Three Elements of the CFPB’s Financial Data Rights Rulemaking

The U.S. Consumer Financial Protection Bureau (CFPB), which is tasked with protecting consumers from unfair, deceptive, or abusive practices, has had a busy month. The bureau is in the headlines once again this week, this time with an update on the organization’s stance on regulating open banking and open finance.

In an address to the audience at Money20/20, CFPB Director Rohit Chopra laid out the CFPB’s proposal of requirements to protect consumers’ financial data rights. In his keynote, Chopra detailed three aspects of the CFPB’s plan, as well as the organization’s process and timeline to get there.

Requiring financial institutions to set up secure data sharing methods

Chopra said the bureau plans to require financial institutions that offer deposit accounts, credit cards, digital wallets, prepaid cards, and other transaction accounts to set up API-based data sharing. For now, it looks as if this will be limited to organizations that offer the aforementioned financial products, but Chopra made it clear that the CFPB will add the requirement in the future to those offering products not on the list, such as investing and lending.

The purpose of the rule will be to facilitate new approaches to underwriting, payment services, personal financial management, income verification, account switching, and comparison shopping. The requirement will also serve as a “jumping-off point” for a standardized approach to infrastructure allowing consumer-permissioned data sharing.

Screen scraping is still a common practice in the U.S. and doesn’t offer customers input into which organizations use their data and how they use it. An API-first approach, like the one Chopra is suggesting, would put an end to screen scraping in financial services.

Stopping institutions from improperly restricting consumers’ access to and control over their own data

The CFPB said it is looking at “a number of ways” to stop large traditional financial institutions from restricting consumers’ access to their own data. The group wants to ensure that when consumers opt to share their data, it is only used for the purpose the consumer intends.

This rule is intended to target not only financial institutions themselves, which may use consumer data for marketing purposes, but also those who use consumer data for nefarious purposes.

“While Americans are becoming numb to routine data breaches, including massive ones like the Equifax failure, we know that more needs to be done to stop this underworld from intercepting even more highly sensitive personal data,” said Chopra.

Chopra did not list specifics on how he planned to give consumers meaningful control while limiting bad actors, but he said that when a consumer gives organizations consent to use their data, the firm should not be able to exploit that data for other purposes.

Preventing excessive control or monopolization of the market

The new set of requirements will seek to limit monopolies and oligopolies present in credit reporting, card networks, core processors, and others by creating a decentralized, open system. “It’s critical that no one ‘owns’ critical infrastructure,” Chopra said.

Chopra cited Big Tech firms and incumbents as those who may set standards to rig the system in their own favor, jeopardizing an open ecosystem.

Next steps

Before these rules come into effect, the CFPB must gather a group of small firms representative of the market to provide input on its proposals. The CFPB is moving fast on this and plans to release a discussion guide this week so that small organizations can make their voices heard.

After the CFPB culls input from this group, the organization will solicit input from what it is calling “fourth parties,” or intermediaries that facilitate data transfers.

Once this process is complete, the CFPB will publish a report on the input, which it will use to guide the process of crafting a rule. The CFPB plans to publish its findings in a report in the first quarter of 2023, issue the rule in late 2023, and finalize the rule in 2024. The timing of the implementation relies on feedback from the small firms and intermediaries.

In other news

The news comes at an interesting time for the CFPB. The Fifth Circuit Court of Appeals ruled last week that the organization’s funding structure is unconstitutional. A panel of judges determined that the way the bureau is funded “violates the Constitution’s structural separation of powers.”

“This isn’t an esoteric point of theory; it means the CFPB cannot do anything unless and until Congress appropriates funding for it,” said former Deputy Assistant Attorney General James Burnham. “That’s a big deal.”

The CFPB is expected to appeal to the Fifth Circuit and then to the Supreme Court. In the meantime, however, the CFPB’s power in the Fifth Circuit region, which includes Texas, Louisiana, and Mississippi, is limited.

Photo by Polina Kovaleva