Quick Readout: CFPB Issues Long-Awaited Open Banking Proposal
On October 19, 2023, the Consumer Financial Protection Bureau (CFPB) issued its long-awaited proposed rule to facilitate what it views as open banking. The proposed rule would implement Dodd-Frank Act Section 1033 (12 U.S.C. § 5533), imposing new requirements on financial institutions to provide certain customers (and their authorized third parties) with electronic access to account information.
With the proposed rule, the United States is set to join the European Union, Hong Kong, and Australia in using regulation to push the market toward open banking and to encourage the development of open banking products and services. As noted in our recent client alert, the Biden Administration has indicated that the proposed rule could assist regulators in ensuring “financial companies compete based on service quality and up-front pricing, deterring junk fees.” In a press release, the CFPB doubled down on this messaging, indicating that the proposed rule is intended to “supercharge competition, improve financial products and services, and discourage junk fees.” In prepared remarks, Director Chopra noted that the proposed rule “would require that financial firms offering transaction accounts – like checking accounts, prepaid cards, credit cards, and digital wallets – give you access to your personal financial data, so you can share or transfer the data to another provider.” But Director Chopra added that “[c]ompanies receiving data can only use it to provide the product people asked for, and for nothing else.”
The authorizing statutory provision for the proposed rule, Section 1033, requires a covered person to make available to a consumer, upon request, information in the control or possession of the covered person concerning the consumer financial product or service that the consumer obtained from the covered person, including information relating to any transaction, series of transactions, or to the account, including costs, charges, and usage data.
As drafted, the proposed rule would apply to any “covered financial product or service,” which would be defined as any “account” as defined in Regulation E § 1005.2(b), any “credit card” as defined in Regulation Z § 1026.2(a)(15)(ii), and any product or service that facilitates “payments from a Regulation E account or Regulation Z credit card.” However, the CFPB has signaled that it intends to cover more products under future Section 1033 rulemaking.
The proposed rule would require financial institutions that provide covered products and services (defined as “covered data providers”) to make available to consumers (or authorized third parties) data that relates to the consumer’s covered account(s). In addition to covered data provider obligations, the proposed rule also contains obligations for third parties accessing covered data on behalf of an individual consumer. These obligations provide standards and restrictions on the collection, use, and retention of consumer information being accessed.
The proposed rule is the next step in the CFPB’s 1033 rulemaking process that began with the CFPB’s October 2020 advance notice of proposed rulemaking. The proposed rule also follows the CFPB’s March 30, 2023 Final Report on the Small Business Review Panel consultation process, through which it considered the economic impact that a proposal could have on small entities.
Comments on the proposed rule will be due by December 29, 2023. Director Chopra indicated that, after reviewing comments received, the CFPB “will look to finalize the rule by next fall.”
Morrison Foerster has been tracking U.S. regulatory developments on open banking and, in particular, the CFPB’s activity to implement Section 1033, for several years. Our team is in the process of analyzing the intricacies of the proposed rule and will provide detailed analysis on the impact it may have on companies, the U.S. financial market, and the data privacy landscape.
Be on the lookout for our forthcoming in-depth analysis of the proposed rule, which will analyze how the proposal may impact data security, liability for data breaches, the creation of technological standards, potential compliance costs, and other implications for consumers, banks, fintechs, and others.