The Consumer Finance Protection Bureau (CFPB) on Oct. 19, 2023, proposed a new Personal Financial Data Rights rule (Proposal) through which it seeks to increase competition in the financial sector. The Proposal was developed in an attempt to boost open banking and increase competition throughout the financial sector. It would require certain financial institutions (as defined under 12 C.F.R. 1005.2(i) (Reg. E.)), card issuers (as defined under 12 C.F.R. 1026.2(a)(15)(i) (Reg. Z)) or any other person who controls or possesses information concerning a covered consumer, financial product or service (data providers), to provide data portability and data access rights to consumers and authorized third parties.

The Proposal concerns only "covered data," which is defined as "transaction information, account balance, payment-initiation information, terms and conditions, upcoming bill information, and basic account verification information." This would be the first attempt by the CFPB to codify its authority under Section 1033 of the Consumer Financial Protection Act, which charged the CFPB with implementing personal data sharing standards and protections.

The CFPB intends to implement the new Proposal in phases, with large financial providers being subject to its requirements much earlier than smaller providers. Small community banks and credit unions that have no digital interface for consumer interactions would be exempt from the rules. The Proposal would:

• require banks and other providers to make personal financial data available at no charge to consumers or their agents through dedicated digital interfaces
• provide consumers a legal right to grant third parties access to information associated with their credit card, checking, prepaid and digital wallet accounts
• provide data use restrictions on companies that consumers authorize to access data on their behalf
• provide consumers the right to later revoke access to their personal financial data

New Data Provider Obligations

Data providers are obligated to furnish authenticated consumers, authorized third parties and data aggregators current covered data for a covered consumer's financial product or service in a usable electronic format. In support of that obligation, data providers must create a developer interface through which data providers can receive and respond to requests for covered data and secure it with an information security program consistent with Gramm-Leach-Bliley Act obligations. Data providers must also establish and maintain written policies and procedures designed to achieve the Proposal's objectives and ensure the retention of compliance records.

New Restrictions on Authorized Third Parties

Authorized third parties (e.g., FinTech companies) face limitations on the collection, use and retention of covered data and must restrict activities to what is reasonably necessary for providing the consumer's requested product or service. Prohibited activities include targeted advertising, cross-selling and the sale of covered data. Authorized third parties must also limit the duration of data collection to a maximum of one year after the consumer's most recent authorization, implement data security programs, and establish written policies and procedures for accurate data transmission and retention.

New Data Security Practices

In addition to the new data security requirements imposed on data providers and authorized third parties, including data security programs for new systems that may need to be deployed in compliance with the Proposal requirements, the CFPB is also looking to address what it views as risky data collection practices in the financial sector. The Proposal therefore seeks to shift the financial sector's dependence away from "screen scraping," which requires consumers to provide third-party aggregators or others username and password credentials for access to their data at a financial institution. The CFPB will seek to implement requirements aligned with industry standards (to be periodically reviewed by the CFPB), which would then become best practices industrywide.

Additionally, the Proposal introduces new restrictions on data storage and access. Data providers must establish and uphold systems that can handle requests to revoke data access, oversee authorizations with time constraints and delete data when required, whether due to revoked or expired authorizations, or when retaining the data is no longer reasonably necessary.

Takeaways

The Proposal is intended to increase competition and create a more open banking system. Still, many in the financial industry have expressed concerns about the Proposal's impact on account and information security. In addition, data portability and access requirements imposed on data providers may be difficult and expensive, and financial industry participants may need to begin analyzing their systems and operational capabilities with the expectation that the new Proposal may be finalized in 2024. Interested parties have until Dec. 29, 2023, to submit comments on the Proposal.