In a move expected to accelerate a shift toward open
banking, the Consumer Financial Protection Bureau (CFPB) proposed a rule giving
consumers more control over their financial data and providing new protections
against companies that misuse consumer data.
Dubbed the “Personal Financial Data Rights” rule, the
proposed regulation would implement Sec. 1033 of the Dodd-Frank Act, pertaining
to “consumer rights to access information.” The rule would require covered
financial entities to allow consumers and authorized third parties to access
their personal financial data at no charge through dedicated digital interfaces
that are safe, secure and reliable.
The CFPB believes the rule would “jumpstart competition by
forbidding financial institutions from hoarding a person’s data” as companies would
be required to adhere to consumers’ instructions to share data with other
companies offering better products, according to a bureau press release.
“With the right consumer protections in place, a shift
toward open and decentralized banking can supercharge competition, improve
financial products and services, and discourage junk fees,” CFPB Director Rohit
Chopra said in the release. “Today, we are proposing a rule to give consumers
the power to walk away from bad service and choose the financial institutions
that offer the best products and prices.”
To illustrate his point, Chopra compared the act of allowing
consumers to transfer their data access from one company to another to the
Federal Communications Commission’s rules requiring wireless providers to allow
consumers to easily transfer their phone numbers between providers to seek
better prices and service.
The proposed rule would require financial firms offering
transaction accounts (i.e., checking accounts, prepaid cards, credit cards, digital
wallets, etc.) to offer consumers access to their personal financial data, so they
would have the option to share or transfer the data to another provider.
“This will make it much easier to switch. You won’t lose
your transaction history, which effectively serves as a life ledger,” Chopra
said, in prepared remarks. “You won’t have to start over with a new firm that
has less history with you and that is less likely to offer you better deals. In
addition, bringing in your personal financial ledger to a new provider will let
them consider your full financial history when offering you a loan, instead of
relying on a summary from the credit reporting conglomerates.”
Sec. 1033 describes circumstances in which companies must
make consumer data available, as well as exceptions under which companies are
not required to make consumer data available.
The new rule would require the following consumer data to be
made available:
a) Transaction information, such as “historical
transaction information in the control or possession of the data provider.”
b) Account balance.
c) Information to initiate payment to or from a
Regulation E account, including “a tokenized account and routing number that
can be used to initiate an Automated Clearing House transaction. In complying
with its obligation under § 1033.201(a), a data provider is permitted to make
available a tokenized account and routing number instead of, or in addition to,
a non-tokenized account and routing number.”
d) Terms and conditions, including “the applicable
fee schedule, any annual percentage rate or annual percentage yield, rewards
program terms, whether a consumer has opted into overdraft coverage, and
whether a consumer has entered into an arbitration agreement.”
e) Upcoming bill information, including “information
about third party bill payments scheduled through the data provider and any
upcoming payments due from the consumer to the data provider.”
f) Basic account verification information, “which
is limited to the name, address, email address, and phone number associated
with the covered consumer financial product or service.”
Under Sec. 1033, companies would not be required to make the
following types of consumer data available:
a) “Any confidential commercial information,
including an algorithm used to derive credit scores or other risk scores or
predictors. Information does not qualify for this exception merely because it
is an input to, or an output of, an algorithm, risk score, or predictor. For
example, annual percentage rate and other pricing terms are sometimes
determined by an internal algorithm or predictor but do not fall within this
exception.”
b) “Any information collected by the data provider
for the sole purpose of preventing fraud or money laundering, or detecting, or
making any report regarding other unlawful or potentially unlawful conduct.
Information collected for other purposes does not fall within this exception.
For example, name and other basic account verification information do not fall
within this exception.”
c) “Any information required to be kept
confidential by any other provision of law. Information does not qualify for this
exception merely because the data provider must protect it for the benefit of
the consumer. For example, the data provider cannot restrict access to the
consumer’s own information merely because that information is subject to
privacy protections.”
d) “Any information that the data provider cannot
retrieve in the ordinary course of its business with respect to that
information.”
In addition to empowering consumers with respect to their
financial lives, the bureau hopes the proposed rule would address inconsistent
policies among financial institutions regarding consumer data access.
“Importantly, the rule says that firms that receive
financial data to provide a specific service cannot feed the data into
algorithms for unrelated activities, such as targeted advertising and
marketing,” Chopra said. “Firms couldn’t collect data to provide a service, and
then also monetize it by selling it to data brokers. Authorized data also
couldn’t be used to train artificial intelligence that manipulates consumer
behavior. And firms would not be able to hold onto your personal financial data
indefinitely. If a consumer chooses to end a relationship, the firm would have
to stop collecting and using the consumer’s data as well as delete the data it
already possesses.”
The proposed rule also would implement protections against
unchecked surveillance and misuse of data by companies once they are authorized
to access a consumer’s data on the consumer’s behalf. Such companies would have
to agree to certain conditions. Third parties would not be permitted to collect,
use or retain data to advance their own commercial interests through actions
such as targeted or behavioral advertising. Third parties would be obligated to
limit their use of consumer data to what is reasonably necessary to fulfill a
consumer’s request for a particular product or service.
Companies also would likely be forced to move away from certain
data collection practices the bureau deems “risky,” such as screen scraping,
which typically requires people to share their usernames and passwords with
third parties.
The bureau views the proposal as a potential foundation to
set an industry standard on data collection, which financial entities will be
able to account for in their policies and procedures.
Consumer Bankers Association (CBA) President and CEO Lindsey Johnson released a statement noting CBA’s support for the bureau’s efforts to regulate how entities distribute consumer data.
“Many of these entities that are collecting, storing, and selling this consumer information are not subject to the same rigorous data security and privacy standards as well-regulated and supervised financial institutions, putting consumers and their sensitive financial information at risk,” Johnson said. “CBA looks forward to working with the Bureau on developing a final Section 1033 rule that achieves the statutory intent of the law to ensure consumers have greater access to their own personal financial data, and that uniformly protects consumers’ data across banks and non-banks, establishes clear liability standards for all parties, and affords consumers control in how their data is accessed and used.”
The bureau is aiming to finalize a rule implementing Sec.
1033 in fall of 2024. It plans to implement the proposed requirements in
phases, with larger providers being subject to them much sooner than smaller
ones, according to the release. Many community banks and credit unions currently
lacking a digital interface would be exempt from the rule, the bureau
acknowledged.