programs that meet the standards of the Gramm-Leach-Bliley Act (GLBA), regardless of whether subject to GLBA enforcement by a banking regulator or the Federal Trade Commission (FTC). It is important to note that the FTC has announced it has approved an amendment to its GLBA Safeguards Rule that will require non-bank financial institutions to report data breaches to it when they discover that “information affecting 500 or more people has been acquired without authorization.” Although as of this writing the amendment has not yet been published in the Federal Register, once it is, it will take effect one-hundred-eighty days after its publication.⁵ Earlier this year the FTC began enforcing “unauthorized disclosures of consumer information” as “breaches” under its authority under Section 5 of the FTC Act as well as under its Health Breach Notification Rule.⁶ As a result, non-bank financial institutions should use this opportunity to evaluate how any of their digital or other online and apps may be using, collecting or processing consumers’ data or may result in the sharing of that information with third parties.

4. What is Required of Third Parties Seeking Access to Consumer Information?

The rule requires data providers to grant access to their developer portals to authorized third parties. To become authorized, a third party must seek access on behalf of a consumer in order to provide a product or service that the consumer requested. Additionally, the third party must: 

• Maintain an “authorization disclosure” that:
  • Is signed by the consumer; and
  • Contains a certification by the third party that the third party will limit its use (and sharing) of data to what is reasonably necessary to provide the consumer’s requested product or service (which may not include cross-selling, sale of data, or targeted marketing);
  • States the categories of covered data that will be accessed; and
  • Describes how the consumer may revoke consent.
• Maintain a data security program that complies with the GLBA or the FTC’s Safeguards Rule under the GLBA, as applicable;
• Require parties with whom the third party shares data to contract to comply with specified obligations under the rule;
• Establish reasonable policies and procedures to ensure that consumers can obtain specified information about the third party’s data practices (including names of parties with whom information was shared); and
• Notify the data provider, any data aggregator, and other third parties with whom it has shared the consumer’s covered data when the consumer revokes consent.

A consumer’s consent automatically terminates after one year, and the third party must obtain a new one no later than the termination date. If the authorization is not renewed, the third party must stop collecting data and may not continue using previously collected data unless use of data remains “reasonably necessary” to provide the consumer’s requested product or service or the data is required to be retained by law or is necessary to prevent fraud.

The rule also addresses third parties’ use of data aggregators to access and process consumer data. Third parties using data aggregators must disclose the name of the data aggregator and the services it will provide in the consumer authorization disclosure. Additionally, data aggregators must certify their agreement to restrictions on use of the consumer’s data before accessing it. The certification must be included in the consumer authorization disclosure or provided to the consumer separately by the data aggregator. Looking ahead, it will be important to see how the CFPB’s proposed FCRA regulations get drafted to understand how these two important rulemaking initiatives can potentially reshape the consumer finance ecosystem.

5. When May a Data Provider Deny Access to a Third Party?

The CFPB’s rule acknowledges the tension between data providers’ legal obligations to safeguard consumer data and the commercial incentive they have to maintain exclusive access, on the one hand, and third parties’ legitimate interest in accessing data on the other. This issue is particularly complex in the US, where there is no centralized credentialing system for non-banks and thus no bright line criteria for determining which third parties should have access. 

In the ANPR, the CFPB proposes that a data provider does not violate the general requirement to make data available if it issues a “reasonable” denial based on risk management concerns. To be reasonable, the denial must be necessary to comply with federal data privacy laws or directly related to a specific risk of which the data provider is aware, including, but not limited to lack of evidence of adequate data security practices or failure of the third-party to make specified information about itself publicly available⁷ in both human-readable and machine-readable formats. By requiring third parties to make data available in machine-readable format, the CFPB intends to facilitate data providers’ automated evaluation of third party authorization requests.

The CFPB’s commentary to the rule encourages private development of accreditation systems for third parties and requests comment on how the CFPB could support such efforts. However, the CFPB does not suggest that it is considering maintaining a list of authorized third parties. The closest the CFPB comes is to request comment on whether it should publish a list of links to third parties’ websites where required information about them is disclosed or require data providers to notify the CFPB when they approve or deny third party access requests. The CFPB commentary indicates that the latter would be used by the CFPB as a market monitoring tool rather than being made public.

Finally, a data provider can deny access if it does not receive minimum data required to fulfill the request. The rule specifies the minimum data requirements for both consumer and third-party data requests. All access denials must be accompanied by a statement of the type of information for which access was denied and a reason for the denial.

6. Compliance Dates

The rule provides for staggered compliance dates from six months to four years after publication of the final rule. The applicable compliance date for a data provider depends on its total assets and revenue. Depositories with at least $500 billion in total assets and non-depositories with at least $10 billion in revenue in the previous year (or projected for the current year) are subject to the earliest compliance date. It is unclear how a phased in series of compliance deadlines will affect consumers’ choices in the market place or smaller entities if consumers find themselves picking between larger entities who have come into compliance and smaller entities who have not yet been mandated to do so.

7. What Will Happen Next?

Agencies typically use ANPRs to preview a proposed rule and gain additional public input prior to issuing a notice of proposed rulemaking, which gives interested parties the opportunity to comment at an earlier stage of a rule’s development. The ANPRM requests comment on many questions of significance to the industry, including, for example:

• Whether non-depositories (in addition to depositories) that do not have consumer interfaces as of the applicable rule compliance date should be exempt from the rule;
• Which other financial products and services should be subjected to data portability requirements under a subsequent rulemaking;
• The appropriateness of the CFPB’s proposed standards for determining whether a standard-setting body is open, fair and inclusive (and thus able to issue qualified industry standards on which covered data providers may rely for a compliance safe harbor);
• How and when the CFPB should formally recognize a standard-setting body as open, fair and inclusive;
• Whether the CFPB should expressly prohibit data providers from engaging in activity that they know or should know is likely to interfere with access by consumers or authorized third parties, including providing information in an unusable format;
• Whether allowing data providers to provide tokenized account and routing numbers is appropriate and useful in preventing fraud; 
• Whether the CFPB should specify the amount of downtime that a data provider can exclude when calculating its compliance with the minimum 99.5% response rate; 
• Whether rate limits or access caps imposed by data providers should be presumptively unreasonable; and
• What evidence regarding a third party’s data security practices would give a data provider reasonable basis to determine access.

Interested parties have an opportunity to influence the CFPB’s approach to these key issues by submitting comments on or before December 29, 2023.

8. What Should Non-bank Financial Services Companies Do Now?

For non-bank financial institutions who themselves or through a network of vendors collect consumers’ non-public information, the rulemaking activity at the CFPB under Section 1033 and the FCRA as well as the FTC’s expansion of its GLBA Safeguards Rule to include a breach notification requirement when there is an “unauthorized sharing” of consumers’ information with third parties, this is a critical time to review consumer permissions and disclosures to assure they are up to date with their data collection, processing and sharing practices. In addition, a review of documented policies and procedures relating to the collection, use, processing and disclosure of consumer data – whether directly or by third party vendors -- is important to assure that consumer data is being safeguarded as both the CFPB and FTC expect. Finally, these regulatory initiatives underscore the importance for non-bank financial institutions and their vendors to conduct testing to assure that the organization’s data loss prevention practices align with any privacy promises it makes to the public.

________

1 “Access device” means a card, code, or other means of access to a consumer's account, or any combination thereof, that may be used by the consumer to initiate electronic fund transfers.12 CFR § 1005.2(a)(1).
2 The rule defines “qualified industry standard” to mean a standard issued by standard-setting body that is fair, open, and inclusive. The rule establishes several factors for determining whether a standard-setting body meets these criteria.
3 A proper response is a response, other than an error message provided during scheduled downtime, that either fulfills the query or explains why the query was not fulfilled, is consistent with the data provider’s reasonable policies and procedures, and is provided within a commercially reasonable amount of time (not more than 3,500 milliseconds).
4 With respect to consumer requests, data providers are not permitted to impose any restriction on frequency.
5 See, https://www.ftc.gov/news-events/news/press-releases/2023/10/ftc-amends-safeguards-rule-require-non-banking-financial-institutions-report-data-security-breaches?utm_source=govdelivery
6 See, FTC GoodRx enforcement action from February 1, 2023, which resulted in a $1.5 million fine against GoodRx “for failing to report its unauthorized disclosure of consumer health data to Facebook, Google, and other companies.” https://www.ftc.gov/news-events/news/press-releases/2023/02/ftc-enforcement-action-bar-goodrx-sharing-consumers-sensitive-health-info-advertising
7 The rule interprets this requirement to mean that the information must be at least as publicly available as it would be if posted on a public website.

[View source.]