KEY TAKEAWAYS

Consumer Financial Protection Bureau Releases Final Rule on Personal Financial Data Rights

OCTOBER 22, 2024

What Happened

 

Today, the Consumer Financial Protection Bureau (CFPB) issued a final rule implementing section 1033 of the Dodd-Frank Act (the 1033 Final Rule) requiring data providers, including banks, to share consumers’ data with several different third parties. This rule is referred to by some as an “open banking” rulemaking.

 

This long-awaited rule builds off of the CFPB’s October 2023 notice of proposed rulemaking (October Proposal) to implement section 1033 of the Dodd-Frank Act and October 2022 Small Business Regulatory Enforcement Fairness Act (SBREFA) outline on consumers’ personal financial data rights. In June 2024, the CFPB previously finalized part of this rule regarding the minimum attributes a standard-setting body must possess to receive CFPB recognition and to issue consensus standards. 

 

Significant Provisions of the Final Rule

 

Earlier this month, CBA highlighted a few of the many issues that would impact members. The list below identifies the similarities and differences between what the CFPB proposed in the October Proposal, and what it has finalized today.

 

Compliance Timelines

 

  • October Proposal: The October Proposal proposed to require the largest depository institutions to comply with the final rule within six months after publication, while the smallest institutions would have four years to comply.


  • CBA’s Position: The CFPB should provide the largest institutions with a minimum of two years to comply with the final rule.


  • Today’s Final Rule: Compliance dates have been extended as follows:

 

  • The largest depository institutions – those that hold at least $250 billion in total assets – will need to comply with the Final Rule by April 1, 2026.


  • Note: The group of depository institutions that will need to comply with the earliest compliance date has expanded. The October Proposal subjected institutions with at least $500 billion in total assets to the earliest compliance date; the Final Rule has reduced that threshold to $250 billion.

 

  • Depository institutions holding at least $10 billion, but less than $250 billion in total assets, will have until April 1, 2027, to comply with the Final Rule.


  • Depository institutions holding at least $3 billion, but less than $10 billion in total assets, will have until April 1, 2028, to comply with the Final Rule.


  • Depository institutions holding at least $1.5 billion, but less than $3 billion in total assets, will have until April 1, 2029, to comply.


  • Depository institutions holding at least $850 million, but less than $1.5 billion in total assets, will have until April 1, 2030, to comply. 


  • As discussed below, depository institutions holding less than $850 million in total assets are exempt from obligations for data providers under the Final Rule.

 

Sharing of Payments Information

 

  • October Proposal: Among the categories of data that would need to be shared, the October Proposal included “information to initiate payment to or from a Regulation E account,” meaning account numbers and routing numbers that can be used to initiate a transfer.


  • CBA’s Position: CBA cautioned the CFPB against including the sharing of payment initiation information, emphasizing that sharing this information may make third parties an increased target for data breaches and that compromised credentials could be used to initiate fraudulent transactions.


  • Today’s Final Rule: The Final Rule is consistent with the October Proposal. “Information to initiate a payment to or from a Regulation E account directly or indirectly held by the data provider” must be shared as “covered data.” 

 

Fee Prohibitions

 

  • October Proposal: Under the October Proposal, data providers are prohibited from imposing any fees or charges on third parties accessing consumer data.  


  • CBA’s Position: Data providers should be allowed to recover costs of development and maintenance of the new interfaces for accessing data through reasonable and proportional fees to third parties and data aggregators accessing consumer data. In fact, European regulators are now considering expressly clarifying that such “reasonable compensation from data users” would be appropriate in their versions of “open banking” regulation.


  • Today’s Final Rule: The Final Rule is consistent with the October Proposal. Data providers may not impose any fees or charges on consumers or third parties accessing consumer data. 

 

Minimum Performance Specifications


  • October Proposal: The October Proposal set out various highly-specific performance requirements for the interfaces third parties will be using to access consumer data. For example, the interface would need to have a response time of no more than 3,500 milliseconds and a response rate no less than 99.5 percent.


  • CBA’s Position: The CFPB should avoid setting numerical standards for technology in the final rule, as this could lock industry into legacy technologies and standards that may not address needs in an evolving market.


  • Today’s Final Rule: Some of the minimum performance specifications have been adjusted in the Final Rule. The Final Rule still requires a response rate no less than 99.5 percent, but specifies that the response rate is calculated “in each calendar month.” The Final Rule does not include the October Proposal’s mandate of a response time of no more than 3,500 milliseconds. Instead, the Final Rule requires that the response time be “commercially reasonable,” and indicia that a response time is commercially reasonable include conformance to an applicable consensus standard.

 

Secondary Use Limitations

 

  • October Proposal: The October Proposal proposed to prohibit the secondary use of consumer data by third parties for targeted advertising, cross-selling of other products or services, and the sale of data.


  • CBA’s Position: CBA requested greater clarity on secondary use limitations, particularly for how to determine “primary” or “secondary” use. CBA also recommended that the CFPB include an express prohibition on reverse engineering a data provider’s confidential, proprietary information or other trade secrets.


  • Today’s Final Rule: The Final Rule maintains the same explicit prohibitions on targeted advertising, cross-selling of other products or services, and the sale of covered data that were proposed in the October Proposal. The Final Rule did not add an explicit prohibition on reverse engineering. However, the Final Rule explicitly allows for the use of covered data for “uses that are reasonably necessary to improve the product or service the consumer requested.”

 

Institution Carve Outs

 

  • October Proposal: The October Proposal did not contain any carve outs for institutions based on size, and instead imposed rolling compliance dates for all data providers based on their size.


  • CBA’s Position: CBA did not support any carve outs from compliance with the final rule for institutions based on their size. 


  • Today’s Final Rule: The Final Rule added a carve out. Depository institutions with less than $850 million in assets are not covered as data providers, and thus do not need to comply with obligations for data providers under the Final Rule.  

 

There were several other issues that CBA expressed concerns about that were not addressed in the October Proposal. These include:

 

  • Screen Scraping: The October Proposal did not contain an express prohibition of screen scraping, which is when a third party uses consumer credentials to log into a consumer’s account to retrieve data. CBA has long advocated for the practice of screen scraping to be sunsetted. Despite the CFPB’s claim that the Final Rule “helps move the industry away from ‘screen scraping,’” the Final Rule does not contain an express prohibition on screen scraping. Indeed, the CFPB notes that it “plans to monitor the market to evaluate whether data providers are blocking screen scraping without a bona fide and particularized risk management concern or without making a more secure and structured method of data access available.”

 

  • Liability Framework: The Final Rule, much like the October Proposal, presupposes that existing liability frameworks, specifically the Electronic Fund Transfer Act and its implementing regulation, Regulation E, along with bilateral contracts, would be adequate for allocating liability among all of the new parties that would be accessing consumer data. CBA has continuously cautioned that this is not correct. Particularly in light of the rising rates of scams and fraud, current protections do not sufficiently map onto third parties and data aggregators, who are the parties with the greatest ability to prevent consumer harm stemming from access to their data. 

 

  • The CFPB asserts that “it would not be appropriate for this rule to impose a comprehensive approach to assigning liability among commercial entities or safe harbors from the requirements of [the Electronic Fund Transfer Act (EFTA)] and Regulation E or [the Truth in Lending Act (TILA)] and Regulation Z.” 

 

  • The CFPB in the Final Rule further summarizes that “consumers have a statutory right under EFTA to resolve errors through their financial institution, while private network rules, contracts, and other laws address which payment market participant is ultimately liable for unauthorized transfers and other payment errors… the U.S. payment system allows non-bank payees to initiate payments through their depository institution, and those partner depository institutions also bear responsibility for who is allowed to access the payment networks.”

 

  • The CFPB was also unpersuaded by arguments provided by industry about the need for greater clarity on liability. The CFPB asserted that “commenters did not provide legal analysis or factual evidence about the likelihood that data providers would actually incur legal liability under these laws when consumers request, or Federal law requires, they make data available to a third party that subsequently misuses or mishandles the data. While some commenters stated that consumers would be likely to seek to recoup from the data provider losses arising from third party conduct, it is not clear to what extent that is likely to occur when losses arise from a third party to which the consumer requested the data provider make information available.”

 

  • Scope of Coverage: The Final Rule mirrors the October Proposal’s scope of coverage, focusing just on asset accounts and credit card accounts, along with facilitation of payments from such accounts. The Final Rule, though, specifies that “products or services that merely facilitate first party payments” are excluded from coverage. CBA recommended that the CFPB broaden the scope of coverage to include not just asset accounts and credit card accounts, but also credit products like auto loan accounts and non-bank credit alternatives, like Buy Now Pay Later products and Electronic Benefit Transfer cards.

 

What CBA is Saying

 

In response to today’s announcement, CBA President and CEO Lindsey Johnson said:


“CBA fully supports consumers having access to their own personal financial information, as required under Section 1033 of the Dodd-Frank Act. The CFPB, though, has contorted this very clear and limited statute into enabling thousands of third parties to access consumers’ data. In doing so, the CFPB far exceeds its statutory authority. We have long argued that the CFPB does not have the statutory authority to use this rulemaking to prescribe an open banking regime. 

 

“Moreover, CBA continues to strongly object to the CFPB’s inaccurate assertions that this rulemaking is needed to increase competition in the marketplace. Indeed, the consumer credit card and deposit account markets specifically are highly competitive and the CFPB should not rely on mischaracterizations of the marketplace to justify the necessity of this rulemaking. 

 

“Many CBA members support an open-banking framework. Nevertheless, even if the Bureau has the statutory authority to utilize this rulemaking to introduce an open banking framework, this final rule severely misses the mark as it failed to incorporate much of the critical feedback provided by industry through the comment period. This has created an even less durable final rule that does not reflect market, technological, and practical realities.”


What's Next?

 

The Final Rule is set to be effective 60 days after publication in the Federal Register. As of today, the Final Rule has not yet been published in the Federal Register.

 

CBA will be hosting a webinar next week to discuss the details of the 1033 Final Rule and to answer questions on the rule’s impact. Details for the webinar will follow shortly. CBA will also be sharing a more robust summary of the 1033 Final Rule after the webinar.
