On October 19, the Consumer Financial Protection Bureau (CFPB) issued its highly anticipated notice of proposed rulemaking to implement Section 1033 of the Dodd-Frank Act. The Personal Financial Data Rights Rule would require depository and non-depository entities, including providers of payment facilitation services, to make available to consumers and authorized third parties certain data relating to the consumers’ accounts. The rule would also establish consumer protection obligations on these parties to access and use a consumer’s data.

The Bureau Looks to Increase Competition for Banking Services

In an accompanying statement, CFPB Director Rohit Chopra stated that the proposed rule would accelerate a shift toward “open and decentralized banking” which can “supercharge competition, improve financial products and services, and discourage junk fees.” The Bureau has emphasized that the rule would allow people to “break up with banks that provide bad service and would forbid companies that receive data from misusing or wrongfully monetizing the sensitive personal financial data.”

Who’s Covered?

The proposed rule applies to “data providers” which are defined as financial institutions that offer deposit accounts subject to the Electronic Funds Transfer Act, credit card issuers subject to the Truth in Lending Act, and any other person that controls or possesses information concerning a covered consumer financial product or service the consumer obtained from that person. In addition to banks, digital wallet providers would fall under the proposed rule as covered entities. Entities without consumer-facing digital banking interfaces, however, are excluded.

Key Features of the Rule:

• Access to Covered Data: Under the proposed rule and subject to limited exceptions, covered entities would be responsible for providing consumer and authorized third-party access to “covered data,” in the data provider’s control. This would include up to 24-months of transaction information (including such data as payment types, payee information, reward credits, and fees or finance charges), account balance, terms and conditions (e.g., APR, reward program terms, overdraft coverage), upcoming billing information, and basic account verification.
• Requirement to establish and maintain interfaces: To ensure the timely and reliable access to covered data, data providers must establish and maintain developer and consumer interfaces to allow consumers and authorized parties to obtain their data in a useable electronic format (or upon request, a machine-readable file that can be transferred to another financial institution for processing).
  • One impact of the rule’s requirement to establish a developer interface is to prevent data providers from relying on screen scraping to provide consumers’ data. Screen scraping is a technology whereby third parties access a consumer’s account using the consumer’s login credentials. Those credentials are then stored by the third party, which gives them the ability to scrape the data from the bank account and use this information just like the customer would. The Bureau claims that screen scraping leads to the proliferation of shared consumer credentials and the overcollection of data.
  • The Bureau is proposing that consumer interfaces meet a high performance standard, specifying that an interface must provide accurate and timely responses at a rate of 99.5% to be in compliance.
• Limitations on the Rights of Third Parties: Third parties acting on behalf of a consumer would have a right to access covered data. The proposed rule would require these third parties to implement safeguards around the collection, use and retention of such data and provide the consumer with an authorization form disclosing, among other things, a description of the product or service being offered, the categories of data accessed, and how authorization can be revoked. Third parties will have to obtain reauthorization for continued access to the covered data from consumers on a yearly basis.
  • Notably, third parties will be prohibited from engaging in targeted advertising, the cross-selling of other products or services, or the sale of the covered data to data brokers.
• Specific Requirements for Data Aggregators: Under the proposed rule, third parties would be allowed to use data aggregators to access covered data but those data aggregators would also be subject to disclosure and authorization requirements. Moreover, the authorized third party would be ultimately responsible for the data aggregator’s compliance.
• Four Tiered Compliance Schedule: The rule has a four-tiered compliance implementation schedule based on the type and size of the institution. For example, depository institutions with at least $500 billion in total assets and non-depository institution data providers that generated at least $10 billion in revenue in the preceding calendar year or are projected to generate at least $10 billion in revenue in the current calendar year, should comply with the rule within six months after its publication in the Federal Register. But depository institutions that hold less than $850 million in total assets have four years to comply with the rule’s mandates.

What’s Next?

This is just the first step in the CFPB’s efforts to implement Section 1033 of the Dodd Frank Act and financial institutions can expect supplemental rulemaking. In fact, the Bureau has noted that while information about mortgage, automobile, and student loans may not fall under its definition of “covered data,” it may add those products and services in future rulemaking. In addition, the Bureau is seeking comment on whether electronic benefit transfer (EBT) cards, otherwise exempt from EFTA coverage, should be included in the scope of the proposed rule.

Comments on the rule are due no later than December 29, 2023. The Bureau is expected to issue the final rule in the fall of 2024.