On 22 Oct. 2024, the Consumer Financial Protection Bureau issued its long-awaited final Personal Financial Data Rights rule, which implements Section 1033 of the Dodd-Frank Act.

The rule requires data providers, typically banks, to give certain data about a consumer's use of their products or services to the consumer or a designated third party upon the consumer's request. These third parties are often financial technology companies, called fintechs, that offer digital applications that are not regulated like financial institutions.

The practice of transferring bank data to another entity at a consumer's direction, commonly known as open banking, is one of the most significant modern business cases for data portability. Open banking has been a growing trend in the U.S. and around the world, often supported or even driven by regulations.

For the new CFPB rule's purposes, covered financial products include checking and savings accounts per Regulation E and credit cards per Regulation Z, as well as facilitation of payments from these accounts. Data providers are entities that provide these products, including digital wallets, above certain asset and revenue thresholds. The authorized third party category is more open-ended, and can include any party that follows the rule's authorization procedures. The CFPB indicates it may cover more data providers and products in future rulemakings.

The CFPB's stated goals include fostering competition and innovative products and services for consumers, while promoting privacy and security. While innovation can take many forms, open banking typically has two common benefits for consumers. First, consumers can better aggregate information about their various accounts for financial planning purposes. Second, they can enable more payments directly from their bank accounts, sometimes called pay by bank.

Given that open banking provides access to consumers' sensitive financial information and involves entities across different regulatory regimes, a myriad of privacy and security issues arise. Key examples include the accountabilities and interplay of the parties, the rule's novel approach to privacy, both for the financial sector and more generally, and the role of industry standards under the rule.

For purposes of this article, data providers are referred to as banks and third parties as fintechs, although there are other covered entities and parties can also play multiple roles — that is, there will be use cases where the bank is a third party offering a new service.

The privacy dance between the parties

Privacy practitioners working for business-to-consumer companies know the challenges of compliance with consumer-facing duties, such as regarding notice and choice, and the need for back-end controls to ensure systems are secure and function properly.

In open banking, this is complicated by the addition of other entities. There are often three companies involved in an open banking transaction: the bank and the fintech, which have independent relationships with the consumer, as well as data aggregators like Plaid that are hired by fintechs to facilitate the data transfers.

The CFPB's rule applies modern privacy principles to consumer-facing obligations, including notice — called an "authorization disclosure" — opt-in consent and individual rights.

All three open banking entities can have roles to play in interacting directly with the consumer. Fintechs have the primary responsibility for many of these interactions since they are providing the new desired service. Aggregators can assist and must be identified to the consumer as part of the authorization disclosure or via their own certification. Given the importance of getting the transaction right, the bank is responsible for authenticating the consumer and third party and is allowed to confirm the accounts and type of information subject to the data transfer. Banks will have to do this carefully, as the rule prohibits evasion, or activities that chill consumer access. In addition, banks and aggregators can, and fintechs must, provide revocation methods to consumers. Collaboration between the parties on all these intersecting privacy roles is key.

The back-end infrastructure is just as complex. The rule requires banks to establish "developer interfaces" to conduct data transfers to fintechs. A commonly known example is an application programming interface. Once established, banks can block fintechs from "screen scraping," whereby the fintech obtains the consumer's login credentials and then signs in to platforms like chase.com to extract information on the consumer's behalf. Because the fintech holds the consumer's own credentials, the bank cannot limit that access to the authorized accounts and data types, attribute it to a particular third party or revoke it without the consumer changing their password. This is a poor privacy and security practice that the Future of Privacy Forum and other commenters on the notice of proposed rulemaking recommended be sunset as soon as practical.
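The following is an added illustration, not code from the article or from any bank, aggregator or standard setter, of why the developer interface model is preferable to screen scraping. It contrasts a credential-based scrape, which returns everything the consumer can see, with a hypothetical developer interface that issues a grant scoped to the accounts and data types the consumer authorized, enforces expiry, and supports the revocation the rule requires. The ledger, credentials, names and the grant format are all constructed for the example.

```python
"""Scoped, revocable data access versus credential sharing (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets

# Constructed stand-in for the bank's core ledger: two accounts for one consumer.
LEDGER = {
    "chk-001": {"balance": 1250.40,
                "transactions": [("2024-10-01", -42.10, "grocer"),
                                 ("2024-10-03", 2000.00, "payroll")]},
    "sav-002": {"balance": 9800.00,
                "transactions": [("2024-10-02", 100.00, "transfer")]},
}

# Constructed consumer login; a real system would hold a password hash, not plaintext.
CONSUMER_CREDENTIALS = {"alice": "hunter2"}


def screen_scrape(username: str, password: str):
    """Legacy path: whoever holds the consumer's credentials sees the whole ledger.

    The bank cannot tell the consumer from the scraper, cannot restrict the
    scraper to particular accounts or data types, and cannot revoke the access
    short of forcing a password change.
    """
    if CONSUMER_CREDENTIALS.get(username) != password:
        return None
    return LEDGER


@dataclass
class Grant:
    """Record of one consumer authorization, captured after the authorization disclosure."""
    grant_id: str
    consumer_id: str
    third_party_id: str
    accounts: frozenset          # accounts the consumer authorized
    data_types: frozenset        # e.g. {"balance", "transactions"}
    expires_at: datetime
    revoked: bool = False


class DeveloperInterface:
    """Hypothetical bank-side interface enforcing scope, expiry and revocation."""

    def __init__(self):
        self._grants: dict[str, Grant] = {}

    def authorize(self, consumer_id, third_party_id, accounts, data_types,
                  now: datetime, ttl_days: int = 365) -> str:
        # The bank confirms the accounts exist before binding them to the grant.
        unknown = set(accounts) - LEDGER.keys()
        if unknown:
            raise ValueError(f"unknown accounts: {sorted(unknown)}")
        grant = Grant(secrets.token_urlsafe(16), consumer_id, third_party_id,
                      frozenset(accounts), frozenset(data_types),
                      now + timedelta(days=ttl_days))
        self._grants[grant.grant_id] = grant
        return grant.grant_id

    def revoke(self, grant_id: str) -> bool:
        """Consumer-initiated revocation: the bank stops serving the grant immediately."""
        grant = self._grants.get(grant_id)
        if grant is None:
            return False
        grant.revoked = True
        return True

    def fetch(self, grant_id, third_party_id, account, data_type, now: datetime):
        """Return ("ok", data) or ("denied", reason); the third party never sees credentials."""
        grant = self._grants.get(grant_id)
        if grant is None or grant.third_party_id != third_party_id:
            return ("denied", "unknown grant or wrong third party")
        if grant.revoked:
            return ("denied", "revoked")
        if now >= grant.expires_at:
            return ("denied", "expired")
        if account not in grant.accounts:
            return ("denied", "account out of scope")
        if data_type not in grant.data_types:
            return ("denied", "data type out of scope")
        return ("ok", LEDGER[account][data_type])


if __name__ == "__main__":
    now = datetime(2025, 4, 1, tzinfo=timezone.utc)
    api = DeveloperInterface()
    gid = api.authorize("alice", "budget-app", ["chk-001"], ["balance"], now)
    print(api.fetch(gid, "budget-app", "chk-001", "balance", now))       # ok
    print(api.fetch(gid, "budget-app", "sav-002", "balance", now))       # out of scope
    api.revoke(gid)
    print(api.fetch(gid, "budget-app", "chk-001", "balance", now))       # revoked
```

The point of the contrast is structural: with a scoped grant, the bank can authenticate both the consumer (at authorization time) and the third party (at fetch time), confine the transfer to the accounts and data types disclosed to the consumer, and honor a revocation without touching the consumer's login. A scrape has none of those properties.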

Banks also act as gatekeepers to decide if fintechs get access to the interfaces. Some denial reasons are straightforward, such as if the fintech hasn't provided information to identify itself or any evidence of an adequate security program.

As a more complex process, banks may also deny access based on risk management concerns. There are three grounds for these risk management denials: safety and soundness standards of a prudential regulator, information security standards under the Gramm-Leach-Bliley Act, and other applicable laws and regulations regarding risk management. The rule does not establish what qualifies as a risk management law or regulation, or the extent to which banks may rely on interagency guidance on managing risks from third parties, which is issued by prudential regulators and informed by laws and regulations. Further, it is unclear which regulators will have jurisdiction over all the parties, what oversight may look like or when bank denials could be considered evasion.

The CFPB's novel approach to data uses and deidentification for third parties

Some of the rule's most important aspects are in its new approaches to privacy. The CFPB declined to extend the GLBA privacy rules to third parties. Instead, a fintech must limit how it collects, uses and retains data to what is "reasonably necessary" to provide the requested product or service. The rule lists examples of activities that qualify as reasonably necessary, now including product improvement, and what activities do not, including targeted advertising, cross-selling and data sales.

There is very little guidance otherwise related to permissible collection, use and retention. This is unusual for the financial sector, which tends to live under extensive regulatory guidance, particularly where fintechs will often be new entrants and may need guidance to achieve an appropriate control environment. For comparison, the CFPB issued privacy regulations under the GLBA, known as Regulation P or the Privacy of Consumer Financial Information, which runs 48 pages in the electronic Code of Federal Regulations.

In addition, the rule prohibits fintechs from secondary uses of data, including uses of deidentified data, unless that use is itself reasonably necessary or is a stand-alone product authorized by the consumer. This approach is at the level of, or stricter than, recent state laws and international approaches, under which deidentified data is typically considered outside the purview of the regulation because it is not personal data. The CFPB acknowledges there can be public policy value in researching deidentified data and suggests it may conduct further rulemaking on that specific topic. Applying this approach to deidentification in other regulatory regimes would likely have substantial impacts and is one for privacy practitioners to watch.

As a final word about privacy, the additional notice, consent and use requirements are additive to the growing number of privacy rules. Even within open banking, a bank may have to follow GLBA rules while acting as a data provider, and Section 1033 rules if it receives data as a third party.

The CFPB supports industry standards within its regulatory framework

Lastly, the rule sets forth important roles for industry standards. In the early days of this rulemaking, the CFPB favorably cited the U.S. Office of Management and Budget's Circular A-119, which addresses when and how agencies may rely on industry standards in rulemaking. The rule establishes several topics on which a standard setter can issue an industry standard that provides an "indicia of compliance," meaning that conformance to the standard is one, but not the only, way to demonstrate compliance, and the showing is rebuttable.

Examples concern the developer interface and its performance, risk management denials, and certain policies and procedures. The standard setter would need to be recognized by the CFPB through a process outlined in a final rule issued earlier this year. On 8 Jan., the CFPB recognized its first standard setter, the Financial Data Exchange, a nonprofit that has developed an open banking API and other guidance. The role of industry standards, whether formally recognized or not, is likely to benefit this developing ecosystem.

As you can see, there are plenty of juicy things to chew on to implement the CFPB's final Section 1033 rule. Compliance is phased in by institution size: the largest banks must comply beginning April 2026, with the smallest covered banks coming on board by April 2030.

Litigation has already been filed challenging the CFPB's authority to issue the rule. And, of course, there is a new administration coming in that may pause or change the rule's direction.

However, regardless of the rule's fate, open banking as a business activity is here to stay. Players in the ecosystem must continue to work together to meet consumer needs.

Zoe Strickland, CIPP/G, is a senior fellow and Daniel Berrick, CIPP/E, CIPP/US, is a senior policy counsel for artificial intelligence at the Future of Privacy Forum.