COMMENT CALL: The League is seeking credit unions’ input on the CFPB’s recently proposed Personal Financial Data Rights rule. The proposed rule would:
- Require financial institutions (including most credit unions) and other companies to give a consumer certain data relating to that consumer’s transactions and accounts, and to share that data with third parties (including other businesses that offer competing products) at no cost – if the consumer asks for it;
- Establish obligations for third parties accessing a consumer’s data, including important privacy protections for that data;
- Provide basic technical standards for data access; and
- Promote fair, open, and inclusive industry standards.
As described by the CFPB, the rule “would jumpstart competition by forbidding financial institutions from hoarding a person’s data and by requiring companies to share data at the person’s direction with other companies offering better products. The proposed rule would allow people to break up with banks that provide bad service and would forbid companies that receive data from misusing or wrongfully monetizing the sensitive personal financial data.”
CFPB Director Rohit Chopra said he believes the proposed rule would “give consumers the power to walk away from bad service and choose the financial institutions that offer the best products and prices.”
The proposed rule, issued on Oct. 19, would implement section 1033 of the Dodd-Frank Act (which Congress enacted more than a decade ago). It is sometimes referred to as the 1033 rule or the “open banking” rule.
Make your voice heard
The League plans to comment on the CFPB’s proposal, and we’d like your help. Please take some time to review the proposal and share your feedback with us. Do you support the rules as proposed? If not, why not? What could the CFPB change to ease the compliance burden and lower the costs that this rule would impose on your credit union? What would you like the regulators to know about the impact this rule might have on your operations?
Please share your thoughts with Paul Guttormsson by Dec. 22, so that our comment letter (which is currently due Dec. 29) can reflect your views. (CUNA and NAFCU have sought an extension to the deadline for comments. We will let you know if the CFPB grants their request.)
More details on the proposal
The CFPB has published a set of “Fast Facts” that gives a high-level overview of the proposal.
The following summary, from prominent national law firm Orrick, Herrington & Sutcliffe LLP, covers the proposal’s main points.
Who has to provide data?
Section 1033’s mandate could apply to any institution subject to the CFPB’s authority, including mortgage servicers, debt collectors, or any institution that offers or provides consumer credit (e.g., payday lenders, buy now, pay later providers, installment lenders, etc.).
The proposed rule, however, would start by imposing the information access mandate on firms that most commonly provide this access today – primarily banks that offer consumer checking or savings accounts or issue consumer credit cards. The rule would also apply to certain non-depository institutions that control or possess information concerning these types of accounts, including prepaid card providers, neobanks and digital wallet providers.
Depository institutions that do not offer mobile or online banking – mostly small banks and credit unions – are exempt.
What are the proposed deadlines for compliance?
The compliance dates for covered data providers are staggered. The largest institutions are required to comply within six months of publication of the final rule, the smallest in four years, and everyone else in between. The CFPB has said it intends to expand the rule over time to cover additional types of financial institutions, but it has so far rejected calls to begin with a broader rule.
What data do institutions have to provide?
The proposed rule would require these institutions, known as “data providers,” to make certain “covered data” in their possession or control available to consumers of their relevant products (e.g., depositors or credit card borrowers) or third parties authorized by those consumers. “Covered data” is defined as data about consumers’ accounts or credit cards of the type that consumers likely can already access through an online or mobile portal, including:
- Transaction information (e.g., amount, date, payee, etc.) relating to transactions that are underway, including, for example, debit card transactions that have been authorized but not yet settled and those that have occurred within the last two years (at a minimum).
- Account balance.
- Account and routing information (though this can be tokenized).
- Terms and conditions of the account (e.g., fee schedule, rate, rewards terms, overdraft coverage, existence of an arbitration agreement, etc.).
- Upcoming bill information (e.g., an upcoming utility bill or a minimum payment).
The CFPB narrowed the data it had indicated it might require institutions to provide, in part in response to concerns regarding fraud and consumer privacy.
What kind of data is protected from disclosure?
Data providers would not have to disclose:
- Confidential commercial information.
- Data collected solely to combat fraud.
- Data that is protected from disclosure (to someone other than the consumer) by other sources of law.
- Data that is not retrievable in the ordinary course of business.
Moreover, the statutory language of section 1033 precludes the creation of any duty to maintain or keep any information about a consumer.
What method must data providers use to transmit this data?
The proposed rule would prohibit the use of consumers’ credentials to access data and prohibit “screen scraping.” Covered financial institutions would instead be required to develop application programming interfaces (APIs) to allow third parties to access consumer data in a consistent, accurate and secure fashion.
The data provided through these APIs must be provided in a standardized format, and the APIs are required to satisfy certain performance specifications (e.g., 99.5% of requests for data must be satisfied within 3.5 seconds) and data security requirements.
Data providers are prohibited from imposing access caps on third parties and must avoid excessive “downtime” for their APIs. Notwithstanding the expense these requirements impose on data providers, the CFPB has proposed prohibiting them from charging any direct fee for responding to a data request subject to the rule.
What conditions must third parties satisfy to obtain this data?
To address privacy and data security concerns, the CFPB has proposed a number of requirements on third parties, such as fintechs, who would seek to obtain this data with consumers’ permission, including:
- Express informed consent. The rule would require third parties to provide consumers (and ultimately data providers) with clear and conspicuous disclosures that set forth:
  - Key facts about the third party that will obtain access.
  - The data it will collect.
  - The products for which it will collect data.
  - A certification that it will comply with legal obligations (described below) relating to data security, data accuracy, and its collection, use, and retention of data.
  - A description of the mechanism consumers can use to revoke their authorization.
- Limitations on collection, use and retention of data. Third parties may collect, use and retain a consumer’s data only to the extent “reasonably necessary” to provide the consumer’s requested product or service. They are prohibited from using consumers’ data to engage in targeted advertising, cross-selling of other products or services or selling consumers’ data. They must obtain reauthorization from consumers within one year. If they fail to obtain reauthorization, they must cease collecting additional data and delete data they do not need to provide the covered product or service. We expect to see ongoing discussion of what activities will be deemed “reasonably necessary.”
- Data accuracy. Third parties must adopt policies and procedures to ensure the data they receive remains accurate during its transmission (i.e., reflects the same information that the data provider has).
- Adequate data security. Third parties’ data security must at least comply with section 501 of the Gramm-Leach-Bliley Act (GLBA). Indeed, the rule allows data providers to deny access to their interface if the third party cannot demonstrate it has adequate data security. The FTC Safeguards Rule implementing section 501 provides that a non-bank third party’s data security program must be “appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue,” so it is possible that the quality of third parties’ data security protections will be a source of friction between data providers and third parties.
- Allowing consumers to control their data. Third parties that obtain consumers’ authorization to collect data must make it easy for consumers to get a copy of the disclosures described above (e.g., on the fintech’s app or website). They also must provide consumers with an easy method to revoke authorization for third party access. Upon revocation, the third party must notify the data provider and any other third party (e.g., a data aggregator or service provider) that had access to the data to stop further collection and delete any data not necessary to providing the product or service.
Notably, these obligations apply whether a third party obtains data from the data provider or through a data aggregator. If, for example, a fintech relies on a data aggregator to obtain consumer data from a bank, the aggregator must comply with the same obligations regarding collection, use, and retention of data, data accuracy, and data security described above and must provide consumers with a separate certification that it has complied with those obligations. The fintech remains ultimately responsible, however, for ensuring that the authorization procedures are followed.
In addition, the CFPB does not propose prohibiting third parties from sharing consumers’ data with additional parties (e.g., service providers) to deliver the product or service. Those subsequent parties, however, must agree to meet the same obligations as the third party who obtained the consumer’s permission.
Who is going to flesh out the details?
Acknowledging the pace of technological change in this area and its lack of comparative expertise, the CFPB has opted not to impose prescriptive technical standards for the format of data that is transmitted, the performance of APIs, data security or other technical standards. It has, instead, suggested that compliance with a “qualified industry standard” will constitute compliance (in the case of data format) or an indication of compliance with respect to technical standards.
However, the CFPB is seeking to limit a “qualified industry standard” to one established by a “fair, open, and inclusive standard-setting body” open to all relevant participants in the industry, including consumer advocates and civil rights organizations. The body must be transparent, balanced across participants, provide appropriate processes – including for appeals of determination – and establish standards based on general agreement. Significantly, a “standard-setting body” must have been recognized by the CFPB as an issuer of “qualified industry standards” in the past three years to issue qualified industry standards.
The CFPB’s reliance on such standards is consistent with Director Chopra’s statement that fair standards reflecting the interests of all participants “will be critical to the creation and maintenance of an open banking system” that best serves consumers. The agency has promised to provide additional information regarding the process for obtaining recognition as a standard-setting organization.
Who is going to enforce these obligations?
The CFPB would enforce the rule against non-depositories and banks and credit unions with more than $10 billion in assets, as is the case with other rules that implement a provision of Title X of the Dodd-Frank Act.
Federal banking agencies and the National Credit Union Administration would enforce the rule against banks and credit unions with less than $10 billion in assets. In addition, under section 1042 of the Dodd-Frank Act, State attorneys general and state regulators could enforce the rule against any institution subject to their jurisdiction, including national banks and federal savings associations.
The rule would not displace existing obligations, such as those under the Electronic Fund Transfer Act, Truth in Lending Act or GLBA, which are enforceable by the same agencies, as well as the FTC with respect to non-depositories. Nor would it displace consumers’ rights of actions under these or other laws that may be applicable.