CFPB action to date on Personal Financial Data Rights

The following memorandum summarizes likely obligations for banks and non-banks under a forthcoming (expected October 2024) rulemaking to be issued by the Consumer Financial Protection Bureau (CFPB). Once the final rule is issued, all bank and non-bank covered persons who maintain a consumer interface, such as online banking, must comply pursuant to a staggered schedule based on asset and revenue thresholds and depending on whether the data provider is a depository institution or a nondepository institution. Certain banks and non-banks may have as little as six months from the final rule’s effective date to comply by establishing a data interface through which third parties can request and access information regarding Regulation Z credit card and Regulation E accounts.

Background

Pursuant to Dodd-Frank Act section 1033’s requirement that bank and non-bank financial institutions make account and transaction data available to a consumer upon request, the CFPB has embarked on a series of steps toward “open banking” rules with a focus on consumer rights to their own data in order to more easily use third-party financial applications and switch among financial service providers. Currently, when an app is downloaded and secures the ability to connect to a bank, there are few and non-uniform rules governing the third party’s relationship with either the consumer or the financial institution from which it sources the data as to how the third party keeps the data, uses the data, etc.

Since October of 2016, when it published a Request for Information seeking comments about consumer access to financial account and account-related information,2 the CFPB has been actively gathering data, conducting a small business review panel, and drafting rules related to consumer financial data. A final rule is expected as soon as October 2024.

In October of 2023, the CFPB issued a proposed rule outlining its vision for ensuring customers have access to their personal financial data. Additionally, in June of 2024, the CFPB issued a final rule implementing standard-setting provisions of the October 2023 proposed rule. The memo discusses certain notable steps of the CFPB’s rulemaking process below.

Section 1033 of the Consumer Financial Protection Act (CFPA)

Section 1033(a) of Title X of the Dodd-Frank Act (also called the “Consumer Financial Protection Act” or the “CFPA”) mandates the CFPB to prescribe rules requiring:

a covered person [to] make available to a consumer, upon request, information in the control or possession of the covered person concerning the consumer financial product or service that the consumer obtained from such covered person, including information relating to any transaction, series of transactions, or to the account including costs, charges and usage data.3

In addition, Section 1033(d) states

[t]he Bureau, by rule, shall prescribe standards applicable to covered persons to promote the development and use of standardized formats for information, including through the use of machine readable files, to be made available to consumers under this section.

Advanced notice of proposed rulemaking

On October 22, 2020, the CFPB released an Advanced Notice of Proposed Rulemaking (ANPR) soliciting comments from industry to inform the CFPB’s implementation of Section 1033 of the CFPA.4 The ANPR summarized the Dodd-Frank Act’s description of consumer rights to access their financial records, provided defined terms, presented an overview of data access, summarized the CFPB’s actions to date related to consumer-authorized data access, and included questions for industry about how the CFPB could provide effective regulatory guidance in the area.

Small Business Regulatory Enforcement Fairness Act of 1996 obligations

Dodd-Frank also requires that the CFPB comply with the Small Business Regulatory Enforcement Fairness Act of 1996 (SBREFA), which demands federal agencies “consult with representatives of small entities likely to be affected directly by the regulations the [Agency] is considering proposing and to obtain feedback on the likely impacts the rules the [Agency] is considering would have on small entities.”5

Pursuant to the SBREFA, the CFPB issued an “Outline of Proposals and Alternatives under Consideration for the Required Rulemaking on Personal Financial Data Rights.”6 Further, the CFPB organized a Small Business Review Panel, which includes representatives from the CFPB, the Small Business Administration’s Chief Counsel for Advocacy, and the Office of Information and Regulatory Affairs in the Office of Management and Budget, and held two Panel meetings convening 18 small businesses selected as small entity representatives. The Panel issued its report on April 3, 2023.7

Proposed Rule – Required rulemaking on personal financial data rights8

On October 31, 2023, CFPB published a proposed rule to implement Section 1033 of the CFPA. It would require “depository and nondepository entities to make available to consumers and authorized third parties certain data relating to consumers’ transactions and accounts; establish obligations for third parties accessing a consumer’s data; provide basic standards for data access; and promote fair, open, and inclusive industry standards.”

Scope of the proposed rule

The proposed rule identifies three classes of entities—data providers, authorized third parties, and data aggregators. The proposed rule also defines the covered financial product or service, specifically accounts covered by Regulation Z and Regulation E, and outlines what types of data would be included in the requirement.

Data Providers, Authorized Third Parties, and Data Aggregators. The proposed rule defines “data providers” as financial institutions, card issuers, or “any other person that controls or possesses information concerning a covered consumer financial product or service the consumer obtained from that person.” However, data providers “that are depository institutions that do not have a consumer interface” are excluded from the rule’s requirements. “Authorized third parties” are those third parties that have complied with certain authorization procedures and “seek access to covered data from a data provider on behalf of a consumer to provide a product or service the consumer requested.” “Data aggregators” are those entities used by authorized third parties to access the covered data on behalf of a consumer.

Covered Financial Product or Service. The proposed rule initially limits the scope of covered financial products and services to “Regulation E accounts,” “Regulation Z credit cards,” and “the facilitation of payments from a Regulation E account or Regulation Z credit card.” The CFPB is likely to add additional types of products and services to the scope of the rule over time.

Covered Data. “Covered data” is defined as “[t]ransaction information, including historical transaction information in the control or possession of the data provider [], account balance, information to initiate payment to or from a Regulation E account, terms and conditions, upcoming bill information, [and] basic account verification information.” The proposed rule excludes “confidential commercial information,” “[a]ny information collected by the data provider for the sole purpose of preventing fraud or money laundering, or detecting, or making any report regarding other unlawful or potentially unlawful conduct,” “[a]ny information required to be kept confidential by any other provision of law,” and “[a]ny information that the data provider cannot retrieve in the ordinary course of its business with respect to that information.”

Requirements

Data Providers. The proposed rule requires that data providers “establish and maintain [consumer and developer] interfaces” to enable consumer requests of their covered data and “make available to a consumer or an authorized third party covered data in a machine-readable file,” including certain documentation like “meta data describing all covered data and their corresponding data fields, and other documentation sufficient for a third party to access and use the interface.” Data providers are also prohibited from charging fees to consumers or authorized third-parties for accessing the data.

Authorized Third-Parties. The proposed rule also imposes certain notable obligations on authorized third-parties. Authorized third-parties must:

  1. “limit [their] collection, use, and retention of covered data to what is reasonably necessary to provide the consumer’s requested product or service.” Authorized third-parties may not use the data for targeted advertising, the cross-selling of other products or services, or sale;
  2. “[o]btain the consumer’s express informed consent [in writing] to access covered data on behalf of the consumer.” The signed “authorization disclosure” must contain certain information including “the categories of covered data that will be accessed,” “[a] brief description of the product or service that the consumer has requested the third party identified,” a “certification statement,” and more. Consumers may revoke the third-party’s access to covered data, including for particular products or services;
  3. limit “the duration of covered data to a maximum period of one year after the consumer’s most recent authorization;” and
  4. “establish and maintain written policies and procedures that are reasonably designed to ensure that covered data are accurately received from a data provider and accurately provided to another third party, if applicable.”

Data aggregators used by authorized third-parties are also subject to the same obligations as authorized third-parties.

Standard Setting. The proposed rule also outlines several requirements to ensure industry standards are fair, open, and inclusive, requiring standard-setting bodies to have certain attributes including: openness, balance, due process, appeals, consensus, and transparency. We discuss the standard setting authorization process in much greater detail below.

Phased approach

Once the final rule is issued, data providers must comply pursuant to a staggered schedule set based on asset and revenue thresholds and depending on whether the data provider is a depository institution or a nondepository institution. The schedule requires compliance within:

  • Six months: “for data providers that are depository institution data providers that hold at least $500 billion in total assets” and nondepository institution data providers generating at least $10 billion in revenue in the preceding calendar year or are projected to generate at least $10 billion in revenue in the current calendar year.

  • One year: “for data providers that are [d]epository institutions that hold at least $50 billion in total assets but less than $500 billion in total assets or [n]ondepository institutions that generated less than $10 billion in revenue in the preceding calendar year and are projected to generate less than $10 billion in revenue in the current calendar year.”

  • Two and a half years: “for depository institutions that hold at least $850 million in total assets but less than $50 billion in total assets.”

  • Four years: “for depository institutions that hold less than $850 million in total assets.”

Final Rule – Required rulemaking on personal financial data rights9

On June 11, 2024, the CFPB issued a final rule revising and finalizing part of the proposed rule’s section 1033.131 (definitions) and all of proposed section 1033.141 (attributes a standard-setting body must demonstrate in order to be recognized by the CFPB).

Primarily, the final rule:

  1. Establishes minimum attributes a standard-setting body must possess to receive CFPB recognition and to issue consensus standards when the full rule is finalized; and
  2. Explains the CFPB process for how standard setters apply for CFPB recognition.

Industry standard setting

To become a recognized “standard-setting body,” the organization must request CFPB recognition and demonstrate it satisfies the following attributes:

  1. Openness. The final rule requires the standard-setting body to demonstrate that its sources, procedures, and processes are open to all interested parties. The final rule explicitly lists certain stakeholders—consumer and other public interest groups with expertise in consumer protection, financial services, community development, fair lending, and civil rights; authorized third-parties; data providers; data recipients; data aggregators and other providers of services to authorized third parties; and relevant trade associations—as “interested third parties.” The standard-setting body must show that these parties can “meaningfully participate in standards development on a non-discriminatory basis.” The final rule clarifies that source materials must be available to all third-parties—even those outside the standard-setting body’s membership—to reference.
  2. Balance. The final rule explains that the CFPB must evaluate “balance” by determining “whether the standard-setting body’s decision-making power is balanced across all interested parties . . . and is reflected at all levels of the standard-setting body.” Further, CFPB evaluates whether there is “meaningful representation for large and small commercial entities,” where “[n]o single interest or set of interests dominates decision-making.” In addition, the final rule clarifies “that if a participant plays multiple roles, the weight of that participant’s role will be factored into the balance consideration.” For example, “if a participant has a vote as a data provider but their primary business is as a third party, this could suggest that the standard-setting body is not balanced.” “Similarly, the CFPB can look at the ownership of a participant to determine to what degree the role and form of that entity’s participation in the standard-setting body furthers or hinders the body’s balance.”
  3. Due Process and Appeals. In considering “due process,” the final rule requires the CFPB to consider whether “a standard-setting body uses documented and publicly available policies and procedures, and it provides adequate notice of meetings and standards development, sufficient time to review drafts and prepare views and objections, access to views and objections of other participants, and a fair and impartial process for resolving conflicting views.” The CFPB must also consider whether the standard-setting body implements an impartial appeals process. The final rule rebuffed a commenter’s request to include express language about “anonymity of participant dialogue to encourage open dialogue among the members of the standard-setting body” only because the CFPB finds “such protection is already provided by the final rule.” More specifically, the final rule states, “[s]tandard-setting bodies are not precluded from making viewpoints anonymous, so long as such anonymity policies do not have the potential to undermine a final openness, transparency, or due process attribute.”
  4. Consensus. The CFPB must review “whether the standards development processes would proceed by consensus, defined as general agreement but not unanimity.” The final rule added the language specifying that consensus does not necessarily require unanimity. The final rule also requires standard-setting bodies to consider comments and objections “using fair, impartial, open, and transparent processes.”
  5. Transparency. The final rule requires the CFPB to review the standard-setting body’s “procedures and processes for participating in standards development” to ensure they are “transparent to participants and publicly available.” Again, the final rule explains that viewpoints can be made anonymous so long as the anonymity does not “undermine a final openness, transparency, or due process attribute.”
  6. Additional Attributes. While, in the proposed rule, the CFPB requested comment on whether it should consider additional attributes when evaluating a standard-setting body for recognition, it declined to do so in the final rule. One commenter requested the CFPB consider “the relevance of standards that a standard-setting body adopts”; however, the final rule does not include an additional “relevance” attribute. The final rule does point out that “demonstrating the attributes in this final rule is the minimum requirement for recognition; accordingly, the CFPB may consider other information when reviewing an application for recognition, including whether the standard-setting body will adopt and maintain standards relevant to open banking.”

Procedures for recognition

The final rule also provides a step-by-step guide for “how standard setters should apply for recognition, how the CFPB evaluates the applications, and what standard setters can expect once recognized.”

  1. Requesting recognition. Prospective standard setting organizations should submit, to the CFPB, a written request for recognition including “key contact information, evidence of [the] organization’s policies and practices, and an explanation of how [the] organization satisfies each of the requirements in the Personal Financial Data Rights rule to be a recognized standard setter.” The procedures also allow for pre-filing meetings so that applicants can work with the CFPB to submit a complete application.
  2. Additional Information and Public Comment. Once the application is submitted, the CFPB may publish the application to “enable stakeholders who believe the application is deficient to bring the CFPB’s attention to any evidence that might substantiate such claims of deficiency.” In the event such evidence surfaces, the applicant must “provide written responses to any such claims, which the CFPB can then consider as part of its review.”
  3. CFPB Review. The CFPB will evaluate the complete application “to evaluate whether the applicant satisfies the [five attributes].” The CFPB will also consider “whether the information provided in the application is accurate and complete” and “how granting a recognition request might support its own role in open banking pursuant to its CFPA section 1033 authority.”
  4. Application Decision. The CFPB will either grant the recognition, decline the recognition, or provide contingent recognition “to an applicant that has presented a satisfactory written plan specifying how and when it will address contingencies that the CFPB has identified.” The CFPB will issue contingent recognitions when “it determines that an applicant is close to realizing, but has not yet realized, recognition requirements.” For example, “if the CFPB grants recognition based on the intention of a standard setter to develop and publish a consensus standard on a given subject matter, the CFPB may condition recognition on good faith efforts to develop a consensus standard in the given area.” The contingent recognition will become formal when the “applicant presents sufficient evidence that it has addressed such contingencies.” All CFPB recognitions will be publicly disclosed on the CFPB website. Denials will also be published, “as required by law.” Similarly, conditional recognitions will be published, “along with the applicable terms and conditions of such recognition.”
  5. Post-Recognition. The final rule outlines how the recognized standard setter-CFPB relationship will look after recognition. For example, recognized standard setters must “agree that the CFPB may monitor [the] organization and that [the organization] will provide information that [the CFPB] request[s].” Organizations must also notify the CFPB, within 10 days, of any material change in information submitted with its application and “any reason [the] organization may no longer meet underlying requirements for recognition.” In addition, organizations must agree to comply with “other specified terms and conditions” of recognition.
  6. Re-Recognition. Recognition lasts up to five years. The procedures explain that recognized standard-setters “can apply for re-recognition by re-starting at Step One at least 180 days before expiration.” The CFPB “may temporarily extend a recognition while a re-recognition is pending.”

Conclusion: Start planning for Third-Party Access to consumers’ account data

Bank and non-bank financial services institutions should start planning now for third-party data requests under the CFPB’s data access rule. Although the CFPB has not made public any information about which standard setting organization it will choose, and that selectee will first have to publish data specifications for the Application Programming Interface (API) that will connect data providers with third parties, CFPB covered persons should already be reviewing their data governance policies and procedures, IT infrastructure regarding Regulation Z and Regulation E accounts, and consumer account disclosures in order to prepare for the final rulemaking and implementation period.

Authored by Liz Boison, Mark Brennan, James Denvil, Sara Lenet, Nathan Salminen, and Roshni Patel.

1 Public Law 11-203 (July 21, 2010).

2 81 FR 83,806 (Oct. 18, 2017), https://www.govinfo.gov/content/pkg/FR-2016-11-22/pdf/2016-28086.pdf.

3 Dodd-Frank Act section 1033(a), 124 Stat. 2008 (codified at 12 U.S.C. 5533(a)).

4 85 FR 71,003 (Nov. 6, 2020), https://www.govinfo.gov/content/pkg/FR-2020-11-06/pdf/2020-23723.pdf.

5 Press Release, Consumer Financial Protection Board, High-Level Summary and Discussion Guide of Outline of Proposals and Alternatives Under Consideration for SBREFA: Required Rulemaking on Personal Financial Data Rights, https://files.consumerfinance.gov/f/documents/cfpb_data-rights-rulemaking-1033-SBREFA-high-level-summary-discussion-guide_2022-10.pdf.

6 Consumer Fin. Prot. Bureau, Small Business Advisory Review Panel for Required Rulemaking on Personal Financial Data Rights, Outline of Proposals and Alternatives under Consideration (Oct. 27, 2022), https://files.consumerfinance.gov/f/documents/cfpb_data-rights-rulemaking-1033-SBREFA_outline_2022-10.pdf.

7 Consumer Fin. Prot. Bureau, Final Report of the Small Business Review Panel on the CFPB’s Proposals and Alternatives Under Consideration for the Required Rulemaking on Personal Financial Data Rights (Mar. 30, 2023), https://files.consumerfinance.gov/f/documents/cfpb_1033-data-rights-rule-sbrefa-panel-report_2023-03.pdf.

8 88 FR 74,796 (Oct. 31, 2023), https://files.consumerfinance.gov/f/documents/cfpb-1033-nprm-fr-notice_2023-10.pdf (all the information and quotes in this section are derived from the October 31 proposed rule).

9 89 FR 49,084 (Jun. 11, 2024) (all the information and quotes in this section are derived from the June 11 final rule).
