A general overview for financial institutions, fintechs, data aggregators, and consumers

On October 19, 2023, the Consumer Financial Protection Bureau (CFPB) released its long-awaited "Required Rulemaking on Personal Financial Data Rights" (Proposed Rule) for public comment. The Proposed Rule was issued under Section 1033 of the Consumer Financial Protection Act of 2010 (CFPA) and is intended to foster a consumer financial data access framework for third-parties that is safe, secure, reliable, and competitive by "direct regulation of practices in the market and by identifying areas in which fair, open, and inclusive standards can develop to provide additional guidance to the market."[1]

Through the Proposed Rule, the CFPB aims to establish a framework for consumers that would allow them to authorize third parties to safely collect their personal financial data and enable access to products and services provided primarily by Fintechs. The Proposed Rule is comprehensive in scope and application, with potential impacts on a wide array of data providers (depository and non-depository institutions), third parties, and data aggregators.

In the coming weeks, DWT will be providing deeper dives into specific areas of concern to help you further understand how the Proposed Rule may impact you (and how you might want to respond in your comments to the CFPB). For now, a general overview:

When are comments due? What is the proposed effective date?

According to the Proposed Rule (as currently published by the CFPB), comments are due on or before December 29, 2023. The CFPB proposes that the effective date occur 60 days after the date of the final rule's publication in the Federal Register, with staggered compliance dates for data providers ranging from six months to four years, based on data providers' asset size or revenue:

Why the Proposed Rule?

According to the CFPB, the Proposed Rule seeks to empower consumers by enabling them to more easily choose the financial products and services that offer the best products and prices. It is tied to broader efforts by the CFPB to "discourage junk fees."[2] It starts from the premise that consumers lack control over their financial data, and that their financial data is being shared without their permission (i.e., beyond their requested product or service).

By creating a more standardized process, the Proposed Rule is intended to "accelerate a shift toward open banking, where consumers would have control over data about their financial lives and would gain new protections against companies misusing their data."[3] It seeks to "jumpstart competition by forbidding financial institutions from hoarding a person's data and by requiring companies to share data at the person's direction with other companies offering better products."[4]

Who is impacted and what would the respective requirements be?

The Proposed Rule would usher in a new regime for how consumer financial data is accessed and used, impacting a multitude of industry participants on wide-ranging issues. At a high level, this regime will establish obligations governing (i) banks' and nonbanks' provision to consumers and authorized third parties of certain data relating to consumers' transactions and accounts; and (ii) third parties' access to consumer data (e.g., privacy protections, basic standards for data access, and fair, open, and inclusive industry standards).

The key players most impacted by the Proposed Rule are the subset of "covered persons" the CFPB is proposing to first apply the proposed Rule—i.e., entities providing asset accounts subject to the Electronic Fund Transfer Act and Regulation E, credit cards subject to the Truth in Lending Act and Regulation Z, and related payment facilitation products and services.[5]

Consumers – a natural person (including trusts established for tax or estate planning purposes).

• The proposed definition of consumer differs from the definition included in CFPA section 1002(4), which defines a consumer as "an individual or an agent, trustee, or representative acting on behalf of an individual." This distinction is intentional – and necessary – to distinguish between consumers and the third parties that are effectively acting as the consumer's agent or representative in accessing covered data on behalf of the consumer pursuant to the Proposed Rule.

Data Providers – anyone that "controls or possesses covered data concerning a covered consumer financial product or service" and that has a "consumer interface" (as described below). This would include:

• Financial institutions, such as:
  • Banks, savings associations, credit unions, or other persons that directly or indirectly hold consumer asset accounts (including prepaid accounts); and
  • Persons that issue an access device and agree with a consumer to provide EFT services (including mobile wallets and other electronic payment products).
• Card issuers as defined by Regulation Z, including:
  • Depository and non-depository institutions that issue credit cards;
  • Other persons that are deemed to have issued a credit card; and
  • Card issuer agents with respect to the cards.
    (Note that a "card issuer" under Regulation Z means a person that issues a "credit card" – and that "credit card" is not necessarily limited to open-end credit accounts but can include cards used to access closed-end credit plans through the definition of "creditor.")
• Digital wallet providers.
• "Any other person that controls or possesses information concerning a covered consumer financial product or service the consumer obtained from that person."
  • While the reference to "any other person that controls or possesses information" is, by itself, extremely broad, it is qualified by the limitation that such "other person" is providing a financial product or service to the consumer. Presumably, this would exclude processors and other entities acting on behalf of a bank, credit union, or other financial institution that are providing the financial product or service, but it arguably could include a fintech who offers a financial product or service in concert with a bank or credit union, to the extent the fintech itself is deemed to be providing a financial product or service to the consumer.

According to the Proposed Rule, the subset of depository institutions that do not have a consumer interface would not be deemed a Data Provider:

• "Consumer interface" in the Proposed Rule means an interface "through which a data provider receives requests for covered data and makes covered data available in an electronic form usable by consumers and authorized third parties in response to the requests."[6]

The Proposed Rule would require data providers, with certain exceptions, to make available to a consumer and an authorized third party, upon request, covered data in the data provider's control or possession concerning a covered consumer financial product or service that the consumer obtained from the data provider, in useable, electronic form. Data providers would be required to make available the most recently updated covered data in their control or possession, including available information concerning authorized but not yet settled debit card transactions.

Among other things, data providers would be prohibited from imposing any fees or charges on a consumer or an authorized third party in connection with establishing or maintaining the consumer interface(s), receiving requests, or making available covered data in response to requests.

Authorized Third Parties—a third party (e.g., an app or service) that seeks access to covered data from a data provider on behalf of a consumer to provide a product or service requested by the consumer and that has complied with the authorization procedures under the Proposed Rule, including:

• Providing the consumer with an authorization disclosure, including a statement certifying that the third party agrees to certain obligations; and
• Obtaining the consumer's express informed consent to access covered data on behalf of the consumer by obtaining an authorization disclosure that is signed by the consumer electronically or in writing.

The Proposed Rule would require the third party's authorization disclosure to be provided electronically or in writing, in a form that is clear, conspicuous, and segregated from other materials. The disclosure would be required to include certain content, including:

• The name of the third party that would be authorized to access covered data;
• The name of the data provider that controls or possesses the covered data;
• A brief description of the product or service that the consumer has requested the third party provide and a statement that the third party will collect, use, and retain the consumer's data only for the purpose of providing that product or service to the consumer;
• The categories of covered data that would be accessed; and
• A complete and accurate translation of the authorization disclosure (if applicable).

An authorized third party would be prohibited from using the covered data to engage in targeted advertising, cross-selling of other products or services, or selling the covered data.

Data Aggregators – entities that are retained by and provide services to an authorized third party to enable access to covered data.

When a third-party seeking authorization (see above) uses a data aggregator to assist with accessing covered data on behalf of a consumer, the data aggregator would need to certify to the consumer, in advance, that it agrees to certain conditions regarding its access to the consumer's covered data.

What are some of the key issues for stakeholders to consider?

The Proposed Rule seeks to (1) expand consumers' access to their financial data across a wide range of financial institutions; (2) ensure privacy and data security for consumers by limiting the collection, use, and retention of data that is not needed to provide the consumer's requested service; and (3) push for greater efficiency and reliability of data access across the industry to reduce industry costs, facilitate greater competition, and support the development of beneficial products and services.

The Proposed Rule raises numerous issues that will data providers, authorized third parties, data aggregators, and other stakeholders in various ways. Below is a preview of selected issues.

Privacy

The Proposed Rule is intended to enhance consumer protection regarding the collection, use, and management of consumer financial data, through certifications and other standardized processes, and by defining responsibilities according to a participant's role in the transaction. The Proposed Rule would establish a new privacy framework—on top of the existing privacy regimes that apply to data providers and third-party recipients—as a means of further protecting consumers' privacy while fostering competition in the marketplace. Specifically, the Proposed Rule would:

• Require data providers to allow access to covered data through developer interfaces while prohibiting third parties' use of consumer interface credentials for screen scraping, which creates the risk of overcollection and unauthorized use of consumer data. However, rather than prohibiting screen scraping across the ecosystem, the Proposed Rule places the burden on data providers to prevent screen scraping, based on concerns with data providers relying on third parties' ability to use credential-based screen scraping to satisfy their obligations under CFPA section 1033, but does not consider screen scraping that occurs outside of the data providers' control. Further, the Proposed Rule only limits screen scraping of the developer interface, despite the fact that the majority of screen credential-based screen scraping occurring today is done on the consumer interface.
• Require third parties both to certify that they would collect, use, and retain the consumer's data only "to the extent reasonably necessary to provide the consumer's requested product or service" and to provide consumers with a "clear and conspicuous authorization disclosure" that describes the third parties' practices.
  • The Proposed Rule doesn't define "requested product or service," although the concept is key to the scope of the rule's applicability. The CFPB is seeking comment on whether the rule should include any additional requirements to ensure that the term is "narrowly tailored and specific such that it accurately describes the particular product or service that the consumer has requested."
• Prohibit third parties from engaging in certain activities that are not part of providing the requested product or service, including – but not limited to – targeted advertising, cross-selling of other products and services, and the sale of consumers' covered data.

Data providers, in turn, would need to ensure that third parties requesting access to consumer data are acting on behalf of a consumer and have complied with the specified authorization procedures. Data providers would be able to satisfy this requirement by receiving a copy of the third party's authorization disclosure signed by the consumer. Access to a consumer's data would have to be reauthorized annually, and consumers would have the right to revoke access at any time.

The Proposed Rule does not otherwise address the specific privacy regimes that would attach to data providers or third parties, including how data may be shared within those regimes. Presumably this is because the third-party recipients are acting on behalf of the consumer who is the subject of such information. Accordingly, it appears that, from the data provider's perspective, disclosure under Regulation P (12 C.F.R. 1016) is not in scope because the consumer (and the third-party recipient acting on their behalf) is not a "non-affiliated third-party." Alternatively, some data providers may want to bolster their position by considering this to be a disclosure to a third-party recipient pursuant to the consumer's consent or direction per 12 C.F.R. 1016.15(a)(1). While this would in turn impose limitations on re-use and re-disclosure under Section 11 on the third-party recipient, the third party's ability to re-use or re-disclose the information may be necessarily limited under the Proposed Rule (as noted above).

At the same time, the third-party recipient will need to adhere to its own privacy obligations, pursuant to its own privacy regime, in addition to the restrictions imposed by the Proposed Rule. While in many cases this may be under Regulation P (to the extent the third party is a Gramm-Leach-Bliley Act (GLBA) financial institution as well), it could be under other privacy laws, such as the California Consumer Privacy Act, where the third party recipient is not offering a financial product or service to the consumer.[7] Furthermore, the handoff between data providers, on the one hand, and authorized third parties and data aggregators, on the other hand, and the privacy regime that applies at any given point in time, may need to be further handled in the agreements between the two parties. It is notable that the Proposed Rule makes clear that data providers are not primarily responsible for enforcing a third-party recipient's compliance with law.

Relatedly, the CFPB – at least preliminarily – distinguished the scope of the Proposed Rule from the Fair Credit Reporting Act (FCRA). While not expressly addressed in the proposed regulations of the Proposed Rule, the CFPB discusses how a third-party recipient engaged in data aggregation activities, where the information at issue would be used for FCRA permissible purposes (such as underwriting a loan or insurance), may be a consumer reporting agency under the FCRA. As the Proposed Rule is developed, special care is needed to clearly delineate when a data aggregator is acting on behalf of the consumer (and thus subject to the Proposed Rule) versus acting as a consumer reporting agency (subject to the FCRA) – and, at the same time, when a financial institution is acting as a data provider (under the Proposed Rule) or a furnisher under the FCRA. This is especially important given that the Proposed Rule imposes accuracy requirements on data providers (which could overlap with a financial institution's accuracy obligations as a furnisher under FCRA), as well as the fact that the CFPB recently initiated its amended FCRA rulemaking process with its Outline of Proposals and Alternatives under Consideration.[8] Among other things, the Outline contemplates capturing "data brokers" as consumer reporting agencies—in some cases regardless of how the information will be used.

Information Security Safeguards

The Proposed Rule would require both data providers and third parties to maintain an information security program that complies with applicable rules issued under section 501 of the GLBA:[9]

• For data providers regulated by the federal banking agencies—the Federal Reserve Board, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation—the applicable security rules are codified in the Interagency Guidelines for Establishing Standards for Safeguarding Customer Information (the "Interagency Guidelines")[10].
• Non-bank financial institutions, such as alternative lenders and neobanks, subject to GLBA must comply with the Standards for Safeguarding Customer Information, commonly known as the "Safeguards Rule".[11]
• Data providers and third parties not subject to GLBA must comply with the requirements of the Safeguards Rule. When a third party uses a data aggregator to access covered data, the data aggregator must certify that it maintains an information security program that complies with the applicable GLBA security rules, or the FTC Safeguards Rule if the aggregator is not subject to GLBA.

Entities that are not yet compliant with the GLBA's information security requirements may find some provisions challenging to implement. For example, the FTC's Safeguards Rule requires covered financial institutions to, among other things, implement multifactor authentication (MFA) for any individual (customer, employee, etc.) accessing a covered information system,[12] encrypt all customer information in transit and at rest, continuously monitor the effectiveness of its information security program's controls, such as through penetration testing and vulnerability assessment, and provide annual written reports to its board of directors or other governing body regarding it information security program and risks.

Data providers and third parties must determine which of their systems are subject to the Proposed Rule's security requirements. The Proposed Rule states that data providers must apply a compliant information security program to the "developer interface," but which systems compromise the developer interface (Just the API? Are backend systems included as well?) is unstated. Third parties must apply their information security program to its "systems for the collection, use, and retention of covered data."

Business Continuity

The Proposed Rule would require a data provider's developer interfaces to have "commercially reasonable" performance. To meet this standard, the interface must have at least a 99.5 percent successful response rate (excluding scheduled downtime) but meeting that response rate is not sufficient to establish that the interface exhibits commercially reasonable performance.

The Proposed Rule provides two indicia that an interface meets this performance standard: compliance performance standards in a qualified industry standard and meeting performance standards achieved by "the developer interfaces established and maintained by similarly situated data providers." Compliance with this second indicium would require data providers to consistently monitor the performance of other providers' interfaces and evaluate whether they are meeting performance specifications consistent with those other developers who are "similarly situated." The Proposed Rule does not provide guidance on what makes data providers "similarly situated."

The CFPB notes that the Proposed Rule requires data providers to publicly disclose their response metrics, which it says will enable data providers to evaluate their performance against other providers.

Cost of Compliance

While data providers today do not typically charge data aggregators any fees for accessing consumer data, the Proposed Rule's ban on such fees for both consumers and authorized third parties will be impactful, as data providers will now have to build and maintain their platforms to comply with standards and meet performance requirements and support an increased number of third parties accessing data. Larger institutions will thus need to reserve resources to come into compliance with the Proposed Rule within as little as six months of the effective date.

The ban on fees will be particularly burdensome for smaller data providers who have limited resources and/or were not engaging with data aggregators at all. Under the Proposed Rule, these entities must secure resources to come into compliance within 4 years. We understand that small banks and credit unions are already voicing concerns about the Proposed Rule's cost of compliance.

Bank Risk and Supervision

The Proposed Rule would likely impact bank supervision in several ways:

• Banking regulators are likely to revisit assumptions about retail deposit "stickiness" and outflow assumptions as consumers enjoy even greater ease[13] of deposit account portability. The Proposed Rule notes that the "increased availability of consumer-authorized data may also lower the costs for a consumer switching financial institutions in search of higher deposit rates, lower fees, better service, or lower rates on credit products . . . [making] it easier for a consumer to move to a new institution by easing the transfer of funds and account information from the old institution to the new institution." Increased account portability—in conjunction with related regulatory developments[14]—could result in banks having to recalibrate liquidity risk for retail deposits and hold more high-quality liquid assets as a result.
• As data providers, banks would continue providing consumer financial data to data aggregators and third parties, meaning their relationships would continue to be governed by the federal banking regulators final third-party risk management guidance.[15] As a result:
  • Banks will need to revisit each party's ownership of and rights and responsibilities regarding personal data and other sensitive bank data. This review is essential for determining each party's obligations and how data could be used within and outside the partnership context.
  • Banks will also need to assess security risks to systems, data, and physical locations that support partnership operations and clearly delineate the parties' responsibilities to address those risks. In many cases, risks may be properly addressed through shared responsibilities by multiple parties.

In addition to managing third-party risk, banks would also need to carefully balance obligations to make consumer data available with ongoing security and safety and soundness requirements. The Proposed Rule would require data providers to make consumer data available to consumers and third parties (including data aggregators), but also acknowledges that: (i) depository institutions have legal obligations to operate in a safe and sound manner; (ii) depository institutions and nondepository institutions have security-related obligations; and (iii) regulatory guidance requires banking organizations to manage the risks arising from third-party relationships by conducting due diligence on third parties and implementing controls to identify threats that could result in unauthorized disclosure, misuse, alteration or destruction of customer data.

The Proposed Rule takes the third-party risk management guidance into consideration, stating that a data provider can reasonably deny a consumer or third party access to its interface based on risk management concerns, including if necessary to comply with the safety and soundness requirements or data security requirements in Federal law, but that such denials must be narrowly tailored to specific risk management concerns to avoid frustrating a consumer's right to access their data. As part of their risk management programs, data providers will need to maintain procedures for evaluating whether a third-party requestor maintains adequate data security safeguards to address risks identified by the data provider. Moreover, this exception to a data provider's data availability obligations raises questions around how agreements between data providers and third parties could allow data providers to comply with overlapping regulatory obligations while still ensuring robust data availability to consumers in compliance with a final rule.

Transactional

The Proposed Rule comes at a time when many data providers, data aggregators, and other third parties have already negotiated data access agreements based on the CFPB data aggregation "Consumer Protection Principles,"[16] and established robust ecosystems pursuant to these existing data access agreements and principles. Accordingly, the Proposed Rule could to some degree alter how these parties negotiate future agreements and require renegotiation of certain terms in existing data access agreements. In attempting to standardize elements of these relationships and data sharing practices, the Proposed Rule adds a new layer of complexity to these relationships – in addition to negotiating terms that are acceptable to each party and sufficiently address each party's broader regulatory compliance obligations and risk appetite, now the parties would also need to evaluate whether these agreements will be consistent with the final rule.

Some of the issues that the Proposed Rule raises in light of these implementation concerns include:

• Data Provider/Data Aggregator Relationship – The Proposed Rule provides little clarity regarding the relationship between the data provider and the data aggregator. Instead, the Proposed Rule focuses more on the relationships between the data provider and the third party, and the third party and consumer, with the data aggregator operating as a service provider to the third party. This is expected given that CFPA 1033 is focused on consumers' access to their data from their data providers; however, clarity around data provider/data aggregator relationships would be useful since the current state of the open banking ecosystem relies heavily on these data provider/data aggregator relationships to facilitate consumer data access. While data providers and data aggregators may eventually agree to standard terms and conditions for data access, the lack of guidance regarding these relationships implies that the CFPB is inclined to defer to data providers and data aggregators in negotiating and defining these relationships, subject to each party's compliance with the applicable sections of the Proposed Rule, which may frustrate the CFPB's goal of creating efficiency in data access.
• Secondary Uses of Covered Data – As noted above, the Proposed Rule is prescriptive regarding the scope of permitted use and retention of the consumer's data by the third party (including use by a third party's data aggregator), limiting use and retention to the extent reasonably necessary to provide the consumer's requested product or service and expressly excluding use and retention for targeted advertising, cross-selling of other products or services, or the sale of covered data. This represents a deviation from the position often taken by data aggregators and other third parties[17] – i.e., that broader use and retention should be permitted so long as the consumer is made aware of, and consents to, such broader use and retention. Although the CFPB acknowledges this deviation and asks for feedback on whether the final rule should permit third parties to solicit consumers' opt-in consent to some secondary uses of data, the CFPB appears certain, noting that secondary uses of data generally will not be consistent with meaningful consumer control over their data, and that consumers often do not know about various data uses and lack bargaining power to protect their data privacy. We expect that this issue will receive significant attention in the comments to the Proposed Rule since it directly impacts existing data aggregation and open banking ecosystem practices.
• Potential Impact on Back-End Deals – Section 421(c)(3) of the Proposed Rule states that a permitted use of covered data would be for "servicing or processing the product or service the consumer requested," but it is not clear whether the rule would impact back-end deals like those involving acquiring/processing or networks in addition to deals providing for consumer-facing products.[18]

Enforcement and Liability

Under the Proposed Rule, compliance would be enforced primarily by the CFPB, but certain provisions may be subject to private causes of action under other state or common law. In particular, the Proposed Rule includes certain requirements for third parties and data aggregators to certify their compliance, such as the third party or data aggregator authorization disclosures discussed above. The Proposed Rule would also require a third party to certify that it maintains written policies and procedures that are "reasonably designed" to meet the rule's objectives.[19] By requiring certification, the Proposed Rule would condition a third party's or data aggregator's access to consumer data on the party's express representation to the consumer that it will comply with the Proposed Rule. This could result in a consumer's having a cause of action under state consumer protection or common law for a breach of the certificate of compliance. The CFPB seems to have had this in mind. The Proposed Rule notes that certifications "would be helpful in allowing a consumer and the CFPB and other regulators to enforce these obligations if the data aggregator breaches these obligations."[20]

The Proposed Rule does not directly address allocation of liability among the participants in the event of fraud, breach, stolen credentials, etc. In such an event, each participant – data providers, third parties, data aggregators – would still be required to comply with their respective legal obligations under state and federal law. For data providers, that could include error resolution and limitations on consumer liability under Regulation E and Z. As a result, data providers and the third parties acting on behalf of a consumer may still need to address allocation of liability amongst themselves, notwithstanding their respective consumer protection obligations under applicable laws.

Conclusion

Beyond the above-identified gaps, critical implementation issues, and open questions in the Proposed Rule, there are a number of unanswered questions regarding competitive concerns (i.e., the extent to which a final rule could drive further consolidation), and more broadly, whether a final rule would, in practice, meet the CFPB's stated policy objectives.

Given the relatively short window for public comment, we would be happy to further discuss your particular questions and concerns, including on topics worthy of additional consideration.