On October 19, the CFPB proposed a rule that would require depository and nondepository entities to make available to consumers and authorized third parties certain data relating to consumers’ transactions and accounts (see our previous post on this rulemaking here and here). The proposed rule would also establish obligations for third parties accessing a consumer’s data, including privacy protections for that data, and provide basic standards for data access to promote fair, open, and inclusive industry standards.
According to the Bureau, the proposed rule would accelerate a shift toward open banking, where consumers would have control over data about their financial lives and would gain new protections against companies misusing their data. According to the CFPB, the proposed Rule would also protect the interests of both consumers and financial firms through:
- Robust protections to prevent unchecked surveillance and misuse of data
- Meaningful consumer control
- A move away from risky data collection practices
- Fair industry standard-setting
Under the proposal, the requirements would be implemented in phases, with larger providers being subject to them much sooner than smaller ones. In addition, the many community banks and credit unions that have no digital interface at all with their customers would be exempt from the rule’s requirements. The proposed rule is the first to implement Section 1033. The CFPB intends to cover additional products and services in future rulemaking.
Comments must be received on or before December 29, 2023.
Putting It Into Practice: The CFPB is proposing to first apply the rule to a subset of covered persons—namely, entities providing accounts subject to the EFTA and Regulation E, credit cards subject to TILA and Regulation Z, and related payment facilitation products and services. Companies within this initial scoping of the proposed Rule ought to review the almost 300 pages of the proposed rulemaking and consider making comments prior to the December 29 deadline.