On October 27, 2022, the Consumer Financial Protection Bureau (“CFPB”) announced a new regulatory framework (“Framework”) governing “Personal Financial Data Rights,” or, by another name, “open banking.” Conceptually, open banking mandates that financial service providers have open access to consumer financial data held by other financial institutions through the use of application programming interfaces (“APIs”).
The CFPB’s primary aim is to promote consumer “shopping” of financial products and services by ensuring that consumers (1) “won’t have to start from scratch” if they switch financial institutions and (2) will “have the leverage to walk away because they will have access to more tailored products and services.” If adopted by the CFPB, the Framework would reduce the current friction encumbering the flow of consumer data and may encourage reticent consumers to seek products or services from FinTech providers.
The Framework extends a worldwide trend in financial regulation emphasizing open data flows, with the U.S. soon to join the European Union (which adopted the Payment Services Directive (“PSD2”) in 2015) in mandating data transparency. The CFPB aims to increase competition between traditional financial institutions and FinTechs, which it hopes will increase services and decrease prices. However, the mixed European experience shows the limits of the change open banking regulations may foster.
II. Summary of the Framework
Under the Framework, “covered data providers” would be required to provide certain data about a consumer to (a) the consumer and (b) “authorized third parties” via online data portals. The Framework would also place significant obligations on a third party with respect to its collection, use, and retention of consumer information.
b. Covered Data Providers
As proposed, the Framework would apply to covered data providers and information they collect while providing certain specified services. Covered data providers would include “financial institutions” and the information they collect in providing “asset accounts” would be subject to the Framework. Covered data providers would also include “card issuers” and the information they collect in providing “credit card accounts” would be subject to the Framework.
Under this definition, financial institutions would include banks, savings associations, credit unions, and other persons who hold consumer checking and savings accounts, as well as persons that issue an access device and agree with a consumer to provide electronic fund transfer services. Asset accounts would include any checking, savings, or other consumer asset accounts established primarily for personal, family, or household purposes. Card issuers would include any credit card issuer, and a credit card account would include any account offered under an open-end consumer credit plan.
c. Data Scope
The Framework would require covered data providers to make available six specified categories of information:
- Periodic statement information for settled transactions and deposits;
- Information regarding prior transactions and deposits that have not yet settled;
- Other information about prior transactions not typically shown on periodic statements or portals;
- Information concerning online banking transactions that the consumer has set up but that have not yet occurred;
- Account identity information; and
- Certain other information.
Expressly excluded from the requirement to make information available is any confidential commercial information, including algorithms used to derive credit scores or other risk scores.
With respect to periodic statement information, covered data providers would be required to supply, among other items, the following:
- For each transfer, the amount, date, and location of the transfer, and the name of the third party (or seller) to or from whom the transfer was made;
- Any fees charged to the account;
- Any interest credited to an asset account or charged to a credit card account;
- The annual percentage yield (“APY”) of an asset account or the annual percentage rate (“APR”) of a credit card account;
- The current account balance;
- The terms and conditions of the account, including a schedule of fees that may be charged to the account; and
- For an asset account, the account number.
Account identity information includes information such as: name; age; gender; marital status; number of dependents; race; ethnicity; citizenship or immigration status; veteran status; residential address; phone number; email address; date of birth; social security number; and driver’s license number.
Other information required to be made available under the Framework includes: consumer reports from consumer reporting agencies obtained and used by the covered data provider in deciding whether to provide an account or other financial product or service to a consumer; fees that the covered data provider assesses in connection with its covered accounts; bonuses, rewards, discounts, or other incentives that the covered data provider issues to consumers; and information about security breaches that exposed a consumer’s identity or financial information.
d. Online Data Portals
The Framework would require covered data providers to make the information available in two different ways.
First, when a consumer requests direct access to the information, a covered data provider would be required to make the information available to the consumer through an online financial account management portal, exportable in both human and machine-readable formats, once the covered data provider has enough information to reasonably authenticate the consumer’s identity and identify the information requested.
Second, for third-party requests, covered data providers would be required to maintain a “third-party access portal” where authorized third parties could access consumer information. A covered data provider would only be required to make the information available once the covered data provider had received evidence of the third party’s authority to access information on behalf of a consumer, information sufficient to identify the scope of the information requested, and information sufficient to authenticate the third party’s identity.
e. Data Obligations and Restrictions
The CFPB’s Framework also laid out certain obligations third parties seeking consumer information must satisfy. Under the Framework third parties would only be permitted to collect, use, and retain information reasonably necessary to provide the product or service which a consumer has requested. The third party would also be required to make available to the consumer a simple method for revoking their authorization to access the consumer’s information at any point. A third party’s use of consumer-authorized information beyond what is reasonably necessary to provide the product or service that the consumer has requested (“secondary use”) would also be limited under the Framework. Furthermore, once a third party no longer reasonably needs the information to provide the product or service to the consumer, they would be required to delete it.
The third-party obligations would also require that authorized third parties implement certain policies and procedures, including data security standards to prevent harm to the consumer arising from inadequate data security; policies and procedures to ensure the accuracy of consumer information collected (including procedures related to addressing disputes submitted by consumers); and policies for making periodic disclosures to consumers explaining how they may revoke their authorization to access their information and request details about the extent of the third parties’ access to their information.
III. Rulemaking Process
The Framework is not a notice of proposed rulemaking (“NPRM”), nor is it an advance notice of proposed rulemaking – it falls somewhere in the middle. The CFPB (alone among federal agencies other than the Environmental Protection Agency) must put forward any new contemplated regulation for a review process under the Small Business Regulatory Enforcement Fairness Act (“SBREFA”) of 1996 administered by the Small Business Administration (“SBA”). In order to avoid being seen as ignoring the concerns of small businesses raised through the SBREFA process, the CFPB does not submit a full NPRM for review. But the contours of the CFPB’s thinking are easily gleaned from its SBREFA submission.
The CFPB has stated that it expects to issue an NPRM sometime in 2023, with an anticipated adoption date in 2024. To hedge against a resolution of disapproval under the Congressional Review Act by a potential Republican administration in January 2025, we would expect any final rule to be adopted no later than the end of the third quarter of 2025.
IV. Effects of Open Banking in the EU
The CFPB’s proposal is not novel; the EU has experimented with open banking since adopting its revised PSD2 in 2015 and requiring implementation by member countries by 2018. PSD2 requires financial institutions to deliver data access to third-party providers (“TPPs”) with consumer consent and develop APIs through which licensed TPPs can access consumer data.
Almost immediately after PSD2 was implemented, the number of TPPs that acquired licenses shot up, with TPPs increasing by a factor of four in just a few years. According to the results of a broad survey, PSD2 did increase competition, but only to a point. Most new licenses went to existing players with only about a quarter of new licenses acquired by start-ups, so PSD2 appears to have had the most impact on established firms. These firms might be seeking to meet the new requirements or could be seeking to expand their services, rather than compete with new entrants.
The use of open banking in the EU has remained mostly limited to younger, technically adept consumers who already place trust in digital services. PSD2 has not yet changed traditional attitudes and suspicions directed toward data access and aggregation. Therefore, the scope of increased trust and financial inclusion could be limited for older consumers and for those suspicious of opening up their data to risk beyond their familiar bank or other institution.