Banks question proposed CFPB rule over personal financial data rights
The active period at the Consumer Financial Protection Bureau continued on Thursday, as the CFPB proposed a rule that the regulator said would accelerate a shift toward open banking, where consumers would have control over data about their financial lives and would gain new protections against companies misusing their data.
The bureau indicated the proposed Personal Financial Data Rights rule activates a dormant provision of law enacted by Congress more than a decade ago.
The proposed rule is the first proposal to implement Section 1033 of the Consumer Financial Protection Act, which charged the CFPB with implementing personal financial data sharing standards and protections.
The CFPB said it intends to cover additional products and services in future rulemaking.
“With the right consumer protections in place, a shift toward open and decentralized banking can supercharge competition, improve financial products and services, and discourage junk fees,” CFPB director Rohit Chopra said in a news release. “Today, we are proposing a rule to give consumers the power to walk away from bad service and choose the financial institutions that offer the best products and prices.”
The Consumer Bankers Association immediately pushed back against some of the assertions the CFPB made with sharing this rule proposal, including a mandate that would state banks and other providers subject to the rule would have to make personal financial data available, at no charge to consumers or their agents, through dedicated digital interfaces that are safe, secure, and reliable.
“CBA member banks continue to support a well-regulated marketplace that fosters competition, spurs innovation, and provides consumers the certainty of knowing their financial data is safe and secure. As consumer expectations regarding the access and control of their personal financial data continues to expand, protecting the integrity of consumer data remains a core priority for all of our member banks,” CBA president and CEO Lindsey Johnson said in a statement.
“Since the passage of the Dodd-Frank Act, the financial services industry landscape has evolved drastically due to the increasing prevalence of non-bank third parties and data aggregators. Consumer data, logins, and passwords are collected and monetized by ‘agents,’ ‘trustees,’ and ‘representatives,’ presumably acting on their behalf, but operate without consumers’ control or even awareness. Many of these entities that are collecting, storing, and selling this consumer information are not subject to the same rigorous data security and privacy standards as well-regulated and supervised financial institutions, putting consumers and their sensitive financial information at risk,” Johnson continued.
The CFPB contends consumers’ access to their financial data is inconsistent from one financial institution to another. Even among companies that do share data at a customer’s request, the bureau said the terms of the sharing vary greatly.
“This lack of norms in the market allows incumbents to play games to their own customers’ detriment — including hiding or obscuring important data points like prices. This undercuts the ability of small or upstart institutions to compete with incumbents, even when people want their data shared,” bureau officials said.
Under the proposed Personal Financial Data Rights rule, consumers would have the power to share data about their use of checking and prepaid accounts, credit cards, and digital wallets.
“This would allow them to access competing products and services without worrying that their data might be collected, used, or retained to serve commercial interests over their own,” the CFPB said. “Importantly, people could be certain that their data would be used only for their own preferred purpose—and not for financial institutions or tech companies to surveil and manipulate.”
Under the proposal, the CFPB indicated the requirements would be implemented in phases, with larger providers being subject to them much sooner than smaller ones.
In addition, the bureau said the many community banks and credit unions that have no digital interface at all with their customers would be exempt from the rule’s requirements.
“CBA looks forward to working with the bureau on developing a final Section 1033 rule that achieves the statutory intent of the law to ensure consumers have greater access to their own personal financial data, and that uniformly protects consumers’ data across banks and non-banks, establishes clear liability standards for all parties, and affords consumers control in how their data is accessed and used,” Johnson went on to say.
The complete notice of proposed rulemaking can be reviewed via this website.