After over a decade of discussion regarding how best to balance the complex set of policy interests, the Consumer Financial Protection Bureau (CFPB) issued a notice of proposed rulemaking to implement section 1033 of the Dodd-Frank Act (1033 NPRM). The provision mandates—subject to rules prescribed by the CFPB—that consumer financial institutions provide consumers access to nonconfidential data about their financial product or service in machine readable format.

CFPB Director Rohit Chopra is an unabashed promoter of the promise of “open banking,” which he believes will promote competition and allow consumers “to earn higher rates on their savings, pay lower rates on their loans, and more efficiently manage their finances.” Consistent with Director Chopra’s vision and, as widely expected, the proposal would create a legal requirement to provide data access in a simplified, automated fashion. The 1033 NPRM limits its reach to only certain financial institutions providing certain products, and conditions third parties ability to access this information on consumer’s informed consent, legally enforceable data security requirements, and limitations on the collection, use, and retention of consumers’ data.

Who has to provide data?

Section 1033’s mandate could apply to any institution subject to the CFPB’s authority, including mortgage servicers, debt collectors, or any institution that offers or provides consumer credit (e.g., payday lenders, buy now, pay later providers, installment lenders, etc.).

The proposed rule, however, would start by imposing the information access mandate on firms that most commonly provide this access today – primarily banks that offer consumer checking or savings accounts or issue consumer credit cards. The rule would also apply to certain non-depository institutions that control or possess information concerning these types of accounts, including prepaid card providers, neobanks and digital wallet providers.

Depository institutions that do not offer mobile or online banking – mostly small banks and credit unions – are exempt.

What are the proposed deadlines for compliance?

The compliance dates for covered data providers are staggered. The largest institutions are required to comply within six months of publication of the final rule, the smallest in four years, and everyone else in between. The CFPB has said it intends to expand the rule over time to cover additional types of financial institutions, but it has so far rejected calls to begin with a broader rule.

What data do institutions have to provide?

The proposed rule would require these institutions, known as “data providers,” to make certain “covered data” in their possession or control available to consumers of their relevant products (e.g., depositors or credit card borrowers) or third parties authorized by those consumers. “Covered data” is defined as data about consumers’ accounts or credit cards of the type that consumers likely can already access through an online or mobile portal, including:

• Transaction information (e.g., amount, date, payee, etc.) relating to transactions that are underway, including, for example, debit card transactions that have been authorized but not yet settled and those that have occurred within the last two years (at a minimum).
• Account balance.
• Account and routing information (though this can be tokenized).
• Terms and conditions of the account (e.g., fee schedule, rate, rewards terms, overdraft coverage, existence of an arbitration agreement, etc.).
• Upcoming bill information (e.g., an upcoming utility bill or a minimum payment).

The CFPB narrowed the data it had indicated it might require institutions to provide, in part in response to concerns regarding fraud and consumer privacy.

What kind of data is protected from disclosure?

Data providers would not have to disclose:

• Confidential commercial information.
• Data collected solely to combat fraud.
• Data that is protected from disclosure (to someone other than the consumer) by other sources of law.
• Data that is not retrievable in the ordinary course of business.

Moreover, the statutory language of section 1033 precludes the creation of any duty to maintain or keep any information about a consumer.

What method must data providers use to transmit this data?

The proposed rule would prohibit the use of consumer’s credentials to access data and prohibit “screen scraping.” Covered financial institutions would instead be required to develop application program interfaces (APIs) to allow third parties to access consumer data in a consistent, accurate and secure fashion.

The data provided through these APIs must be provided in a standardized format, and the APIs are required to satisfy certain performance specifications (e.g., 99.5% of requests for data must be satisfied within 3.5 seconds) and data security requirements.

Data providers are prohibited from imposing access caps on third parties and must avoid excessive “downtime” for their APIs. Notwithstanding the expense these requirements impose on data providers, the CFPB has proposed prohibiting them from charging any direct fee for responding to a data request subject to the rule.

What conditions must third parties satisfy to obtain this data?

To address privacy and data security concerns, the CFPB has proposed a number of requirements on third parties, such as fintechs, who would seek to obtain this data with consumers’ permission, including:

• Express informed consent. The rule would require third parties to provide consumers (and ultimately data providers) with clear and conspicuous disclosures that set forth:
  • Key facts about the third party that will obtain access.
  • The data it will collect.
  • The products for which it will collect data.
  • A certification that it will comply with legal obligations (described below) relating to data security, data accuracy, and its collection, use, and retention of data.
  • A description of the mechanism consumers can use to revoke their authorization.
• Limitations on collection, use and retention of data. Third parties may collect, use and retain a consumer’s data only to the extent “reasonably necessary” to provide the consumer’s requested product or service. They are prohibited from using consumers’ data to engage in targeted advertising, cross-selling of other products or services or selling consumers’ data. They must obtain reauthorization from consumers within one year. If they fail to obtain reauthorization, they must cease collecting additional data and delete data they do not need to provide the covered product or service. We expect to see ongoing discussion of what activities will be deemed “reasonably necessary.”
• Data accuracy. Third parties must adopt policies and procedures to ensure the data they receive remains accurate during its transmission (i.e., reflects the same information that the data provider has).
• Adequate data security. Third parties’ data security must at least comply with section 501 of the Gramm Leach Bliley Act (GLBA). Indeed, the rule allows data providers to deny access to their interface if the third party cannot demonstrate it has adequate data security. The FTC Safeguards Rule implementing section 501 provides that a non-bank third party’s data security program must be “appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue,” so it is possible that the quality of third parties’ data security protections will be a source of friction between data providers and third parties.
• Allowing consumers to control their data. Third parties that obtain consumers’ authorization to collect data must make it easy for consumers to get a copy of the disclosures described above (e.g., on the fintech’s app or website). They also must provide consumers with an easy method to revoke authorization for third party access. Upon revocation, the third party must notify the data provider and any other third party (e.g., a data aggregator or service provider) that had access to the data to stop further collection and delete any data not necessary to providing the product or service.

Notably, these obligations apply whether a third party obtains data from the data provider or through a data aggregator. If, for example, a fintech relies on a data aggregator to obtain consumer data from a bank, the aggregator must comply with the same obligations regarding collection, use, and retention of data, data accuracy, and data security described above and must provide consumers with a separate certification that it has complied with those obligations. The fintech remains ultimately responsible, however, for ensuring that the authorization procedures are followed.

In addition, the CFPB does not propose prohibiting third parties from sharing consumers’ data with additional parties (e.g., service providers) to deliver the product or service. Those subsequent parties, however, must agree to meet the same obligations as the third party who obtained the consumer’s permission.

Who is going to flesh out the details?

Acknowledging the pace of technological change in this area and its lack of comparative expertise, the CFPB has opted not to impose prescriptive technical standards for the format of data that is transmitted, the performance of APIs, data security or other technical standards. It has, instead, suggested that compliance with a “qualified industry standard” will constitute compliance (in the case of data format) or an indication of compliance with respect to technical standards.

However, the CFPB is seeking to limit a “qualified industry standard” to one established by a “fair, open, and inclusive standard-setting body” open to all relevant participants in the industry, including consumer advocates and civil rights organizations. The body must be transparent, balanced across participants, provide appropriate processes – including for appeals of determination – and establish standards based on general agreement. Significantly, a “standard-setting body” must have been recognized by the CFPB as an issuer of “qualified industry standards” in the past three years to issue qualified industry standards.

The CFPB’s reliance on such standards is consistent with Director Chopra’s statement that fair standards reflecting the interests of all participants “will be critical to the creation and maintenance of an open banking system” that best serves consumers. The agency has promised to provide additional information regarding the process for obtaining recognition as a standard-setting organization.

Who is going to enforce these obligations?

The CFPB would enforce the rule against non-depositories and banks and credit unions with more than $10 billion in assets, as is the case with other rules that implement a provision of Title X of the Dodd-Frank Act.

Federal banking agencies and the National Credit Union Administration would enforce the rule against banks and credit unions with less than $10 billion in assets. In addition, under section 1042 of the Dodd-Frank Act, State attorneys general and state regulators could enforce the rule against any institution subject to their jurisdiction, including national banks and federal savings associations.

The rule would not displace existing obligations, such as those under the Electronic Fund Transfer Act, Truth in Lending Act or GLBA, which are enforceable by the same agencies, as well as the FTC with respect to non-depositories. Nor would it displace consumers’ rights of actions under these or other laws that may be applicable.

What’s next?

Comments are due by December 29, 2023, the last business day of this year. This is a relatively short comment period for such an important rule. The time frame is necessary for the CFPB to meet Director Chopra’s stated goal of issuing a final rule by next fall.

Additional thoughts on section 1033

Listen to our RegFi podcast on the proposed rule.