The US Consumer Financial Protection Bureau (CFPB) has put forward a rule for sharing consumers’ financial data with third parties, as it hopes to move the United States closer to open banking.
Last Thursday (October 19), the CFPB published its long-awaited Personal Financial Data Rights proposal, which lays down rules for third-party data sharing and strengthens protections against the misuse of consumer data.
The rules would implement Section 1033 of the Dodd-Frank Act, which gives consumers the right to share their personal financial data with third parties. The 2010 law also tasks the CFPB with implementing data-sharing standards and protections.
Although the right to share financial data was given to consumers more than 13 years ago, in the absence of regulatory action, the US market has developed a market-driven approach to open banking that largely relies on bilateral information-sharing agreements.
As a result, access to financial data is often inconsistent among financial institutions and the terms of the sharing vary greatly.
“This lack of norms in the market allows incumbents to play games to their own customers’ detriment,” the CFPB said in a press release, adding that it “undercuts the ability of small or upstart institutions to compete with incumbents”.
In the nearly 300-page proposal, the CFPB aims to ensure that consumers have a legal right to grant third parties access to information associated with their credit card, checking, prepaid and digital wallet accounts.
It would require banks to make personal financial data available, at no charge to consumers or their agents, through dedicated digital interfaces that are “safe, secure, and reliable”.
CFPB director Rohit Chopra said the rules align with many of the guidelines in place or under consideration in other major jurisdictions around the world.
However, as reported by Vixio, the CFPB’s open banking proposal is different from Europe’s open banking framework in the sense that it is limited to consumers’ financial data-sharing rights and, at this point, does not concern payment initiation.
Rules focused on safeguarding customers
As Chopra has stated several times, the main goal of the current proposal is to help consumers switch financial service providers more easily and enable consumers to “vote with their feet”.
Given the market-driven approach to open banking in the US, the proposal would leave standard-setting to the industry and instead aims to ensure that those standards are “fair, open, and inclusive”.
In addition to giving consumers access to their financial data, the rule introduces long-overdue protections aimed at strengthening data security and privacy standards and preventing the exploitation of personal data.
One of the proposed measures would prohibit third parties from collecting, using or storing customers’ personal information to a larger extent than what is “reasonably necessary” to provide the requested service.
Chopra stressed that when a consumer gives a company access to their data, “it is not a free pass for that company to exploit the data for other uses”.
The rules say that firms that receive financial data to provide a specific service cannot feed the data into algorithms for unrelated activities, such as targeted advertising and marketing.
“Firms couldn’t collect data to provide a service, and then also monetise it by selling to data brokers. Authorised data also couldn’t be used to train artificial intelligence that manipulates consumer behaviour,” emphasised the CFPB director.
The proposal also introduces consumer rights to revoke access to their data that also oblige the company to delete the data they hold on that consumer. Consumer consent would be limited to one year, after which the company must obtain reauthorisation.
Under the proposal, the requirements would be implemented in phases, with larger providers being subject to them within six months after the final rule is published, while the smallest players would have two and a half years to comply.
First reactions to the proposal
The proposed open banking rules have generally received positive feedback from fintech players, while banks, which will be required to share their customers’ data in line with the CFPB rules, have raised some concerns.
Penny Lee, president and CEO of the Financial Technology Association (FTA), said the proposal is a “win for consumers” that builds on the industry’s progress and “can provide assurances for continued consumer-friendly innovation”.
Steve Boms, executive director of the Financial Data and Technology Association of North America (FDATA), a trade association of open finance companies, said the association also strongly supports the proposed rules and is pleased that they create strong data security and privacy standards.
Meanwhile, Wise, the London-based fintech that provides payment services in the US, said the proposal is “a crucial step” for ensuring the US “remains competitive globally”.
“Looking ahead, we urge the CFPB to facilitate standard-setting and open banking governance to better incentivise data-sharing, guarantee data parity via API, and expand the scope of open banking to cover broader financial accounts and include payment initiation,” the company’s spokesperson told Vixio.
Bankers, on the other hand, expressed scepticism about the proposal.
The National Association of Federally-Insured Credit Unions (NAFCU) raised concerns that the rules could “invite rapid expansion of nonbank access to sensitive consumer account information”.
Ann Petros, NAFCU vice president of regulatory affairs, warned that the framework could also pose more systemic risks to the banking sector, for instance, by facilitating rapid and unpredictable movements of deposits and expanding data security and data privacy concerns.
Petros also noted that the proposal could have the unintended consequence of driving further consolidation within the industry “through extraordinary compliance costs and the obligation to provide — at no charge — data to third parties”.
Meanwhile, Rob Nichols, president and CEO of the American Bankers Association (ABA), urged the CFPB to address the question of liability “if something goes wrong” and hold third parties “not only to the same high standards” but also “to the same level of supervision related to data security, privacy, and consumer protection” that banks must meet.
The proposal is open for comment until December 29 and a final rule is expected to be issued by next autumn.
Going ahead, the agency said it will also issue additional information on how industry standard-setting organisations can obtain recognition from the CFPB and intends to cover “additional product types” in future rulemaking.