The Consumer Financial Protection Bureau (the “CFPB”) recently issued a Notice of Proposed Rulemaking to implement Section 1033 of the Dodd-Frank Act (“Section 1033”). Section 1033 generally requires covered persons to make information concerning a financial product or service that a consumer has obtained from such person available to the consumer, subject to CFPB rulemaking.
The rule recently proposed by the CFPB to implement Section 1033 (the “Proposed Rule”) would require that certain entities make transaction and other account data more readily available to consumers and authorized third parties. It also would impose privacy and information security obligations and limitations on these entities, as well as on third parties authorized to collect and use that data. These requirements and limitations are discussed in more detail below.
The CFPB stated in the supplementary information provided with the Proposed Rule that the Proposed Rule is being enacted to help develop a secure, reliable and competitive consumer financial data access framework by direct regulation of practices in the market and by identifying areas in which fair, open, and inclusive standards can develop to provide additional guidance to the market.
CFPB Director Rohit Chopra stated in a press release accompanying the Proposed Rule that the Proposed Rule is meant to “accelerate much-needed competition and decentralization in banking and consumer finance” while providing “strong data protections to prevent misuse and abuse of personal financial data.” Chopra sees the Proposed Rule as “… forbidding financial institutions from hoarding a person’s data and by requiring companies to share data at the person’s direction with other companies offering better products.”
What are the categories of organizations affected by the Proposed Rule?
The Proposed Rule imposes obligations and otherwise affects a number of different kinds of parties, as follows:
Consumers. The Proposed Rule defines a “consumer” as a natural person, including trusts established for tax or estate planning purposes.
Data Providers. The Proposed Rule defines a “data provider” as anyone that “controls or possesses covered data concerning a covered consumer financial product or service” and that has a “consumer interface” (as described below). This would include, among others: financial institutions (as defined by Regulation E), which includes banks, savings associations, credit unions, and others that hold consumer asset accounts; card issuers (as defined by Regulation Z); and “[a]ny other person that controls or possesses information concerning a covered consumer financial product or service the consumer obtained from that person.” The Proposed Rule adds that a “digital wallet provider” would be considered a “data provider.”
The Proposed Rule provides that a business that would otherwise be considered a data provider will not be considered such if it does not have a “consumer interface,” which the Proposed Rule defines as an interface “through which a data provider receives requests for covered data and makes covered data available in an electronic form usable by consumers and authorized third parties in response to the requests.”
Authorized Third Parties. The Proposed Rule defines an “authorized third party” as a third party (i.e., not the consumer or a data provider) that seeks access to covered data from a data provider on behalf of a consumer to provide a product or service requested by the consumer and that has completed the Proposed Rule’s authorization procedures (discussed below).
Data Aggregators. Under the Proposed Rule, “data aggregators” are entities that are retained by and provide services to an authorized third party to enable access to covered data.
What data is subject to the Proposed Rule?
The Proposed Rule would require data providers to make “covered data” in their possession or control available to consumers and authorized third parties. The Proposed Rule defines “covered data” as data about consumers’ accounts or credit cards of the type that consumers likely can already access through an online or mobile portal, including:
- historical transaction information (e.g., amount, date, payment type, payee or merchant name, rewards credits and fees or finance charges) for at least the previous 24 months;
- account balance;
- account and routing information (though this is allowed to be tokenized);
- terms and conditions of the account;
- upcoming bill information, including information about third party bill payments scheduled through the data provider and any upcoming payments due from the consumer to the data provider; and
- basic account verification information, which is limited to the name, address, email address, and phone number associated with the covered consumer financial product or service.
However, the Proposed Rule provides that data providers would not have to disclose:
- confidential commercial information, including algorithms used to derive credit scores or other risk scores or predictors;
- information collected by the data provider for the sole purpose of preventing fraud or money laundering, or detecting, or making any report regarding other unlawful or potentially unlawful conduct;
- information required to be kept confidential by any other provision of law; or
- any information that the data provider cannot retrieve in the ordinary course of business.
What obligations does the Proposed Rule impose on data providers?
The Proposed Rule would require that data providers maintain consumer interfaces (discussed above) and establish and maintain developer interfaces to allow authorized third parties to access data on consumers’ behalf. Importantly, the Proposed Rule would also:
- prohibit data providers from relying on screen scraping to comply with the Proposed Rule, because “it is not a viable long-term method of access.” Instead, data providers would be required to establish and maintain developer interfaces that would make covered data available in a machine-readable, standardized format and not allow a third party to access the system using consumer credentials. As a result, developer interfaces will likely take the form of application program interfaces, or “APIs”;
- require data providers to provide covered data in a standardized format based on “qualified industry standards,” or in a format “widely used by the developer interfaces of other similarly situated data providers with respect to similar data and [that] is readily usable by authorized third parties”;
- require data providers to, prior to providing covered data, obtain information sufficient to authenticate the authorized third party and consumer, confirm that the authorized third party has obtained consumer authorization and verify the covered data subject to the request;
- prohibit data providers from unreasonably restricting the frequency with which they accept and respond to requests for covered data;
- require that data providers’ developer interfaces perform at a “commercially reasonable” level – including that such interfaces have a data access request response rate, calculated consistent with the Proposed Rule, of at least 99.5%; and
- require data providers to implement an information security program for the developer interface that complies with the Safeguards Rule required by Gramm-Leach-Bliley Act (the “GLBA”) and promulgated by the regulator for such data provider or, if the data provider is not subject to the GLBA, the Federal Trade Commission (“FTC”) Safeguards Rule.
Despite the expense associated with complying with these requirements, the Proposed Rule prohibits data providers from imposing fees or charges on consumers or authorized third parties for establishing or making covered data available through the interfaces described above. The Proposed Rule also requires data providers to publicly disclose developer interface and contact information to facilitate access and provide a method to address questions.
What obligations and restrictions does the Proposed Rule impose on authorized third parties?
To ensure that consumers’ privacy is respected, the CFPB has proposed a number of requirements on authorized third parties that seek to obtain covered data, including requirements to:
- provide the consumer with an authorization disclosure, including a statement certifying that the authorized third party agrees to certain obligations;
- obtain the consumer’s express informed consent to access covered data on behalf of the consumer by obtaining a signed authorization disclosure. The Proposed Rule requires the authorized third party’s authorization disclosure to be in a form that is clear, conspicuous, and segregated from other materials, and to include certain content, including:
  - the name of the authorized third party that would access the consumer’s covered data and the name of the data provider that controls or possesses the covered data;
  - a brief description of the product or service that the consumer has requested the authorized third party provide and a statement that the authorized third party will collect, use, and retain the covered data only for the purpose of providing that product or service to the consumer;
  - a certification to the consumer that the authorized third party will comply with the obligations imposed on authorized third parties by the Proposed Rule;
  - the categories of covered data that would be accessed; and
  - a complete and accurate translation of the authorization disclosure (if the authorization disclosure is in a different language than the communication in which the authorized third party conveys the authorization disclosure to the consumer);
- adopt policies and procedures to ensure the covered data they receive remains accurate during its transmission;
- implement an information security program for its systems for the collection, use, and retention of covered data that complies with the Safeguards Rule required by the GLBA and promulgated by the regulator for such third party or, if such third party is not subject to the GLBA, the FTC Safeguards Rule. Note that the Proposed Rule allows data providers to deny access to their developer interface if the authorized third party cannot demonstrate it has adequate information security;
- upon obtaining authorization to access covered data on the consumer’s behalf, deliver a copy of the authorization disclosure to the consumer or make it available in a location that is readily accessible to the consumer, such as the third party’s interface. An authorized third party must also provide to a consumer, upon request, certain information about the third party’s access to the consumer’s covered data, including: categories of covered data collected; the reasons for collecting the covered data; the names of parties with which the covered data was shared; and the reasons for sharing the covered data.
In addition to these requirements, the Proposed Rule imposes some significant limitations on authorized third parties by providing that they may collect, use and retain a consumer’s covered data only to the extent “reasonably necessary” to provide the consumer’s requested product or service. They are prohibited from using covered data for targeted advertising or for cross-selling other products or services, and from selling consumers’ data. If authorized third parties fail to obtain reauthorization from consumers within one year, they must cease collecting additional covered data and delete covered data that is not necessary to provide the covered product or service.
What obligations and restrictions does the Proposed Rule impose on data aggregators?
When an authorized third party uses a data aggregator to assist with accessing covered data on behalf of a consumer, the Proposed Rule requires the data aggregator to certify to the consumer in advance that it agrees to the obligations and restrictions that the Proposed Rule imposes on data aggregators.
Comments on the Proposed Rule are due on or before December 29, 2023. The CFPB stated that it will seek to finalize the rule by fall 2024. The CFPB proposes that the effective date occur 60 days after the date of the final rule’s publication in the Federal Register, with staggered compliance dates for financial institutions and other data providers ranging from six months to four years, based on an institution’s asset size or revenue.