Last week, the Consumer Financial Protection Bureau issued its long-awaited proposed rule to implement Section 1033 of the 2010 Consumer Financial Protection Act, which has come to be known as the “open banking” provision.^[1] In a nutshell, the CFPB’s Personal Financial Data Rights rule would require “data providers” –financial institutions, card issuers, digital wallets, and any other consumer-facing entity that holds consumer financial data – to share a consumer’s financial data with authorized third parties at the consumer’s request. CFPB Director Rohit Chopra emphasized in his remarks accompanying the proposed rule that its primary purpose is to foster greater competition in financial services for consumers by empowering consumers to transfer their banking information more easily and securely via API among competing banks or fintechs. In theory, “open banking” promises to reduce fees, improve customer service, and result in more product choices designed to entice consumers to sign up or to remain where they are.

The proposed rule includes these key features:

• Timeline and scope of compliance. The Bureau has proposed a gradual phase-in of the rule’s requirements based on the size of the data provider. The largest – at least $500 billion in total assets for depositary institutions and $10 billion in revenue for non-depositary – must comply within six months of the final rule. The smallest depositary institutions (under $850 million) have four years to comply. And data providers that do not directly interface with consumers at all (small credit unions with no online platform, for example) are exempted altogether. Certain providers may have difficulty competing without developing a robust digital interface for consumers.
• Reasonable denial of request to share data. The Bureau’s proposed rule expressly allows data providers to reasonably deny requests by authorized third parties for a consumer’s data based on various factors. One of the most significant factors noted as a reasonable basis for denial is “risk management” concerns related to data security. On this point, the Bureau walks a line recognizing interagency guidance issued recently by federal prudential regulators, highlighting depository institutions' obligation to operate in a safe and sound manner, including the exercise of due diligence and risk management related to third-party relationships. There have been questions raised in the industry about who should bear liability if data is shared with the wrong party with damaging results. What falls within the scope of “risk management” concerns will likely be important in answering this question. Over time, courts and regulators will presumably allocate these risks by developing due diligence standards and regulatory safe harbors to avoid unnecessary barriers to data sharing and the attendant costs to consumers. Data providers will need to protect themselves with sufficiently clear policies and procedures that both conform to the final rule and minimize risks of liability from data breaches caused by bad actors.
• Not all consumer-related data must, or should, be shared. The proposed rule makes clear the types of information that must be shared by data providers – mostly the consumer’s transactional and personal information sufficient for identification – but also exempts from the data sharing requirement certain information. For example, data providers need not share their own algorithms or analyses of credit, or “any information collected by the data provider for the sole purpose of preventing fraud or money laundering, or detecting, or making any report regarding other unlawful or potentially unlawful conduct.” In the future, these exemptions will likely raise potentially important questions of liability for information that was or was not shared about a consumer’s financial activities.
• Standards for data-sharing interfaces. The proposed rule envisions “fair, open, and inclusive” industry standards being established by a standard-setting body that is itself “fair, open, and inclusive.” The rule identifies the following seven attributes that such an issuer of qualified industry standards must possess: (1) Openness, in developing and revealing its sources, processes, and procedures; (2) Balance, in ensuring that its decision-making is not skewed toward one interest or another; (3) Due Process, in its processes and procedures used to develop standards; (4) Appeals, available to be handled impartially; (5) Consensus, defined as general agreement rather than unanimity, used in developing standards; (6) Transparency, in its processes and procedures used to develop standards; and (7) CFPB Recognition, in the last three years as such an issuer, upon request. This may ultimately be an area without significant controversies, given the near-universal embrace of open banking in at least some form. But the open questions we outlined above regarding liability and policies for reasonable denials of data-sharing requests will render these standards potentially significant.

The CFPB’s proposed rule highlights a number of areas where the Bureau is seeking industry input and comment, and submissions will be accepted through December 29, 2023. Director Chopra noted in prepared remarks announcing the rule that the Bureau anticipates finalizing the rule by the fall of 2024.

Footnotes

[1] See https://files.consumerfinance.gov/f/documents/cfpb-1033-nprm-reg-text-with-1001_2023-10.pdf

[View source.]