On October 22, 2024, the Consumer Financial Protection Bureau (CFPB or the Bureau) issued a final rule (the Rule) implementing the requirements of sections 1033(a) and (b) of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank). The Rule requires, among other things, that a "covered person" make available to consumers information about the financial products or services that they receive from the covered person.
This rulemaking marks the conclusion of a process that the CFPB began in 2016 and follows the publication of a proposed rule in October 2023. The Rule is intended to strengthen data security and improve competition in the open-banking ecosystem by making it easier for consumers to switch providers of financial products and services.
A coalition of the Rule's opponents, led by the Bank Policy Institute, the Kentucky Bankers Association, and Forcht Bank, has sued the CFPB in federal court in the Eastern District of Kentucky (Forcht Bank NA et al. v. Consumer Financial Protection Bureau et al.). The plaintiffs allege violations of the Administrative Procedure Act and seek an order setting aside the Rule. They argue that the Rule exceeds the statutory authority granted to the CFPB by Dodd-Frank; increases data security risks by requiring data transfers; improperly appoints private standard-setting bodies (in lieu of the CFPB) to determine compliance requirements and to draft and implement compliance standards; sets a compliance timeline that depends on those private standard-setting bodies, which have not yet formed; and prohibits charging fees for data access, resulting in a "windfall" to financial technology firms and data aggregators at the expense of data providers. This suit could delay or halt the Rule's implementation. We will monitor the litigation closely and provide updates.
Key Takeaways
- Compliance Deadlines: The Rule establishes staggered compliance deadlines based on the size and type of financial institution. Depository institutions with at least $250 billion in assets, and non-depository institutions with at least $10 billion in receipts in calendar year 2023 or 2024, must comply with the Rule by April 1, 2026. See "Compliance Dates/Threshold Requirements" below for additional details.
- Data Governance and Infrastructure Overhaul: The Rule mandates that institutions make consumer financial data readily available in a form that is usable by customers, which may require significant upgrades to data management systems. Financial institutions and other covered persons should assess the scalability and robustness of their current infrastructure to ensure they can meet the prescribed interface uptime requirements for real-time data sharing, likely in response to a high volume of requests. Major investments in both systems and compliance programs will likely be required on an expedited timeline.
- Development of Standardized Interfaces: Covered persons will need to design or adopt standardized developer interfaces that comply with the performance and interoperability requirements set forth in the Rule. These interfaces must not only meet technical specifications for data sharing, but also ensure that third-party developers can integrate with them seamlessly, promoting innovation while maintaining compliance with the law. For example, banks will need to develop a system for requesting and receiving data from their FinTech partners.
- Focus on Consent Management: The requirement for explicit, informed consumer consent with clear disclosures will place a burden on covered persons. Developing transparent and user-friendly consent management systems that allow consumers to authorize, track, and revoke access is essential.
- Enhanced Cybersecurity Measures: As the Rule requires the creation of developer interfaces to facilitate data sharing, covered persons will need to bolster their cybersecurity frameworks to safeguard against unauthorized access and data breaches. Strong encryption, secure data storage, and regular security audits will be necessary to protect consumer data and avoid potential compliance penalties.
- Operational Alignment Across Business Units: Financial institutions and FinTech firms must ensure that various departments, including IT, legal, and compliance, work closely together to align their operations with the Rule. Internal teams should be well-versed in how the Rule impacts data-sharing practices and customer interactions to ensure a seamless and unified approach to implementation.
- Third-Party Vendor Management: The Rule focuses significant attention on third-party service providers. Third parties who access consumer financial data are subject to strict requirements, and covered persons must ensure that their vendor management processes are robust. Contracts with third-party service providers should clearly outline data privacy obligations, permissible uses of consumer data, and security requirements. Continuous monitoring of vendor compliance will also be necessary to avoid potential liability for breaches or misuse of consumer data.
- Consumer Education Initiatives: Given the complexity of the Rule and the potential for consumers to misunderstand the implications of sharing financial data, financial institutions may consider it worthwhile to invest in consumer education efforts. Providing clear, accessible information on how data is shared, the risks involved, and how to control data access will be critical in building consumer trust and ensuring regulatory compliance.
- Expanded Oversight: While the Rule does not introduce new amendments to the Fair Credit Reporting Act (FCRA), data aggregators that operate under the Rule's framework must remain mindful of FCRA obligations. Entities that use consumer data for activities governed by the FCRA must adhere to permissible purposes for data use and provide consumers with protections against misuse. Additionally, as future rulemakings on the FCRA evolve, data aggregators may be subject to further scrutiny and requirements regarding data accuracy and privacy.1
- Preparation for Regulatory Scrutiny: The Rule provides the CFPB with significant oversight authority, including the ability to recognize standard-setting bodies and monitor compliance with data-sharing protocols. Institutions should prepare for heightened regulatory scrutiny by establishing thorough documentation and auditing processes to demonstrate compliance with the Rule's requirements.
Important Definitions
- "Covered Consumer Financial Products or Services": The Rule defines "covered consumer financial products or services" to include Regulation E accounts, Regulation Z credit cards, and third-party payment facilitation services.2 The Rule carves out exceptions for certain smaller depository institutions (those with total assets below the Small Business Administration size standard).3
- "Covered Data": The Rule applies to covered data, which includes the following4:
- Transaction information (including historical transaction information, if the provider has control or possession of it – financial institutions are required to provide at least 24 months of historical transaction data in a usable electronic format), including amount, date, payment type, pending/authorized status, payee/merchant name, rewards credits, fees, or finance charges;
- Account balance information;
- Information necessary to make a payment to or from an electronic debit card (Regulation E) account;
- Terms and conditions (e.g., fees, APY, credit limit, rewards program terms);
- Upcoming bill information;
- Basic account verification information (e.g., the name, address, email address, and phone number associated with a covered product or service).5
- Exceptions include:
- Confidential Commercial Information: Data that is proprietary or could harm the competitive position of the data provider if disclosed.
- Information Collected for Fraud Prevention: Data gathered solely for the purpose of preventing fraud, money laundering, or other financial crimes.
- Information Required to be Kept Confidential by Law: Data that is mandated to remain confidential under other applicable laws or regulations.
- "Data Providers": The Rule defines a "data provider" as a covered person (per 12 U.S.C. § 5481(6)) that is a financial institution;6 card issuer;7 or any other person that controls or possesses information concerning a covered consumer financial product or service and provides that product or service to a consumer.8
- "Third Party": The Rule defines a "third party" as "any person that is not the consumer about whom the covered data pertains or the data provider that controls or possesses the consumer's covered data."9
Overview of the Rule
The Rule mandates that financial institutions make a consumer's financial data available to the consumer, or authorized third parties, upon request in a usable electronic format, subject to the exceptions above.
- Data Provider Obligations: Data providers must ensure that covered data is available electronically and cannot engage in practices that obstruct access. For example, they cannot impose fees for data access, and access tools that are made available to consumers and third parties are subject to minimum performance standards.
- Tokenization: Data providers must make account numbers available, but they may do so in either tokenized or non-tokenized form.10 In the Rule, the CFPB noted that it intends to monitor the market for pretextual use of tokenized account numbers (TANs) to "frustrate consumers' ability to provide functioning payment initiation information to authorized third parties of their choice."11
- Screen-Scraping: A "core objective" of the Rule was to "transition the market away from using screen scraping to access covered data."12 Accordingly, the Rule prohibits screen scraping as a method of facilitating third-party access.13 The CFPB also considered, but declined to permit, tokenized screen scraping.14
- Developer Interface: The Rule requires data providers to offer a developer interface (with "commercially reasonable" performance) that facilitates authorized third-party access to consumers' financial data.15 An interface that conforms to a (yet to be determined) consensus standard will be considered commercially reasonable.16 The interface must also have a response rate equal to or greater than 99.5 percent each calendar month.17 This means that for at least 99.5 percent of requests received, the developer interface must either provide the requested data or give a "proper response" explaining why the developer interface cannot provide the requested data.18
- The Rule places a significant emphasis on standardization by mandating that data providers create interfaces that are "commercially reasonable" and compatible with recognized industry formats.19
- Data providers may not allow third parties to access the developer interface using the same credentials that a consumer uses.20 Other cybersecurity requirements for the developer interface are aligned with the rules issued under section 501 of the Gramm-Leach-Bliley Act (for providers subject to Gramm-Leach-Bliley) and the Federal Trade Commission's Standards for Safeguarding Customer Information.21
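As an added illustration, not taken from the article or from the Rule's text, the check below computes a developer interface's monthly response rate the way the passage above describes it: a response counts as "proper" only if it delivered the data or explained why it could not, and a message sent during unscheduled downtime never counts (see footnote 18). The request record layout, field names, the `_make_month` helper and the sample traffic are constructed assumptions for the example; the Rule's treatment of scheduled downtime and any other counting details are not modeled here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from fractions import Fraction
from typing import Dict, Iterable, List, Optional, Tuple

# Minimum monthly response rate the Rule sets for the developer interface (99.5%).
# Kept as an exact Fraction so a month that lands precisely on the threshold
# is not mis-scored by floating-point rounding.
RESPONSE_RATE_THRESHOLD = Fraction(995, 1000)


@dataclass(frozen=True)
class InterfaceRequest:
    """One request to the developer interface (hypothetical record layout)."""
    received_at: datetime
    outcome: str                               # "data", "explained", "error", "timeout"
    during_unscheduled_downtime: bool = False  # set when the message was sent during an outage


def is_proper_response(req: InterfaceRequest) -> bool:
    # Messages sent during unscheduled downtime are excluded from "proper response",
    # even if they carried data or an explanation.
    if req.during_unscheduled_downtime:
        return False
    # Proper response: the requested data, or an explanation of why it was not provided.
    return req.outcome in ("data", "explained")


def monthly_response_rate(requests: Iterable[InterfaceRequest],
                          year: int, month: int) -> Optional[Fraction]:
    """Proper responses divided by all requests received in the calendar month."""
    in_month = [r for r in requests
                if (r.received_at.year, r.received_at.month) == (year, month)]
    if not in_month:
        return None  # no traffic: nothing to measure
    proper = sum(1 for r in in_month if is_proper_response(r))
    return Fraction(proper, len(in_month))


def meets_threshold(rate: Optional[Fraction]) -> bool:
    return rate is not None and rate >= RESPONSE_RATE_THRESHOLD


def _make_month(year: int, month: int, data: int, explained: int,
                failures: int, downtime_data: int) -> List[InterfaceRequest]:
    """Build constructed sample traffic for one month (not real interface logs)."""
    start = datetime(year, month, 1)
    outcomes = ["data"] * data + ["explained"] * explained + ["timeout"] * failures
    reqs = [InterfaceRequest(start + timedelta(minutes=i), o)
            for i, o in enumerate(outcomes)]
    n = len(reqs)
    # Data that was returned while the interface was in unscheduled downtime.
    reqs += [InterfaceRequest(start + timedelta(minutes=n + i), "data", True)
             for i in range(downtime_data)]
    return reqs


# Constructed sample: April 2026 sits exactly on the 99.5% line (398 of 400 proper);
# May 2026 falls short (397 of 400 proper).
SAMPLE_REQUESTS: List[InterfaceRequest] = (
    _make_month(2026, 4, data=395, explained=3, failures=1, downtime_data=1)
    + _make_month(2026, 5, data=396, explained=1, failures=2, downtime_data=1)
)


def compliance_report(requests: Iterable[InterfaceRequest],
                      months: Iterable[Tuple[int, int]]
                      ) -> Dict[Tuple[int, int], Tuple[Optional[Fraction], bool]]:
    """Per-month (rate, meets_threshold) pairs, suitable for an audit record."""
    reqs = list(requests)
    return {(y, m): (monthly_response_rate(reqs, y, m),
                     meets_threshold(monthly_response_rate(reqs, y, m)))
            for (y, m) in months}


if __name__ == "__main__":
    for (y, m), (rate, ok) in compliance_report(SAMPLE_REQUESTS, [(2026, 4), (2026, 5)]).items():
        pct = "n/a" if rate is None else f"{float(rate) * 100:.3f}%"
        print(f"{y}-{m:02d}: response rate {pct} -> {'meets' if ok else 'BELOW'} 99.5% threshold")
```

Because the threshold is inclusive ("equal to or greater than"), the ratio is kept as an exact fraction; comparing a rounded float against 0.995 could flip the result for a month that lands exactly on the line, as the April sample does.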
- Recordkeeping Requirement: Data providers must retain records for up to three years relating to their compliance efforts, including:
- Actions taken in response to a consumer or third-party's request regarding the developer interface;
- Other records that are evidence of the data provider's compliance with its obligations to make data available (including those showing evidence of commercially reasonable performance22), to provide interfaces, and to respond to requests.23
- Third-Party Authorization and Use: Third parties seeking access to consumer data must adhere to strict authorization and use limitations.
- Authorization: Under the Rule, a third party must 1) provide a consumer with an authorization disclosure (contents are described in the Rule); 2) provide a statement in the authorization certifying that the third party agrees to certain obligations related to how long it can hold the collected data and security requirements for the data; and 3) obtain express, informed consent to access covered data on the consumer's behalf, via a disclosure that may be signed electronically or in writing.24
- Collection, Use, and Retention: Third parties may not expand the collection, use, or retention of covered data beyond the scope of products or services covered in the consumer's authorization.25 In general, the collection, use, and retention of covered data is limited to what is "reasonably necessary" to provide the requested product or service.26 Marketing is not reasonably necessary.
- A third party that seeks to share covered data with another third party must require the recipient of the covered data to comply with the same third-party obligations created by the Rule (e.g., the prohibition on use of covered data for advertising, holding covered data for only a year without reauthorization, etc.).27
- Recordkeeping Requirements: The Rule requires third parties to maintain policies and procedures designed to ensure retention of records demonstrating compliance regarding access, use, and retention of consumer financial data.28 Those records must include a copy of the authorization disclosure signed by the consumer (electronically or in writing) that reflects the date of the consumer's signature and a record of the consumer's actions.29 Data aggregators must also include a copy of the data aggregator certification statement provided to the consumer as required by the Rule.30 Third parties must retain records for three years.31
- Standard-Setting Bodies: The CFPB will recognize standard-setting bodies to ensure compliance with the technical requirements for data sharing. While the Rule does not explicitly define a standard-setting body, the Bureau outlines the attributes of such bodies and recognizes that these bodies will establish "consensus standards" governing the functionality of interfaces.32 Standard-setting bodies that meet CFPB standards for openness, balance, due process, consensus, and transparency are eligible to be recognized by the CFPB for a five-year period.33
- A standard-setting body can be formed by a group of stakeholders, including industry representatives, consumer advocates, technology experts, and other relevant parties, who come together to develop and maintain standards that promote interoperability and security in data sharing.
- These bodies must adhere to principles of openness, balance, due process, consensus, and transparency in their operations. The specific standards enforced or monitored by these bodies would include technical specifications for API functionality, data security protocols, and user authentication methods, among others. Moreover, such standards could cover aspects like data accuracy, privacy protections, and timely access to financial data.
- The composition of a standard-setting body, as envisioned by the CFPB, would typically include a diverse array of members to ensure that the standards reflect a broad consensus. This could include representatives from financial institutions, FinTech companies, consumer groups, regulatory experts, and independent technology consultants.
Compliance Dates/Threshold Requirements
- $850 Million Asset Threshold for Depository Institutions: The Rule's application to depository institutions is limited. Data providers that are depository institutions may be exempt from subparts B (the obligation to make covered data available) and C (the obligation to provide consumer and developer interfaces) of the Rule under § 1033.111(d) if their total assets are equal to or below the applicable Small Business Administration size standard (currently $850 million for all relevant institutions).34 The Rule is generally applicable to data providers that are non-depository institutions.35
- Compliance Dates Staggered Based on Size: The Rule takes effect 60 days after its publication in the Federal Register for certain aspects of the Rule, such as the submission of applications for recognition as a standard-setting body, which do not impose obligations on parties. Data providers are responsible for compliance starting between April 1, 2026, and April 1, 2030, depending on the provider's size.36 By the compliance date, they must have "established functioning developer and consumer interfaces...that are technically capable of complying with the requirements in subparts B and C of part 1033 by their compliance deadline."37
The Rule marks a significant shift in the regulation of financial data access and privacy. Financial institutions and FinTech firms should begin taking steps to align with the new data-sharing requirements, ensure compliance with privacy safeguards, and enhance consumer transparency.
Footnotes
1 See proposed rule, Prohibition on Creditors and Consumer Reporting Agencies Concerning Medical Information (Regulation V), 89 Fed. Reg. 42123 (June 18, 2024) (to be codified at 12 C.F.R. pt. 1022); see also Prohibition on Inclusion of Adverse Information in Consumer Reporting in Cases of Human Trafficking (Regulation V), 87 Fed. Reg. 37700 (June 24, 2022) (to be codified at 12 C.F.R. pt. 1022).
2 12 C.F.R. § 1033.111.
3 Final Rule, 72-73.
4 Final Rule, 117.
5 See 12 C.F.R. § 1033.211.
6 As defined in Regulation E, 12 CFR 1005.2(i).
7 As defined in Regulation Z, 12 CFR 1026.2(a)(7).
8 12 C.F.R. § 1033.111(c).
9 12 C.F.R. § 1033.131.
10 Final Rule, 132.
11 Final Rule, 133.
12 Final Rule, 213.
13 Final Rule, 14.
14 Final Rule, 165. Tokenization is the replacement of sensitive data with meaningless characters or data that are not sensitive. In the Rule, the CFPB acknowledged that tokenized screen scraping is more secure than regular screen scraping, but reasoned that permitting tokenized screen scraping would result in "third parties accessing a larger portion of consumers' financial data than they need to provide the financial services that consumers are requesting." Id.
15 Final Rule, 193-195.
16 Final Rule, 196.
17 Final Rule, 197.
18 Final Rule, 199-201. Messages provided during unscheduled downtime of the developer interface are excluded from the definition of "proper response." Final Rule at 572. A proper response (a) fulfills the request or explains why the request was not fulfilled; (b) is consistent with policies and procedures maintained by the data provider; and (c) is provided within a "commercially reasonable amount of time." Id.
19 Final Rule, 187.
20 12 C.F.R. § 1033.311(e).
21 16 C.F.R. part 314.
22 12 C.F.R. § 1033.351(d)(2)(v).
23 Final Rule, 300.
24 Final Rule, 326.
25 Final Rule, 329.
26 Final Rule, 348.
27 Final Rule, 401-402.
28 Final Rule, 433.
29 Final Rule, 433.
30 Final Rule, 433.
31 Final Rule, 434.
32 Final Rule, 197.
33 12 C.F.R. § 1033.141; see also CFPB, Personal Financial Data Rights Standard-Setter Guide (2024), https://files.consumerfinance.gov/f/documents/cfpb_personal-financial-data-rights_standard-setter-guide_2024-06.pdf.
34 Final Rule, 72.
35 Final Rule, 74.
36 See 12 C.F.R. § 1033.121(c).
37 Final Rule, 83.
38 Final Rule, 83.
39 Receipts are calculated based on the Small Business Administration definition of receipts at 13 C.F.R. § 121.104(a). See Final Rule at 88.