March 10, 2023
Stroock Client Alert
By: Stephen J. Newman, Jimmy L. Ma
Introduction
In 2010, Congress passed the Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act”), which included Section 1033. Subject to rules prescribed by the Consumer Financial Protection Bureau (the “CFPB”), Section 1033 generally requires financial service providers to make financial data concerning a consumer available to that consumer.[1] On October 27, 2022, the CFPB finally unveiled its plans to issue a regulation (the “CFPB Open Banking Rule”) implementing Section 1033.[2] The CFPB Open Banking Rule[3] proposes giving consumers the right to control and share their financial data with banks and non-bank financial institutions through the use of application program interfaces (“APIs”). The rule is said to move the financial services industry towards “open banking,” which refers to the practice of giving financial services firms access to customer banking and other financial data to facilitate the development of new types of products and services for consumers.[4] If implemented, the CFPB Open Banking Rule is thought to be one of the most significant data privacy laws promulgated by a federal agency. This article discusses what and who the CFPB Open Banking Rule covers, the purpose of the rule, issues confronting the rule, and the timeline for implementing the rule.
Who And What Is Covered By The CFPB Open Banking Rule
The CFPB Open Banking Rule applies to “covered data providers,” which include:
The CFPB explained that it focused on these covered data providers because they implicate consumers’ payment and transaction data. Notably, some consumer finance actors that are not covered by the CFPB’s plans include auto lenders, nonbank mortgage lenders, and installment lenders.[6] The CFPB has said that its rules may cover more financial products in the future.[7]
The CFPB Open Banking Rule requires covered data providers to make available the following six categories of consumer financial information:
Interestingly, the CFPB Open Banking Rule does not appear to grant banks any discretion to deny requests to access consumer financial information, which raises issues discussed further below.[8]
To protect against the unauthorized transfer of consumer information to third-party financial service providers, the CFPB has stated that an “authorized third-party” must:
The CFPB is also considering proposals that:
Rationale For The CFPB Open Banking Rule
CFPB Director Rohit Chopra has explained that the CFPB Open Banking Rule is intended to boost market competition in the financial sector by “empowering people to break up with banks that provide bad service” and by enabling people to take their financial data with them to other institutions that offer better financial products and services.[9] New or small financial firms would be able to use the financial data to build and offer products, services, and mobile apps to compete with large financial institutions.
The aggregation of a consumer’s financial data provides a financial overview of the consumer, which banks and financial technology companies (“fintechs”) can use to tailor services, recommend products, and improve consumer experiences. Such data is useful for mobile apps, such as Mint, that help users budget and gain insight into their transactions and spending habits across multiple financial accounts.
Some have also argued that standardizing on APIs to transfer financial data would be a safer alternative to screen scraping, in which a website or mobile app uses a consumer’s log-in credentials to access a financial account, a practice that poses security and privacy risks.[10] In contrast, an API is a standardized software interface through which data providers would authenticate the consumer and send the requested information without requiring the consumer to share their credentials with a third party.
Risks Implicated By The CFPB Open Banking Rule
Contrary to Director Chopra’s comments, some banking trade groups have noted that there has been limited adoption of APIs because the technology is too expensive, especially for smaller financial institutions.[11] According to the National Association of Federally-Insured Credit Unions, the CFPB Open Banking Rule “could have the opposite of its intended effect: rewarding the largest, most technologically, sophisticated companies at the expense of credit unions and other community institutions focused on relationship banking.”[12] As such, the American Bankers Association (the “ABA”) has suggested that banks should be permitted to charge access fees to help pay for data-sharing portals.[13]
Critically, the CFPB Open Banking Rule is silent regarding the allocation of liability for any misuse, theft or fraud that could occur after a bank complies with a consumer’s instruction to transmit data externally.[14] According to the Bank Policy Institute (the “BPI”), consumers will “likely look to their bank rather than the data recipients to make them whole for a loss or other harm that befalls the customer.”[15] The BPI has suggested that a bank's liability should end when the data leaves their portal, or banks should be indemnified by the party responsible for any loss or harm suffered by a consumer, which would incentivize third parties to enhance their data security and privacy practices.[16] The Consumer Bankers Association (the “CBA”) has stated that “liability for consumer recourse should be imposed on the party that was in control of the consumer’s data at the time of the breach or action.”[17] Meanwhile, the Consumer Data Industry Association, which represents credit reporting companies, has urged the CFPB to exclude credit report information from the CFPB Open Banking Rule because the Fair Credit Reporting Act “already provides for consumer access to the information.”[18]
Banking trade groups have expressed concerns that fintechs and other third-party financial service providers may not have the same rigorous cybersecurity and privacy standards as traditional banks and credit unions, which are examined regularly by the CFPB and prudential regulators.[19] The United States currently lacks uniform regulations or policies that can address data privacy and security related to open banking. As such, the ABA has urged the CFPB to expand the scope of its rule to include data aggregators and data recipients.[20]
Banking trade groups have also said that banks should have the right to reject data-sharing requests if they believe the data recipient does not meet their data security standards.[21] Indeed, the CFPB Open Banking Rule has been criticized for not adequately addressing situations where fraudsters or hackers pose as legitimate data recipients. Consumers may also find it hard to keep track of who has access to their data. The CBA expressed concerns that “data providing banks would have no way of confirming whether the consumer actually made the request, and scammers could create fake authorizations.”[22] In light of the myriad issues confronting the CFPB Open Banking Rule, it is no surprise that the BPI has said that “data providers should not be required to make data available to any third party that is unwilling to accept liability for loss or harm that results after the data leaves the data provider’s portal.”[23]
Timeline For Implementing The CFPB Open Banking Rule
The CFPB plans to publish a report in the first quarter of 2023 about public comments it received, which were due on January 25, 2023.[24] Before issuing a proposed rule, the Small Business Regulatory Enforcement Fairness Act requires that the CFPB convene a panel of small businesses that represent their markets to provide input on the CFPB’s proposals.[25] The CFPB will issue rules later this year, and then finalize and implement the rules in 2024.[26] We will continue to monitor these legal developments.
[1] Section 1033(a) of Dodd-Frank Act says: “[A] covered person shall make available to a consumer, upon request, information in the control or possession of the covered person concerning the consumer financial product or service that the consumer obtained from such covered person, including information relating to any transaction, series of transactions, or to the account, including costs, charges, and usage data.” 12 U.S.C. § 5533; Pub.L. 111-203, Title X, § 1033, July 21, 2010, 124 Stat. 2008.
[2] The CFPB has been slow to promulgate a rule implementing Section 1033 and, instead, spent several years trying to assess consumer access to financial data, requesting public comment regarding such access in 2016, and then issuing a 2017 outline of principles for consumer-authorized financial data and aggregation. See CFPB, Request for Information Regarding Consumer Access to Financial Records, 81 Fed. Reg. 83806 (Nov. 22, 2016), available at https://www.federalregister.gov/documents/2021/07/14/2021-15069/promoting-competition-in-the-american-economy; CFPB, Consumer Protection Principles: Consumer-Authorized Financial Data Sharing and Aggregation (Oct. 18, 2017), available at https://files.consumerfinance.gov/f/documents/cfpb_consumer-protection-principles_data-aggregation.pdf. On July 14, 2021, the Biden Administration issued an executive order encouraging the CFPB to consider “commencing or continuing a rulemaking under Section 1033 of the Dodd-Frank Act to facilitate the portability of consumer financial transaction data so consumers can more easily switch financial institutions and use new, innovative financial products.” Exec. Off. of the Pres., Promoting Competition in the American Economy, E.O. 14036 (July 14, 2021), available at https://www.federalregister.gov/documents/2021/07/14/2021-15069/promoting-competition-in-the-american-economy.
[3] CFPB, Small Business Advisory Review Panel for Required Rulemaking on Personal Financial Data Rights: Outline of Proposals and Alternatives Under Consideration (Oct. 27, 2022), available at https://files.consumerfinance.gov/f/documents/cfpb_data-rights-rulemaking-1033-SBREFA_outline_2022-10.pdf
[4] Congressional Research Service, Open Banking, Data Sharing, and the CFPB’s 1033 Rulemaking (Sept. 9, 2021), available at https://crsreports.congress.gov/product/pdf/IN/IN11745
[5] The CFPB notes that the rule is intended to include “financial institutions” as defined by Regulation E, and “card issuers” as defined by Regulation Z.
[6] Evan Weinberger & Andrea Vittorio, Small Banks Urge CFPB to Phase in Open Banking Tech Requirements (Correct), Bloomberg Law (Jan. 30, 2023), available at https://news.bloomberglaw.com/banking-law/small-banks-urge-cfpb-to-phase-in-open-banking-tech-requirements
[7] CFPB Newsroom, Director Chopra’s Prepared Remarks at Money 20/20 (Oct. 25, 2022), available at https://www.consumerfinance.gov/about-us/newsroom/director-chopra-prepared-remarks-at-money-20-20/
[8] Am. Banker’s Assoc., Outline of Proposals and Alt.’s Under Consideration for Required Rulemaking on Personal Financial Data Rights (Jan. 25, 2023), available at https://www.aba.com/-/media/documents/comment-letter/cl1033datasharing20230125.pdf?rev=fb01be49ef614dda8f9bcfcc87ec1823
[9] Gabrielle Saulsbery, CFPB aims to give ‘open banking’ rule teeth in 2024, Banking Dive (Oct. 26, 2022) available at https://www.bankingdive.com/news/cfpb-open-banking-rule-consumer-data-2024/635017/
[10] Weinberger, supra note 6.
[11] Id.
[12] Id.
[13] Am. Banker’s Assoc., supra note 8.
[14] Jon Hill, Banks Say CFPB Data Rules Need ‘Clear Liability Standard’, Law360 (Jan. 26, 2023), available at https://www.law360.com/articles/1569384
[15] Bank Policy Institute, Small Business Advisory Review Panel for Required Rulemaking on Personal Financial Data Rights: Outline of Proposals and Alternatives Under Consideration (Jan. 25, 2023), available at https://www.law360.com/articles/1569384/attachments/0
[16] Id.
[17] Consumer Bankers Assoc., Feedback on Small Business Advisory Review Panel for Required Rulemaking on Personal Financial Data Rights - Outline of Proposals and Alternatives under Consideration (Jan. 25, 2023), available at https://www.law360.com/articles/1569384/attachments/2
[18] Id.
[19] Hill, supra note 14; see also Weinberger, supra note 6; Am. Banker’s Assoc., supra note 8.
[20] Am. Banker’s Assoc., supra note 8.
[21] Hill, supra note 14.
[22] Consumer Bankers Assoc., supra note 17.
[23] Bank Policy Institute, supra note 15.
[24] CFPB Newsroom, supra note 7.
[25] Id.
[26] Id.