Understanding CFPB Proposed Rule on Personal Finance Data Rights

Overview

On October 19 2023, the CFPB proposed a rule that would require Financial Institutions to comply to data sharing requests made by consumers and authorized third parties for certain data relating to consumers’ transactions and accounts.

While the rule proposes to provide more control to the consumers to share their data, it also establishes obligations for third parties who will access consumer’s data to handle the data securely, including privacy protections and provides basic standards for data access to promote fair, open, and inclusive industry standards.

Scope & Timeline

• The proposed rule will apply first to a subset of covered persons —namely, entities providing asset accounts subject to the Electronic Fund Transfer Act (EFTA) and Regulation E, credit cards subject to the Truth in Lending Act (TILA) and Regulation Z, and related payment facilitation products and services.
• Almost three hundred pages of the proposed rulemaking is available for review and making comments prior to the December 29 deadline.
• The rule requirements will be implemented in phases. The larger providers will obligated to meet these requirements much sooner than the smaller ones.
• Community banks and credit unions that have no digital interface at all with their customers would be exempt from the rule’s requirements. 
• The proposed rule will be the first to implement Section 1033
• CFPB will cover additional products and services in future rulemaking

How is this expected to impact the industry?

The proposed rule is expected to drive major industry reforms as consumers are handed control over their data and decide on its usage while getting new protections against companies misusing their data. This is expected to push up competition, provide greater choice of service providers to consumers and also accelerate the shift towards open banking.

Salient points of the Proposal

The proposed rule intends to benefit the consumers in the following ways:

• Provide consumers access to their data at no charge: Banks and other providers subject to the rule will be required to make available consumers their personal financial data without any fee or charges in a safe, secure, and reliable manner.
• Consumers will have a legal right to share their data: People would have a legal right to grant third parties’ access to information associated with their credit card, checking, prepaid, and digital wallet accounts. This will allow Financial Institutions and third party providers to provide a wide range of products and services, improving pricing and making switching providers and managing manage accounts from multiple providers more convenient.
• Enable options that allow walking away from bad service: Consumers should be able to walk away from bad services and products.  As the rule will make providers lose the hold on their data and make shifting a competitor offering better or lower priced products and services a lot easier.

Fostering a Secure Environment for Fair Operations

• Robust protections to prevent unchecked surveillance & misuse: Third Parties whom people authorize to access data on their behalf would have to agree to certain conditions like not collect, use, or retain data to advance their own commercial interests through actions like targeted or behavioral advertising. Providers and third parties will be required to limit data usage to what is necessary to provide the individual’s requested product.
• Hand over control to the consumer: The rule will give people the right to revoke access to their data. Once a person revokes access, the proposal would require immediate data access end and deletion. Access will not allowed to be maintained for > 1 Year, requires individual consumer’s reauthorization.
• Prohibits risky data collection practices: Seeks to move the market away from these risky data collection practices like screen scraping, which often requires people to share their usernames and passwords with third parties.
• Aims at setting fair and standard industry practices: There are many requirements that aim to ensure industry standards are fair, open, and inclusive.

The Personal Financial Data Rights rule will challenge the industry, opening up competition to acquire and retain customers, protect consumers from excessive surveillance, and help them walk away from bad service.

References:

1. https://www.consumerfinance.gov/about-us/newsroom/cfpb-proposes-rule-to-jumpstart-competition-and-accelerate-shift-to-open-banking/

2. https://files.consumerfinance.gov/f/documents/cfpb-1033-nprm-fr-notice_2023-10.pdf