On October 19, the Consumer Financial Protection Bureau (the "CFPB") proposed the long-anticipated "Personal Financial Data Rights Rule" (the "Proposed Rule"), which would govern access for consumers and data aggregators to personal financial information from financial institutions through open banking. The CFPB's stated goals for the Proposed Rule are to increase competition in the banking and consumer finance sector and to protect consumer data through the creation of a "data access framework" that is safe, secure, reliable and competitive.1 The Proposed Rule would be implemented under Section 1033 of the 2010 Dodd-Frank Consumer Financial Protection Act,2 under what CFPB Director Rohit Chopra characterized as "dormant authority" in prepared remarks accompanying the release.3
Director Chopra asserted that a lack of data access in the consumer banking and finance sector prevents consumers from easily changing providers, even if unsatisfied with interest rates and service quality. He equated the bureaucratic challenge of switching banks to that of the wireless phone industry before the Federal Communications Commission adopted new policies requiring wireless phone number portability.
Director Chopra notes the Proposed Rule would establish "standards for data access," whereby financial institutions subject to the rule would be required to provide consumers with access to their financial data, including their transaction history.4 The CFPB's stated goals for this rule include presenting new financial providers with a more complete financial picture to consider when offering products to consumers and to enable consumers to more easily leave underperforming providers.5 If adopted, the rollout of these requirements would occur in stages, with compliance by larger financial institutions being required before smaller institutions.6
Data security and control
The Proposed Rule also aims to transition the market away from reliance on screen scraping as a means of accessing personal financial data from financial institutions. It would also impose new data storage and access restrictions. Firms would be required to "establish and maintain systems that could receive data access revocation requests, track duration-limited authorizations, and delete data when required due to revoked authorizations, lapsed authorizations, or because retaining the data is no longer reasonably necessary."7
Third-party data use restrictions
Director Chopra also noted the Proposed Rule would address perceived data privacy concerns by imposing prohibitions on the use of personal data by third-party recipients, including using data for targeted advertising, selling data to data brokers and using data to train artificial intelligence to manipulate consumer behavior.8
The CFPB is accepting comments to the proposal until December 29, 2023, with the goal of finalizing the rule by Fall 2024.
The Proposed Rule, if implemented, will significantly change the legal and commercial dynamics among consumers, traditional financial institutions, technology platforms and third-party users of consumer data. The proposal is significant and warrants reviews of firms' consumer and data compliance policies as well as commercial arrangements. Given the influence federal consumer protection laws have on state laws, and the increased interest in data privacy laws at the state level, it is likely that states, too, will adopt or modify their approach to consumer data rights addressed in the Proposed Rule.
1 Consumer Financial Protection Bureau, 12 CFR Parts 1001 and 1033, Docket No. CFPB-2023-0052, Required Rulemaking on Personal Financial Data Rights (October 19, 2023).
3 Prepared Remarks of CFPB Director Rohit Chopra on the Proposed Personal Financial Data Rights Rule, Consumer Financial Protection Bureau (October 19, 2023).
4 Consumer Financial Protection Bureau, 12 CFR Parts 1001 and 1033, Docket No. CFPB-2023-0052, Required Rulemaking on Personal Financial Data Rights (October 19, 2023).
6 "CFPB Proposes Rule to Jumpstart Competition and Accelerate Shift to Open Banking, Consumer Financial Protection Bureau" (October 19, 2023).
7 Consumer Financial Protection Bureau, 12 CFR Parts 1001 and 1033, Docket No. CFPB-2023-0052, Required Rulemaking on Personal Financial Data Rights (October 19, 2023).
8 Prepared Remarks of CFPB Director Rohit Chopra on the Proposed Personal Financial Data Rights Rule, Consumer Financial Protection Bureau (October 19, 2023).
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2023 White & Case LLP