Partner | Financial Regulation
On Thursday, October 19, 2023, the Consumer Financial Protection Bureau (“CFPB”) released a proposed rule addressing “personal data financial rights”, as we reported last week that they would be doing later in October. The proposed rule (comments due December 29, 2023) provides a comprehensive, but newfangled, approach to regulating the collection, use, sharing and maintenance of financial data by a wide variety of participants.
The full text of the Federal Register notice containing the proposed rule is 299 pages and includes a variety of new concepts. Therefore, the Cabinet will provide installments over the next three weeks looking at the different sections of the proposed rule. This week’s installment will discuss what the CFPB says about why it is proposing this rule and will give a high-level overview. Next week, we will have two installments, one which will focus on the scope of the rule, in terms of entities that would need to comply with the rule as proposed, as well as the scope of financial data that will be impacted. The other installment that will be published next week will get into the obligations that would be imposed upon the entities and examine some of the technology concepts. And the final week, we will examine how the proposed rule works (or may not work) vis-à-vis existing laws and some of the finer points and concepts.
The CFPB released the proposed rule in conjunction with a press release titled “CFPB Proposes Rule to Jumpstart Competition and Accelerate Shift to Open Banking.” Necessarily, it is important to understand what the CFPB means when it refers to “open banking.” A footnote explains that, for purposes of the proposed rule, the CFPB “generally uses the term ‘open banking’ to refer to the network of entities sharing personal financial data with consumer authorization.” That network of entities includes the financial institutions that issue payment devices, manage bank accounts and originate credit, but also extends to non-bank financial institutions and technology companies that provide products and services such as digital wallets and personal financial management services, as well as to payment networks and any party that “controls or possesses information concerning a covered financial product or service” offered by that party.
Why does the CFPB care about whether the industry shifts to open banking? As explained in prepared remarks accompanying the proposed rule by CFPB Director Rohit Chopra, the end goal of “open banking” would be to create a “more decentralized market structure [that] will give consumers more control and minimize the ability for companies to take customers for granted” by giving consumers more control over their personal financial data, which in turn will make it easier for them to switch financial service providers. Chopra remarks that because consumers would be empowered to carry their entire personal financial data history with them, should they choose to switch providers, “You won’t lose your transaction history, which effectively serves as a life ledger. You won’t have to start over with a new firm that has less history with you and that is less likely to offer you better deals.”
Turning back to the text of the proposed rule, however, we can glean additional motives underlying these public relations talking points. Specifically, the CFPB focuses upon new players in the financial markets that are not regulated as financial institutions, but who interact with consumer financial data through authorizations and technologies such as screen-scraping and APIs. The CFPB designates these new, non-bank players as “data aggregators” and points out that these “aggregators currently function as connectors and, as a practical matter, standardize how many third parties receive data. As such, they accrue economic benefits from the system’s inability to scale [to] open industry standards.” The CFPB then goes on to explain that the dependency many financial institutions, as well as consumers, have developed upon the handful of data aggregators that have emerged allows these aggregators to stifle competition and self-deal. Accordingly, the CFPB envisions this proposed rule as being a crucial step to not only encourage open banking, but also to improve competition among all participants in the consumer payments system, preventing the “entrenching [of] the roles of data providers, intermediaries and third parties.”
As mentioned, we will have additional installments looking more closely at various aspects of the proposed rule, but, in sum, the proposed rule seeks to oblige financial institutions and other covered entities to make personal financial data available to consumers such that they may obtain and transfer their entire transactional history, among other personal financial data, to third parties of their choosing. The covered entities would also be required to collect and maintain only that information about consumers that is necessary to carry out the transactions requested by them, and would prohibit the entities from using any information for targeted or behavioral advertising purposes. The proposed rule also seeks to establish a method that would ensure that the personal financial data would be provided in electronic formats that are standardized and that are accessible through an electronic “consumer interface” maintained by each covered entity.
Early industry reactions to the proposed rule have been cautiously supportive of the proposed rule, with the American Bankers Association remarking, “we firmly believe that other entities that are granted access to consumers’ data must be held not only to the same high standards but also to the same level of supervision related to data security, privacy, and consumer protection that banks must meet every day,” while also pointing out the costs and difficulties in implementing some of the provisions.