In an effort to promote “open banking” and reduce “sticky banking”, make it easier for consumers to compare their current financial institution to competitors, and to generally increase competition among financial institutions, on October 19, 2023, the CFPB proposed a new Personal Financial Data Rights Rule, which, if it becomes final, will likely take effect early in 2024. Essentially, the proposed rule would require covered financial institutions to share their financial data about consumer accounts with the consumers and with competitor institutions if requested by the customer, without charging a fee. A copy of the proposed rule may be found here.
A copy of the CFPB’s announcement of the issuance of the proposed rule may be found here.
The CFPB asserts that the proposed rule will provide customers with more flexibility in choosing their financial institutions, and promote competition among financial institutions, and thus provide greater choices and more innovation for consumers. However, the proposed rule has already produced substantial criticism, including concerns about the costs for smaller institutions to conform to the rule and data privacy concerns.
Here is what the CFPB is proposing:
Compliance dates: The proposed mandatory compliance dates for different institutions range from 6 months after publication of the final rule for the largest institutions up to 4 years for the smallest institutions.
What persons, including financial institutions, would be covered: The rule would cover financial institutions, card issuers, and any other person that controls or possesses information concerning a covered consumer financial product or service the consumer obtained from that person.
A “financial institution” includes, with limited exceptions, a bank, savings association, credit union, or any other person that directly or indirectly holds an account belonging to a consumer, or that issues an access device and agrees with a consumer to provide electronic fund transfer services.
Under these definitions, coverage would extend to institutions like banks, consumer lenders and payment facilitation companies such as digital wallets.
However, the rule would not cover depository institutions that do not provide a “consumer interface” (an interface through which a data provider receives requests for covered data and makes available covered data in an electronic form usable by consumers in response to the requests).
Authorized third parties who are permitted by the consumer to access the consumer’s financial data from such data providers are also covered.
What types of accounts would be covered: The rule would give consumers and third parties they authorize the right to access financial information about accounts such as their checking and prepaid accounts, credit cards, and digital wallets, and transactions involving such accounts, and share it with third parties, including the bank’s competitors. Other accounts, such as mortgages, are NOT covered. However, CFPB Director Chopra stated that “We also intend to cover additional product types in future rulemaking, to continue to foster more competition and consumer choice throughout the market.”
What data is covered: The consumer financial data to be covered includes transaction histories, account balances and terms, scheduled payment details, and accountholder identifying information.
Covered financial institutions’ obligations under the proposed rule:
- Financial institutions would become obligated to provide requested covered consumer financial information to the requesting consumer or to a third party authorized by the consumer.
- Financial institutions would be obligated to have a developer interface, through which they receive requests for covered information and make the information available to authorized third parties. The interface must be able to perform reasonably.
- Financial institutions would not be allowed to charge a fee for customers accessing and transferring such data.
Obligations of institutions receiving such data: Institutions obtaining access to such data would have to limit their use of the data to the extent reasonably necessary to fulfill the consumer’s stated requested product or service. Such third parties would have to follow conditions that protect consumers from having their data used for unauthorized commercial purposes such as cross-selling, sale of the data, or targeted advertising.
Creation of industry standards monitored by the CFPB: The final rule would contain requirements to ensure that industry standards for access to and use of account information are fair, open and inclusive. The CFPB will be able to recognize standard-setting bodies, and institutions must follow such standards. If such standards are not available, they must utilize a format that is “widely used by the developer interfaces of other similarly situated data providers with respect to similar data and is readily usable by authorized third parties.”
As a leading national law firm with 11 offices in the western United States, Buchalter is recognized for its ability to provide sophisticated counseling in the full range of corporate and regulatory matters. Buchalter’s nationally known Financial Services Regulatory and Consumer Financial Services & Mortgage Regulatory Practice Groups provide counseling and analysis across the wide range of regulatory and compliance issues facing financial institutions, and the Group’s seasoned attorneys are experienced in the operational, compliance and risk management issues such as those raised by this proposed rule.