10 minute read | October.24.2023
After over a decade of discussion regarding how best to balance the complex set of policy interests, the Consumer Financial Protection Bureau (CFPB) issued a notice of proposed rulemaking to implement section 1033 of the Dodd-Frank Act (1033 NPRM). The provision mandates—subject to rules prescribed by the CFPB—that consumer financial institutions provide consumers access to nonconfidential data about their financial product or service in a machine-readable format.
CFPB Director Rohit Chopra is an unabashed promoter of the promise of “open banking,” which he believes will promote competition and allow consumers “to earn higher rates on their savings, pay lower rates on their loans, and more efficiently manage their finances.” Consistent with Director Chopra’s vision, and as widely expected, the proposal would create a legal requirement to provide data access in a simplified, automated fashion. The 1033 NPRM limits its reach to certain financial institutions providing certain products, and conditions third parties’ ability to access this information on consumers’ informed consent, legally enforceable data security requirements, and limitations on the collection, use, and retention of consumers’ data.
Section 1033’s mandate could apply to any institution subject to the CFPB’s authority, including mortgage servicers, debt collectors, or any institution that offers or provides consumer credit (e.g., payday lenders, buy now, pay later providers, installment lenders, etc.).
The proposed rule, however, would start by imposing the information access mandate on firms that most commonly provide this access today – primarily banks that offer consumer checking or savings accounts or issue consumer credit cards. The rule would also apply to certain non-depository institutions that control or possess information concerning these types of accounts, including prepaid card providers, neobanks and digital wallet providers.
Depository institutions that do not offer mobile or online banking – mostly small banks and credit unions – are exempt.
The compliance dates for covered data providers are staggered. The largest institutions are required to comply within six months of publication of the final rule, the smallest in four years, and everyone else in between. The CFPB has said it intends to expand the rule over time to cover additional types of financial institutions, but it has so far rejected calls to begin with a broader rule.
The proposed rule would require these institutions, known as “data providers,” to make certain “covered data” in their possession or control available to consumers of their relevant products (e.g., depositors or credit card borrowers) or third parties authorized by those consumers. “Covered data” is defined as data about consumers’ accounts or credit cards of the type that consumers likely can already access through an online or mobile portal, including:
The CFPB narrowed the data it had indicated it might require institutions to provide, in part in response to concerns regarding fraud and consumer privacy.
Data providers would not have to disclose:
Moreover, the statutory language of section 1033 precludes the creation of any duty to maintain or keep any information about a consumer.
The proposed rule would prohibit the use of consumers’ credentials to access data and would prohibit “screen scraping.” Covered financial institutions would instead be required to develop application programming interfaces (APIs) that allow third parties to access consumer data in a consistent, accurate and secure fashion.
The data made available through these APIs must be in a standardized format, and the APIs are required to satisfy certain performance specifications (e.g., 99.5% of requests for data must be satisfied within 3.5 seconds) and data security requirements.
Data providers are prohibited from imposing access caps on third parties and must avoid excessive “downtime” for their APIs. Notwithstanding the expense these requirements impose on data providers, the CFPB has proposed prohibiting them from charging any direct fee for responding to a data request subject to the rule.
To address privacy and data security concerns, the CFPB has proposed a number of requirements on third parties, such as fintechs, who would seek to obtain this data with consumers’ permission, including:
Notably, these obligations apply whether a third party obtains data from the data provider or through a data aggregator. If, for example, a fintech relies on a data aggregator to obtain consumer data from a bank, the aggregator must comply with the same obligations regarding collection, use, and retention of data, data accuracy, and data security described above and must provide consumers with a separate certification that it has complied with those obligations. The fintech remains ultimately responsible, however, for ensuring that the authorization procedures are followed.
In addition, the CFPB does not propose prohibiting third parties from sharing consumers’ data with additional parties (e.g., service providers) to deliver the product or service. Those subsequent parties, however, must agree to meet the same obligations as the third party who obtained the consumer’s permission.
Acknowledging the pace of technological change in this area and its lack of comparative expertise, the CFPB has opted not to impose prescriptive technical standards for the format of data that is transmitted, the performance of APIs, data security or other technical standards. It has, instead, suggested that compliance with a “qualified industry standard” will constitute compliance (in the case of data format) or an indication of compliance with respect to technical standards.
However, the CFPB is seeking to limit a “qualified industry standard” to one established by a “fair, open, and inclusive standard-setting body” open to all relevant participants in the industry, including consumer advocates and civil rights organizations. The body must be transparent, balanced across participants, provide appropriate processes – including for appeals of determinations – and establish standards based on general agreement. Significantly, to issue qualified industry standards, a “standard-setting body” must have been recognized by the CFPB as an issuer of “qualified industry standards” within the past three years.
The CFPB’s reliance on such standards is consistent with Director Chopra’s statement that fair standards reflecting the interests of all participants “will be critical to the creation and maintenance of an open banking system” that best serves consumers. The agency has promised to provide additional information regarding the process for obtaining recognition as a standard-setting organization.
The CFPB would enforce the rule against non-depositories, and against banks and credit unions with more than $10 billion in assets, as is the case with other rules that implement a provision of Title X of the Dodd-Frank Act.
Federal banking agencies and the National Credit Union Administration would enforce the rule against banks and credit unions with less than $10 billion in assets. In addition, under section 1042 of the Dodd-Frank Act, State attorneys general and state regulators could enforce the rule against any institution subject to their jurisdiction, including national banks and federal savings associations.
The rule would not displace existing obligations, such as those under the Electronic Fund Transfer Act, Truth in Lending Act or GLBA, which are enforceable by the same agencies, as well as the FTC with respect to non-depositories. Nor would it displace consumers’ rights of actions under these or other laws that may be applicable.
Comments are due by December 29, 2023, the last business day of this year. This is a relatively short comment period for such an important rule. The time frame is necessary for the CFPB to meet Director Chopra’s stated goal of issuing a final rule by next fall.