
March 10, 2023

Stroock Client Alert

By: Stephen J. Newman, Jimmy L. Ma

Introduction

In 2010, Congress passed the Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act”), which included Section 1033. Subject to rules prescribed by the Consumer Financial Protection Bureau (the “CFPB”), Section 1033 generally requires financial service providers to make financial data concerning a consumer available to that consumer.[1] On October 27, 2022, the CFPB finally unveiled its plans to issue a regulation (the “CFPB Open Banking Rule”) implementing Section 1033.[2] The CFPB Open Banking Rule[3] proposes giving consumers the right to control and share their financial data with banks and non-bank financial institutions through the use of application program interfaces (“APIs”). The rule is said to move the financial services industry towards “open banking,” which refers to the practice of giving financial services firms access to customer banking and other financial data to facilitate the development of new types of products and services for consumers.[4] If implemented, the CFPB Open Banking Rule is thought to be one of the most significant data privacy laws promulgated by a federal agency. This article discusses what and who the CFPB Open Banking Rule covers, the purpose of the rule, issues confronting the rule, and the timeline for implementing the rule.

Who And What Is Covered By The CFPB Open Banking Rule

The CFPB Open Banking Rule applies to “covered data providers,” which include:

  1. banks;
  2. credit unions;
  3. any “other persons” that hold consumer accounts and issue debit cards, credit cards, and prepaid cards; and
  4. entities that issue an access device and agree to provide electronic fund transfer services, like mobile wallets and electronic payment products.[5] 

The CFPB explained that it focused on these covered data providers because they implicate consumers’ payment and transaction data. Notably, some consumer finance actors that are not covered by the CFPB’s plans include auto lenders, nonbank mortgage lenders, and installment lenders.[6] The CFPB has said that its rules may cover more financial products in the future.[7]

The CFPB Open Banking Rule requires covered data providers to make available the following six categories of consumer financial information:

  1. Periodic statement information for settled transactions and deposits;
  2. Information regarding prior transactions and deposits that have not yet settled;
  3. Other information about prior transactions not typically shown on periodic statements or portals (including card networks, ATM networks, automated clearing house networks, check-collection networks, and real-time payment networks);
  4. Online banking transactions that the consumer has set up but that have not yet occurred (i.e., payments set up in advance);
  5. Consumer identity information (e.g., name, address, date of birth, social security number, citizenship or immigration status, phone number, marital and veteran status, race and ethnicity, and number of dependents); and
  6. Additional miscellaneous information (e.g., consumer reports from consumer reporting agencies, fees that are assessed against a consumer’s financial account, any incentives that the covered data provider offers to consumers, and any security breaches that exposed the consumer’s identity or financial information).

Interestingly, the CFPB Open Banking Rule does not appear to grant banks any discretion to deny requests to access consumer financial information, which raises issues discussed further below.[8]

To protect against the unauthorized transfer of consumer information to third-party financial service providers, the CFPB has stated that an “authorized third-party” must:

  1. provide an “authorization disclosure” to inform the consumer of key terms of access;
  2. obtain the consumer’s informed, express consent to the key terms of access contained in the authorization disclosure; and
  3. certify to the consumer that it will abide by certain obligations regarding collection, use, and retention of the consumer’s information. 

The CFPB is also considering proposals that:

  • limit a third-party’s collection, use, and retention of financial data (e.g., reselling a consumer’s data for unauthorized uses);
  • require third parties to implement data security standards;
  • relate to data accuracy and dispute resolution; and
  • relate to disclosures regarding third party obligations.

Rationale For The CFPB Open Banking Rule

CFPB Director Rohit Chopra has explained that the CFPB Open Banking Rule is intended to boost market competition in the financial sector by “empowering people to break up with banks that provide bad service” and by enabling people to take their financial data with them to other institutions that offer better financial products and services.[9] New or small financial firms would be able to use the financial data to build and offer products, services, and mobile apps to compete with large financial institutions.

The aggregation of a consumer’s financial data provides a financial overview of the consumer, which banks and financial technology companies (“fintechs”) can use to tailor services, recommend products, and improve consumer experiences. Such data is useful for mobile apps, such as Mint, that help users budget and gain insight into their transactions and spending habits across multiple financial accounts. 

People have also argued that standardizing the use of APIs to transfer financial data will be a safer alternative to screen scraping, where a website or mobile app uses a consumer’s log-in credentials to access a financial account, which poses security and privacy risks.[10] In contrast, an API is a standardized software interface that data providers would use to authenticate the consumer and send the requested information without requiring the consumer to share their credentials with a third party.

Risks Implicated By The CFPB Open Banking Rule

Contrary to Director Chopra’s comments, some banking trade groups have noted that there has been limited adoption of APIs because the technology is too expensive, especially for smaller financial institutions.[11] According to the National Association of Federally-Insured Credit Unions, the CFPB Open Banking Rule “could have the opposite of its intended effect: rewarding the largest, most technologically sophisticated companies at the expense of credit unions and other community institutions focused on relationship banking.”[12] As such, the American Bankers Association (the “ABA”) has suggested that banks should be permitted to charge access fees to help pay for data-sharing portals.[13]

Critically, the CFPB Open Banking Rule is silent regarding the allocation of liability for any misuse, theft, or fraud that could occur after a bank complies with a consumer’s instruction to transmit data externally.[14] According to the Bank Policy Institute (the “BPI”), consumers will “likely look to their bank rather than the data recipients to make them whole for a loss or other harm that befalls the customer.”[15] The BPI has suggested that a bank’s liability should end when the data leaves its portal, or that banks should be indemnified by the party responsible for any loss or harm suffered by a consumer, which would incentivize third parties to enhance their data security and privacy practices.[16] The Consumer Bankers Association (the “CBA”) has stated that “liability for consumer recourse should be imposed on the party that was in control of the consumer’s data at the time of the breach or action.”[17] Meanwhile, the Consumer Data Industry Association, which represents credit reporting companies, has urged the CFPB to exclude credit report information from the CFPB Open Banking Rule because the Fair Credit Reporting Act “already provides for consumer access to the information.”[18]

Banking trade groups have expressed concerns that fintechs and other third-party financial service providers may not have the same rigorous cybersecurity and privacy standards as traditional banks and credit unions, which are examined regularly by the CFPB and prudential regulators.[19] The United States currently lacks uniform regulations or policies that can address data privacy and security related to open banking. As such, the ABA has urged the CFPB to expand the scope of its rule to include data aggregators and data recipients.[20] 

Banking trade groups have also said that banks should have the right to reject data-sharing requests if they believe the data recipient does not meet their data security standards.[21] Indeed, the CFPB Open Banking Rule has been criticized for not adequately addressing situations where fraudsters or hackers pose as legitimate data recipients. Consumers may also find it hard to keep track of who has access to their data. The CBA expressed concerns that “data providing banks would have no way of confirming whether the consumer actually made the request, and scammers could create fake authorizations.”[22] In light of the myriad of issues confronting the CFPB Open Banking Rule, it is no surprise that the BPI has said that, “data providers should not be required to make data available to any third party that is unwilling to accept liability for loss or harm that results after the data leaves the data provider’s portal.”[23]

Timeline For Implementing The CFPB Open Banking Rule

The CFPB plans to publish a report in the first quarter of 2023 about public comments it received, which were due on January 25, 2023.[24] Before issuing a proposed rule, the Small Business Regulatory Enforcement Fairness Act requires that the CFPB convene a panel of small businesses that represent their markets to provide input on the CFPB’s proposals.[25] The CFPB will issue rules later this year, and then finalize and implement the rules in 2024.[26] We will continue to monitor these legal developments.


[1] Section 1033(a) of the Dodd-Frank Act says: “[A] covered person shall make available to a consumer, upon request, information in the control or possession of the covered person concerning the consumer financial product or service that the consumer obtained from such covered person, including information relating to any transaction, series of transactions, or to the account, including costs, charges, and usage data.” 12 U.S.C. § 5533; Pub. L. 111-203, Title X, § 1033, July 21, 2010, 124 Stat. 2008.

[2] The CFPB has been slow to promulgate a rule implementing Section 1033 and, instead, spent several years trying to assess consumer access to financial data, requesting public comment regarding such access in 2016, and then issuing a 2017 outline of principles for consumer-authorized financial data sharing and aggregation. See CFPB, Request for Information Regarding Consumer Access to Financial Records, 81 Fed. Reg. 83806 (Nov. 22, 2016), available at https://www.federalregister.gov/documents/2021/07/14/2021-15069/promoting-competition-in-the-american-economy; CFPB, Consumer Protection Principles: Consumer-Authorized Financial Data Sharing and Aggregation (Oct. 18, 2017), available at https://files.consumerfinance.gov/f/documents/cfpb_consumer-protection-principles_data-aggregation.pdf. On July 14, 2021, the Biden Administration issued an executive order encouraging the CFPB to consider “commencing or continuing a rulemaking under Section 1033 of the Dodd-Frank Act to facilitate the portability of consumer financial transaction data so consumers can more easily switch financial institutions and use new, innovative financial products.” Exec. Off. of the Pres., Promoting Competition in the American Economy, E.O. 14036 (July 14, 2021), available at https://www.federalregister.gov/documents/2021/07/14/2021-15069/promoting-competition-in-the-american-economy.

[3] CFPB, Small Business Advisory Review Panel for Required Rulemaking on Personal Financial Data Rights: Outline of Proposals and Alternatives Under Consideration (Oct. 27, 2022), available at https://files.consumerfinance.gov/f/documents/cfpb_data-rights-rulemaking-1033-SBREFA_outline_2022-10.pdf

[4] Congressional Research Service, Open Banking, Data Sharing, and the CFPB’s 1033 Rulemaking (Sept. 9, 2021), available at https://crsreports.congress.gov/product/pdf/IN/IN11745

[5] The CFPB notes that the rule is intended to include “financial institutions” as defined by Regulation E, and “card issuers” as defined by Regulation Z.

[6] Evan Weinberger & Andrea Vittorio, Small Banks Urge CFPB to Phase in Open Banking Tech Requirements (Correct), Bloomberg Law (Jan. 30, 2023), available at https://news.bloomberglaw.com/banking-law/small-banks-urge-cfpb-to-phase-in-open-banking-tech-requirements

[7] CFPB Newsroom, Director Chopra’s Prepared Remarks at Money 20/20 (Oct. 25, 2022), available at https://www.consumerfinance.gov/about-us/newsroom/director-chopra-prepared-remarks-at-money-20-20/

[8] Am. Banker’s Assoc., Outline of Proposals and Alt.’s Under Consideration for Required Rulemaking on Personal Financial Data Rights (Jan. 25, 2023), available at https://www.aba.com/-/media/documents/comment-letter/cl1033datasharing20230125.pdf?rev=fb01be49ef614dda8f9bcfcc87ec1823

[9] Gabrielle Saulsbery, CFPB aims to give ‘open banking’ rule teeth in 2024, Banking Dive (Oct. 26, 2022) available at https://www.bankingdive.com/news/cfpb-open-banking-rule-consumer-data-2024/635017/

[10] Weinberger, supra note 6.

[11] Id.

[12] Id.

[13] Am. Banker’s Assoc., supra note 8.

[14] Jon Hill, Banks Say CFPB Data Rules Need ‘Clear Liability Standard’, Law360 (Jan. 26, 2023), available at https://www.law360.com/articles/1569384

[15] Bank Policy Institute, Small Business Advisory Review Panel for Required Rulemaking on Personal Financial Data Rights: Outline of Proposals and Alternatives Under Consideration (Jan. 25, 2023), available at https://www.law360.com/articles/1569384/attachments/0

[16] Id.

[17] Consumer Bankers Assoc., Feedback on Small Business Advisory Review Panel for Required Rulemaking on Personal Financial Data Rights - Outline of Proposals and Alternatives under Consideration (Jan. 25, 2023), available at https://www.law360.com/articles/1569384/attachments/2

[18] Id.

[19] Hill, supra note 16; see also Weinberger, supra note 6; Am. Banker’s Assoc., supra note 8.

[20] Am. Banker’s Assoc., supra note 8.

[21] Hill, supra note 14.

[22] Consumer Bankers Assoc., supra note 17.

[23] Bank Policy Institute, supra note 15.

[24] CFPB Newsroom, supra note 7.

[25] Id.

[26] Id.
