CFPB Proposes a Rule on Personal Financial Data Rights

The fourth quarter of 2023 has seen significant proposed rulemaking from regulators. Just over a week after the Federal Trade Commission issued its Notice of Proposed Rulemaking on its “junk fees” rule, the Consumer Financial Protection Bureau (“CFPB”) published its proposed rule on Personal Financial Data Rights on October 19, 2023. According to the CFPB’s press release, the purpose of the rule is to “jumpstart competition by forbidding financial institutions from hoarding a person’s data and by requiring companies to share data at the person’s direction with other companies offering better products.” The rule, designed to foster what has come to be known as “open banking,” also aims to prevent companies from “misusing or wrongfully monetizing” sensitive personal financial data.

Although the text of the proposed rule itself comprises nearly 30 pages, the crux is that data providers must share certain covered data pertaining to a consumer’s account upon a proper request from the consumer or an authorized agent of the consumer. The basic contours of that rule are broken down below.

To whom does the rule apply? The obligation to share covered data falls on data providers. The rule defines data providers as (1) financial institutions; (2) card issuers; and (3) “any other person that controls or possesses information concerning a covered consumer financial product or service the consumer obtained from that person.” The rule offers a digital wallet provider as an example of a “data provider.” The only clear exclusion from the definition of data providers is for depository institutions that do not have a consumer interface.

What is a covered consumer financial product or service? Given that characterization as a data provider hinges on whether the entity at issue has information about a covered consumer financial product, the next logical question is what is a consumer financial product or service? Again, the rule’s definition has a broad sweep. It defines “covered consumer financial products or services” to include: (1) a demand deposit or consumer asset account held by a financial institution and established primarily for personal, family, or household purposes; (2) a credit card, including hybrid pre-paid credit cards; or (3) the facilitation of payments from a demand deposit account or a credit card account, as described above.

What data must be disclosed? The rule imposes on data providers the obligation to share certain covered data upon a proper request from a consumer or the consumer’s authorized agent. But what is “covered data”? According to the rule, covered data means: (1) transaction information, including historical transaction information, going back 24 months; (2) account balance; (3) information necessary to initiate payment to or from a depository account, such as account and routing number; (4) the terms and conditions attendant to the account, including whether the consumer is subject to an arbitration agreement; (5) upcoming bill information, including information about third-party bill payments scheduled through the data provider; and (6) basic account verification information, limited to name, address, email, and phone number associated with the covered product or service.

What data is not covered by the proposed rule? There are, however, some substantial carve-outs from covered data. Covered data would not include confidential commercial information, such as an algorithm used to derive credit or risk scores (although the rule says that data that is merely an input to, or output of, an algorithm is not necessarily shielded). Covered data also excludes data collected for the sole purpose of preventing fraud or money laundering, data that is required by another provision of law to be kept confidential, or data that cannot be retrieved in the ordinary course of business. However, the proposed rule cautions that a general duty to protect information for the benefit of a consumer does not allow data providers to restrict the consumer’s access to the consumer’s own information.

When does covered data have to be shared? The core obligation of the rule requires data providers to make available to a consumer or an authorized third party, “upon request,” covered data in the data provider’s control or possession concerning a covered consumer financial product or service that the consumer obtained from the data provider, in a usable electronic form. The rule prescribes the contents of an authorization form third parties must obtain to request covered data on a consumer’s behalf, along with concomitant recordkeeping, and document retention obligations. However, it is silent as to the form the consumer’s request for the consumer’s own data must take, which presumably leaves some room for data providers to set their own policies as needed to screen for potential fraud and identity theft.

How does data have to be shared? The proposed rule would require data providers to maintain a consumer interface and to establish and maintain a developer interface to make the disclosures required by this rule available in electronic form. Moreover, data providers would be prohibited from charging consumers any fee associated with the making of, or responding to a request, or for establishing or maintaining the interface necessary to honor the requests.

What’s next? While fully drafted, the rule is not final and is not yet enacted. The CFPB will remain open to public comments on the rule until December 29, 2023. If the rule is enacted in its current form, data providers will have varying timeline for compliance based on whether they are depository institutions and the total value of their assets. In the meantime, however, the CFPB continues to hope that good consumer protection rules will drive a shift toward open and decentralized banking.