On October 19, 2023, the Consumer Financial Protection Bureau (CFPB) announced its long-awaited proposed rule regulating “Personal Financial Data Rights” (the proposed rule). The proposed rule implements Section 1033 of the Dodd-Frank Act, which provides consumers the right to access and port their financial information between banks and other financial entities. CFPB Director Rohit Chopra stated that the proposal would accelerate the shift towards open banking and jumpstart competition in the U.S. financial service sector by giving consumers “the power to walk away from bad service” and switch providers.
The proposed rule would apply to two main categories of entities: 1) data providers like banks, consumer credit lenders, and payment facilitation companies (e.g., digital wallets); and 2) authorized third parties who can access financial data from data providers on consumer’s behalf, including data aggregators.
Requirements Applicable to Data Providers. Data providers would be subject to three main requirements:
- Requirement to make consumer data available without fees or charges. The proposed rule would require data providers to make consumer account information available, without fees or charges, both to the consumer about whom the account relates, as well as any entity authorized to act on the consumer’s behalf, such as a data aggregator. The range of covered information required to be provided is broad, and includes account information, transaction history, account balance, and upcoming bill information. The proposed rule does not require the disclosure of confidential commercial information (such as algorithms used to derive credit scores and risk predictors), information collected to prevent fraud or other unlawful conduct, and information the provider cannot retrieve in the ordinary course of its business.
- Requirement to establish and maintain “developer interfaces.” The proposed rule would require providers to “establish and maintain” an accessible “developer interface” for third parties to access consumer-authorized data (for example, through the use of APIs). The performance of the interface must be “commercially reasonable.” Data providers are also prohibited from imposing unreasonable access caps (i.e., limits on how often a third-party authorization request will be fulfilled). They must implement security safeguards consistent with the Gramm-Leach-Bliley Act and the Safeguards Rule. And they must disclose information about themselves and the developer interfaces to ensure that consumers and authorized third parties have the information necessary to make requests and use the interface.1
- Requirement to implement standardized formats. The proposed rule would require consumer data to be made available in both “usable” and “standardized” format by consumers and their authorized third parties. To satisfy the “usable” standard, the data must be available in a machine-readable file that a consumer or authorized third party can retain and transfer into a separate information system. As for “standardization,” data providers may either 1) comply with “qualified industry standards” issued by a CFPB-recognized standard-setting body, or 2) if no such standards exist, make covered data available in a format that is “widely used by the developer interfaces of other similarly situated data providers with respect to similar data and is readily usable by authorized third parties.” The CFPB sets forth a process through which applicants can become a “qualified standard setting body,” which includes the applicant having to show that they develop their standards through a “fair, open, and inclusive” method.
Authorized Third Parties. Third parties would be subject to the following main requirements, among others.
- Disclosure, Consent, and Certification. The proposed rule would place strict limitations on third parties’ ability to access consumer data from data providers. Before seeking access to a consumer’s data from a data provider, the third party would have to disclose the following information to the consumer to secure their authorization: 1) the name of the third party (including the name of any data aggregator that will assist the third party, along with a brief description of the services the data aggregator will provide); 2) the name of the relevant data provider; 3) a brief description of the product or service that the consumer has requested from the third party; 4) the categories of covered data that will be accessed; 5) a certification that the third party will comply with limitations on data collection, use, and retention along with other privacy, accuracy, and security obligations; and 6) a description of how consumers may revoke authorized access. The third party would then have to get the consumer’s express informed consent to access their information, signed by the consumer electronically or in writing.
If the third party is using a data aggregator to assist with accessing a consumer’s data, the data aggregator must also provide a certification to the consumer that the aggregator will comply with limitations on data collection, use, and retention along with other privacy, accuracy, and security obligations. The third party may include the data aggregator’s certification in its authorization disclosure, or the data aggregator may provide a separate certification. The proposed rule also permits the third party to rely on the data aggregator to perform the third-party authorization procedures on behalf of the third party, but it makes clear that the third party is ultimately responsible for compliance. - Use Limitations. Under the proposed rule, authorized third parties and data aggregators that access a consumer’s financial data would only be allowed to collect, use, and retain that data to the extent “reasonably necessary” to offer the consumer’s requested product or service. They may not collect, use, or retain the consumer’s data for any secondary purposes, including for example, targeted or behavioral advertising, cross-selling of other products or services, or to sell the covered data to other third parties. However, the proposed rule continues to permit data uses that are required to comply with law enforcement subpoenas and court orders and uses that are reasonably necessary to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability.
- Data Minimization Requirements: The proposed rule states that third parties may only retain consumer information for one year after the consumer’s most recent authorization. If the third party wanted to keep data for beyond this period, the consumer would have to reauthorize access on an annual basis. In addition, consumers would have the right to revoke access at any time, which the third party would have to honor.
- Data Security: Third parties under the proposed rule would be required to certify to consumers that they will apply a data security program consistent with the Gramm-Leach-Bliley Act and the Safeguards Rule.
- Record-Keeping Requirements: Finally, the proposed rule would require third parties to retain records that are evidence of compliance with the proposed rule.
The CFPB proposes to implement the rule in phases, establishing a staggered effective date starting at six months for the largest banks and firms, and extending to four years for the smallest.
Next Steps
The proposed rule is likely to undergo some revision before being finalized sometime in fall 2024. Interested parties may submit public comments to the CFPB on or before December 29, 2023. We encourage businesses interested in and potentially affected by the CFPB’s proposed rule to submit comments. Wilson Sonsini Goodrich & Rosati routinely advises companies on submitting public comments on proposed rules in the fintech, privacy, and security areas. For more information about this alert, please contact Maneesha Mithal, Libby Weingarten, or any member of the firm’s privacy and cybersecurity or fintech and financial services practices.
Doo Lee contributed to the preparation of this alert.
[1] The CFPB details certain risks associated with the practice of screen-scraping and states that “[t]he CFPB expects that third parties would no longer use screen scraping to access covered financial data once data providers have compliant interfaces for third parties.” Notice of Proposed Rulemaking at 213.
