On October 27, 2022, the Consumer Financial Protection Bureau (“CFPB”) announced a new regulatory framework (“Framework”) governing “Personal Financial Data Rights,” or, in other words, “open banking.” Conceptually, open banking requires financial service providers to have open access to consumer financial data held by other financial institutions through the use of application programming interfaces (“APIs”).
The CFPB’s primary goal is to encourage consumers to “shop around” for financial products and services by ensuring that consumers (1) “don’t have to start over” if they change financial institutions and (2) will “have the leverage to leave because they will have access to more customized products and services.” If adopted by the CFPB, the Framework will reduce the current friction that burdens the flow of consumer data and may encourage reluctant consumers to obtain products or services from FinTech providers.
The Framework extends a worldwide trend in financial regulation that emphasizes open data flows, with the US soon to join the European Union (which adopted the Payment Services Directive (“PSD2”) in 2015) in mandating data transparency. The CFPB aims to increase competition between traditional financial institutions and FinTechs, which will hopefully improve services and lower prices. However, the mixed European experience shows the limits of the change that open banking regulation can foster.
II. Summary of the Framework
Under the Framework, “providers of protected data” will be required to provide certain data about users to (a) users and (b) “authorized third parties” through online data portals. The Framework will also place important obligations on third parties with respect to their collection, use and retention of user information.
b. Protected Data Provider
As proposed, the Framework will apply to protected data providers and the information they collect while providing certain specific services. Covered data providers will include “financial institutions,” and the information they collect in providing “asset accounts” will be subject to the Framework. Covered data providers will also include “card issuers,” and the information they collect in setting up “credit card accounts” will be subject to the Framework.
Under this definition, financial institutions will include banks, savings associations, credit unions and others who hold consumer checking and savings accounts, as well as persons who issue access devices and agree with consumers to provide electronic funds transfer services. An asset account will include any checking, savings or other consumer asset account established primarily for personal, family or household purposes. A card issuer will include any credit card issuer, and a credit card account will include any account offered under an open consumer credit plan.
c. Data Scope
The Framework requires providers of protected data to provide six specific categories of information:
- Periodic statement information for completed transactions and deposits;
- Information on previous transactions and outstanding deposits;
- Other information about previous transactions that is not normally shown on periodic statements or portals;
- Information about online banking transactions that the user has prepared but that have not yet taken place;
- Account identity information; and
- Certain other information.
Expressly excluded from the requirement to provide information is any confidential commercial information, including algorithms used to derive credit scores or other risk scores.
With respect to periodic statement information, the protected data provider will be required to supply, among other items, the following:
- For each transfer, the amount, date, and location of the transfer, and the name of the third party (or seller) to or from whom the transfer was made;
- Any fees charged to the account;
- Any interest credited to an asset account or charged to a credit card account;
- Annual percentage yield (“APY”) of an asset account or annual percentage rate (“APR”) of a credit card account;
- Current account balance;
- Account terms and conditions, including a schedule of fees that may be charged to the account; and
- For asset accounts, the account number.
Account identity information includes information such as: name; age; gender; marital status; total liabilities; nationality; ethnicity; citizenship or immigration status; veteran status; residential address; phone number; email address; date of birth; social security number; and driver’s license number.
Other information required to be provided under the Framework includes: consumer reports from consumer reporting agencies obtained and used by protected data providers in deciding whether to provide accounts or other financial products or services to consumers; fees assessed by the protected data provider in connection with its protected account; bonuses, rewards, discounts or other incentives provided by the protected data provider to the user; and information about security breaches that expose users’ identity or financial information.
d. Online Data Portal
The Framework requires providers of protected data to provide information in two different ways.
First, when a user requests direct access to that information, the protected data provider will be required to provide that information to the user through an online financial account management portal, exportable in both human-readable and machine-readable formats, once the protected data provider has sufficient information to reasonably verify the user’s identity and identify the requested information.
Second, for third-party requests, protected data providers will be required to maintain a “third-party access portal” through which authorized third parties can access user information. The protected data provider will only be required to provide information when the protected data provider has received proof of the third party’s authority to access the information on behalf of the user, sufficient information to identify the scope of the information requested, and sufficient information to verify the identity of the third party.
e. Data Obligations and Restrictions
The CFPB Framework also outlines certain obligations that third parties seeking consumer information must meet. Under the Framework, third parties will only be permitted to collect, use and store information that is reasonably necessary to provide the product or service requested by the user. Third parties are also required to provide users with an easy method to revoke their permission to access user information at any time. Third-party use of user-authorized information beyond what is reasonably necessary to provide the product or service requested by the user (“secondary use”) will also be limited under the Framework. Furthermore, when third parties no longer reasonably need the information to provide products or services to users, they will be required to delete it.
Third-party obligations also require authorized third parties to implement certain policies and procedures, including data security standards to prevent harm to users arising from inadequate data security; policies and procedures to ensure the accuracy of user information collected (including procedures for handling disputes submitted by users); and policies for making periodic disclosures to users that explain how they can revoke their consent to access their information and request details about the extent of third-party access to their information.
III. Rulemaking Process
The Framework is not a notice of proposed rulemaking (“NPRM”), nor is it an initial notice of proposed rulemaking – it falls somewhere between the two. The CFPB (alone among federal agencies other than the Environmental Protection Agency) must submit any new regulations it contemplates to the review process under the Small Business Regulatory Enforcement Fairness Act (“SBREFA”) of 1996, administered by the Small Business Administration (“SBA”). To avoid appearing to ignore small business concerns raised through the SBREFA process, the CFPB did not submit the full NPRM for review. But the contours of the CFPB’s thinking are easy to glean from its SBREFA submission.
The CFPB has indicated that it expects to issue an NPRM in 2023, with an expected date of adoption in 2024. To hedge against a resolution of disapproval under the Congressional Review Act by a potential Republican administration in January 2025, we expect any final rule to be adopted no later than the end of the third quarter of 2025.
IV. The Impact of Open Banking in the EU
The CFPB proposal is not novel; the EU has been experimenting with open banking since adopting the revised PSD2 in 2015 and requiring implementation by member states by 2018. PSD2 requires financial institutions to deliver data access to third-party providers (“TPPs”) with user consent and to develop APIs through which licensed TPPs can access user data.
Almost immediately after PSD2 was implemented, the number of TPPs obtaining licenses increased, with TPPs increasing by a factor of four in just a few years. According to the results of an extensive survey, PSD2 does increase competition, but only to a certain extent. Most new licenses are granted to existing players, with only about a quarter of new licenses obtained by start-ups, so PSD2 appears to have had the biggest impact on established firms. These firms may seek to meet new needs or may wish to expand their services, rather than compete with new entrants.
The use of open banking in the EU remains mostly limited to younger and technically savvy consumers who already place their trust in digital services. PSD2 has yet to change traditional attitudes and suspicions directed towards data access and aggregation. Therefore, the scope for increased trust and financial inclusion may be limited for older consumers and for those who are wary of exposing their data to risks outside of the banks or other institutions they know.