Proposal to provide consumers “more control” over their personal financial data related to deposit, savings, and credit cards accounts
Regulatory Insights
October 2023
The Consumer Financial Protection Bureau (CFPB) proposes a rule to implement Section 1033 of the Consumer Financial Protection Act (2010), commonly referred to as “Open Banking”. The rule would require depository and non-depository entities to share consumer financial data (relating to transactions and accounts) with both consumers and authorized third parties and would establish requirements for third parties accessing the data, including privacy protections and standards for access.
The proposal is outlined below.
Coverage of Data Providers. The proposed rule would apply to entities that control or possess covered data concerning a covered financial product or service including financial institutions providing “Regulation E asset accounts” (e.g., checking, savings), card issuers providing “Regulation Z credit cards”, and other providers of products or services that facilitate payments from a Regulation E account or a Regulation Z credit card (collectively, “data providers”).
Excluded Data Providers. The proposed rule would exclude data providers that do not have a consumer interface, that is, “an interface maintained to receive requests for covered data and make available covered data in an electronic form usable by consumers in response to the requests”, as of the applicable compliance date.
Covered Data Availability. The proposal would require a data provider to make available to a consumer and an authorized third party, upon request and in a “timely” and “reliable” manner, covered data in the data provider’s control or possession concerning a covered consumer financial product or service that the consumer obtained from the data provider.
Covered Data. Under the proposed rule “covered data” would mean the most recently updated “information in the control or possession of the covered person concerning the consumer financial product or service that the consumer obtained from such covered person, including information relating to any transaction, series of transactions, or to the account including costs, charges, and usage data.” This would include:
Exceptions to the Obligation. The proposed rule outlines four exceptions that aim to protect sensitive information from being shared or compromised, while still allowing consumers to access essential financial data. These exceptions include:
Proposed Interface Requirements. As proposed, the rule would require a data provider to maintain a consumer interface and to establish and maintain a developer interface through which data providers could receive requests for, and provide, covered data in electronic, usable form to authorized third parties.
The proposed rule would also prohibit data providers from imposing fees or charges for establishing or maintaining the required interfaces, or for receiving requests and making covered data available.
Developer Interfaces. The proposed rule includes additional requirements that would apply specifically to developer interfaces:
Data Security. The proposed rule would also require data providers to implement several data security features in their consumer and developer interfaces, including access credentials and data security programs.
Third-Party Access Requests. Upon request from an authorized third party, a data provider would be required to make covered data available when it receives information “sufficient” to:
The proposed rule would permit, but not require, a data provider to confirm the authorization and scope of a covered data request with the consumer.
Policies and Procedures. The proposed rule would also require data providers to establish and maintain written policies and procedures to comply with the provisions, including:
Additionally, the proposed rule would permit data providers to offer revocation methods for third party access to consumer data, provided the revocation methods meet specific requirements, including:
Third-Party Authorization Procedures. As proposed, for a third party to become an “authorized third party” it must seek access to covered data from a data provider on behalf of a consumer for the purpose of providing a product or service requested by the consumer. The third party must also:
Reauthorization and Revocation. The proposed rule would also:
Use of Data Aggregator. The proposed rule would require third party authorization procedures when using a data aggregator to assist with accessing covered data on behalf of a consumer, and would impose certain responsibilities and conditions on third parties and data aggregators:
Records Retention. Third parties would be required to establish and maintain policies and procedures designed to ensure retention of records, for at least three (3) years, related to consumer authorizations and compliance with Subpart D of the rule.
Compliance Dates. The proposed rule would provide four (4) tiers of compliance dates, as outlined in the table below:
Tier | Applicable Institutions | Proposed Compliance Date following publication in the Federal Register |
---|---|---|
1 | 1) Depository institutions holding at least $500 billion in total assets, and 2) non-depository institutions generating at least $10 billion in revenue in the preceding calendar year or projected to in the current calendar year. | Six (6) months |
2 | 1) Depository institutions holding between $50 billion and $500 billion in total assets, and 2) non-depository institutions generating less than $10 billion in revenue in the preceding calendar year or projected to in the current calendar year. | Twelve (12) months |
3 | Depository institutions holding between $850 million and $50 billion in total assets. | Thirty (30) months (or 2.5 years) |
4 | Depository institutions holding less than $850 million in total assets. | Four (4) years |
CFPB is seeking public comments on the proposed rule, with a submission deadline of December 29, 2023.
KPMG Regulatory Insights is the thought leader hub for timely insight on risk and regulatory developments.