On October 19, 2023, the Consumer Financial Protection Bureau (CFPB) unveiled a proposed rule to implement Section 1033 of the Dodd-Frank Act. This section mandates that entities subject to it should provide consumers access to information about financial products or services they have acquired from these entities, in accordance with rules set by the bureau.

The proposed rule aims to ensure that specific financial institutions, card issuers, and payment facilitation providers grant consumers access to their data, including transaction information. It also establishes obligations to safeguard consumers’ interests for these entities, as well as authorized third parties that collect and use this data.

The Rule’s Application

The proposed rule’s applicability would primarily extend to “data providers,” which typically refers to financial institutions offering consumer deposit accounts under the Electronic Funds Transfer Act (EFTA), credit card issuers subject to the Truth in Lending Act (TILA), and entities offering related payment facilitation services. Consequently, most banks, digital wallet providers, and neobanks would be covered, while entities without consumer-facing digital banking interfaces would be excluded from coverage at the rule’s compliance date.

Data Covered

Under the proposal, data providers would need to offer consumers and authorized third parties access to “covered data,” encompassing 24 months of transaction data, certain account details (e.g., account balance, upcoming bills, basic account verification), information required for payments, and terms and conditions of the account or card (such as APR and reward program terms). Certain types of information, like confidential commercial data, data collected for fraud prevention, information required by law to remain confidential, and data not retrievable in standard business operations, would be exempt from the rule’s requirements.

Obligations of Data Provides to Make Covered Data Available

To comply with the proposed rule, data providers must maintain consumer interfaces and developer interfaces for data access. They cannot impose fees on consumers or authorized third parties for these interfaces and must disclose developer interface information publicly. The rule also dictates that data providers:

• Should not rely on screen scraping, a practice that uses consumer credentials for data retrieval.
• Provide data in a standardized format based on industry standards or widely used formats.
• Authenticate third parties and consumers, ensure consumer authorization, and confirm data request scope.
• Maintain a “commercially reasonable” level of performance for their developer interfaces.
• Apply an information security program in line with the Gramm-Leach-Bliley Act (GLBA) or relevant Federal Trade Commission (FTC) requirements.

Obligations on Third Parties Authorized to Access and Collect Consumers’ Data

The proposed rule also imposes obligations on authorized third parties that collect consumers’ data. These third parties must obtain consumers’ express informed consent, limit data collection, use and retention, and implement data security programs compliant with GLBA or FTC requirements. They are also required to reauthorize data collection after one year or delete previously collected data unless necessary for providing the requested service.

Role of Data Aggregators with Respect to Collection of Covered Data

Data aggregators, typically fintech companies, can be used by third parties to access covered data, subject to disclosure and certification requirements. Data aggregators must certify their compliance with the rule’s data access conditions and restrictions, and authorized third parties remain responsible for ensuring compliance with authorization procedures.

Next Steps

The CFPB’s Director, Rohit Chopra, has expressed that the proposed rule is designed to promote competition in banking and consumer finance while safeguarding personal financial data. This aligns with the CFPB’s ongoing focus on competition and data protection. The proposed rule establishes clear record-keeping requirements to facilitate supervision and enforcement, involving not only the CFPB but also other government agencies, including state regulators.

Entities within the rule’s scope should assess how it may impact their processes. Those outside the current scope should also pay attention, as the CFPB intends to expand the rule’s coverage in future rule-making. The CFPB is seeking comments on various aspects of the rule, and comments are due by December 29, 2023, with the aim of finalizing the rule by the fall of 2024.