On October 27, 2022, the Consumer Financial Protection Bureau (“CFPB”) announced a new regulatory framework (“Framework”) governing “Personal Financial Data Rights”, or, by another name, “open banking”. Conceptually, open banking requires financial service providers to have open access to consumer financial data held by other financial institutions through the use of application programming interfaces (“APIs”).
The main objective of the CFPB is to promote the purchase of financial products and services by consumers by ensuring that consumers (1) “do not have to start from scratch” if they change their financial institution and (2) have “the necessary leverage to get away” because they will have access to more suitable products and services. If adopted by the CFPB, the framework would reduce current frictions that impede the flow of consumer data and could encourage reluctant consumers to seek out products or services from FinTech vendors.
The framework continues a global trend in financial regulation emphasizing open data flows, with the United States soon to join the European Union (which adopted the Payment Services Directive (“PSD2”) in 2015) by mandating data transparency. The CFPB aims to increase competition between traditional financial institutions and FinTechs, which it hopes will increase services and lower prices. However, the mixed European experience shows the limits of the change that open banking regulations can foster.
II. Framework Summary
Under the framework, “covered data providers” would be required to provide certain data about a consumer (a) to the consumer and (b) to “authorized third parties” through online data portals. The framework would also impose significant obligations on a third party with respect to its collection, use and retention of consumer information.
B. Covered Data Providers
As proposed, the framework would apply to covered data providers and the information they collect when providing certain specified services. Covered data providers would include “financial institutions” and the information they collect by providing “asset accounts” would be subject to the Framework. Covered data providers would also include “card issuers” and the information they collect by providing “credit card accounts” would be subject to the framework.
Under this definition, financial institutions would include banks, thrift associations, credit unions, and other persons who hold consumer checking accounts and consumer savings accounts, as well as persons who issue a credit card access device and agree with a consumer to provide electronic funds transfer services. Asset accounts would include all checking, savings or other consumer asset accounts established primarily for personal, family or household purposes. Card issuers would include any credit card issuer, and a credit card account would include any account offered under an open-ended consumer credit plan.
C. Data Scope
The Framework would require covered data providers to make available six specific categories of information:
- Periodic statement information for settled transactions and deposits;
- Information regarding past transactions and deposits that have not yet settled;
- Other information about past transactions not typically found on periodic statements or portals;
- Information regarding online banking transactions that the consumer has set up but have not yet taken place;
- Account Identity Information; and
- Certain other information.
Any confidential business information, including algorithms used to derive credit ratings or other risk ratings, is expressly excluded from the information that must be made available.
With respect to periodic statement information, Covered Data Providers would be required to provide, among other things, the following:
- For each transfer, the amount, date and place of the transfer, as well as the name of the third party (or seller) to or from whom the transfer was made;
- All fees charged to the account;
- Any interest credited to an asset account or charged to a credit card account;
- The annual percentage yield (“APY”) of an asset account or the annual percentage rate (“APR”) of a credit card account;
- Current account balance;
- The terms and conditions of the account, including a schedule of fees that may be charged to the account; and
- For an asset account, the account number.
Account identity information includes information such as: name; age; gender; marital status; number of dependents; race; ethnic group; citizenship or immigration status; veteran status; residential address; phone number; e-mail address; date of birth; Social Security number; and driver’s license number.
Other information to be made available under the framework includes: consumer reports from consumer reporting agencies obtained and used by the covered data provider to decide whether to provide an account or other financial product or service to a consumer; charges that the Covered Data Provider assesses in connection with its Covered Accounts; any bonuses, rewards, discounts or other incentives the Covered Data Provider provides to consumers; and information about security vulnerabilities that revealed a consumer’s identity or financial information.
D. Online Data Portals
The framework would require covered data providers to make information available in two different ways.
First, where a consumer requests direct access to information, a covered data provider would be required to make the information available to the consumer through an online financial account management portal, exportable in both human-readable and machine-readable formats, once the Covered Data Provider has sufficient information to reasonably authenticate the identity of the consumer and identify the requested information.
Second, for third party requests, Covered Data Providers would be required to maintain a “Third Party Access Portal” where authorized third parties could access consumer information. A Covered Data Provider would only be required to make the information available once it has received evidence that the third party is authorized to access the information on behalf of a consumer, information sufficient to identify the scope of the information requested and sufficient information to authenticate the identity of the third party.
E. Data Obligations and Restrictions
The CFPB framework also sets out certain obligations that third parties seeking consumer information must meet. Under the Framework, third parties would only be permitted to collect, use and retain information reasonably necessary to provide the product or service requested by a consumer. The third party would also be required to make available to the consumer an easy way to revoke their permission to access consumer information at any time. A third party’s use of information authorized by the consumer beyond what is reasonably necessary to provide the product or service requested by the consumer (“secondary use”) would also be limited under the Framework. Further, once a third party no longer reasonably needs the information to provide the product or service to the consumer, it would be required to delete it.
Third party obligations would also require authorized third parties to implement certain policies and procedures, including data security standards to prevent consumer harm resulting from inadequate data security; policies and procedures to ensure the accuracy of information collected about consumers (including procedures related to handling disputes submitted by consumers); and periodic consumer disclosure policies explaining how they can revoke their permission to access their information and request details about the extent of third-party access to their information.
III. Rule-making process
The framework is not an Advance Notice of Proposed Rulemaking, nor a Notice of Proposed Rulemaking (“NPRM”); it sits somewhere in the middle. The CFPB (alone among federal agencies other than the Environmental Protection Agency) must submit any proposed new regulations to a review process under the Small Business Regulatory Enforcement Fairness Act (“SBREFA”) of 1996 administered by the Small Business Administration (“SBA”). To avoid being perceived as ignoring small business concerns raised through the SBREFA process, the CFPB does not submit a full NPRM for review. But the contours of the CFPB’s thinking are easily apparent from its submission to the SBREFA.
The CFPB said it plans to issue an NPRM sometime in 2023, with an expected adoption date of 2024. To guard against a resolution of disapproval under the Congressional Review Act by a potential Republican administration in January 2025, we would expect any final rule to pass no later than the end of Q3 2025.
IV. Effects of Open Banking in the EU
The CFPB proposal is not new; the EU has been experimenting with open banking since adopting its revised PSD2 in 2015 and requiring member countries to implement it by 2018. PSD2 obliges financial institutions to provide data access to third-party providers (“TPP”) with consumer consent and to develop APIs through which TPPs can access consumer data.
Almost immediately after the implementation of PSD2, the number of TPPs acquiring licenses exploded, with TPPs increasing fourfold in just a few years. According to the results of an extensive survey, PSD2 has increased competition, but only up to a point. Most new licenses went to existing players, with only around a quarter of new licenses acquired by start-ups, so PSD2 appears to have had the most impact on established companies. These companies might be looking to meet new requirements or might be looking to expand their services, rather than to compete with new entrants.
The use of open banking in the EU has remained mostly limited to young, technically-savvy consumers who already trust digital services. PSD2 has yet to change traditional attitudes and suspicions towards data access and aggregation. Therefore, the scope for increased trust and financial inclusion could be limited for older consumers and for those who suspect they are opening their data to risks beyond their familiar bank or other institution.