Prepared Remarks of CFPB Director Rohit Chopra at the Federal Reserve Bank of Philadelphia on the Personal Financial Data Rights Rule
October 23, 2024 / Source: CFPB
Thank you to everyone at the Federal Reserve Bank of Philadelphia for organizing today’s event. I especially want to thank President Patrick Harker for his service to this region and our country.
Today, the Consumer Financial Protection Bureau has finalized the Personal Financial Data Rights rule, which implements an authority enacted by Congress in 2010 in the aftermath of the financial crisis. The rule will provide more freedom, promote decentralization, and spur greater competition. It is an important step toward ensuring that these principles, embedded in the fabric of our financial system dating back to the earliest days of the republic, are reflected in this digital era.
I’ll start by explaining the problems we are looking to solve with this Personal Financial Data Rights rule required by Congress. Then, I want to describe how the final rule works. I’ll conclude with some next steps to continue moving open and decentralized banking and payments in the U.S. forward.
As always, my remarks reflect the views of the Consumer Financial Protection Bureau and do not necessarily represent the views of any other component of the Federal Reserve System.
What We Need to Fix
In today’s economy, the problems in banking are similar to problems that we see in other sectors. Rather than innovate on providing the best products at the best prices and with the best service, companies have found new ways to boost their bottom line.
For example, rather than constantly create a better product or service, we see “innovation” on how firms can make it harder to cancel or switch. Rather than advertise the true price up front, we see mysterious junk fees pop up later in the process. Instead of making things simple to work across different brands, we find ourselves buying proprietary plugs, switches, and other accessories that only work with specific products.
These types of issues cost consumers billions. When the Federal Reserve started to raise interest rates in 2022, the nation’s largest financial institutions were quick to hike rates on loans, but many barely budged when it came to raising rates on deposits for savers.
Switching a bank account or credit card now involves the risk of screwing up an auto-debit for a bill or incurring an unwanted fee. People are even warned that canceling an account might hurt their credit score or their ability to get another loan.
It’s no surprise that for millions of people across the country, they’re still using the same credit card that they first got when they became an adult. I know I’m guilty of this.
There’s other problems too. Young people start off adulthood with a lousy credit score, if they can even get one at all, since you need a long credit history to get a high score. The same is true for new immigrants and others with little else on their credit report. Since lenders want an automated way to evaluate you, it isn’t always easy to prove that you’re a good credit risk.
When it comes to making payments online or at a store’s checkout counter, the market is rife with monopolistic practices that enrich incumbent networks at the expense of consumers, businesses, and creators.
The results of this are that you pay more for loans and you earn less on your deposits. Fewer people are able to get competitive and affordable credit. Businesses of all sizes pay more to process payments, pushing prices up. All of this hurts the whole economy.
In the U.S., digital technologies are changing this, opening up new opportunities to fix these problems. By allowing consumers to permission their personal financial data, and make it over time more seamless, people can more easily sign up, switch accounts, and take their financial history with them. But, much of the data sharing that does take place today uses unsafe methods – like third parties using login credentials to scrape vast amounts of data from online banking interfaces.
But more importantly, incumbents don’t want to lose their captive customer base. Just like other sectors of the economy, big companies have little incentive to make it easy for you to port and share your data. We’ve seen how they can concoct a slew of reasons to block consumers from these benefits.
Open Banking in the U.S.
One of the best ways to support a vibrant market is to eliminate roadblocks to competition. In the early years of the wireless phone market, switching to a new carrier was extremely cumbersome, requiring you to get an entirely new phone number. The Federal Communications Commission later instituted a policy requiring wireless number portability between carriers. This dramatically reshaped the competitive dynamics, creating incentives to compete on service and prices.
To make our banking and payments market more competitive, it needs to be open and decentralized using a common set of data standards, free of powerful gatekeepers and middlemen that can impose private regulations and extract fees.
Over the last few years, we have been working with players across the ecosystem to sketch out what open banking in the U.S. could look like. By connecting consumer transaction data, payroll data, credit reporting data, retirement and investment balances, payments information, and more, we can accelerate the progress that the U.S. is already making. We also closely studied the experiences with data sharing in other sectors (like in health care) and in open banking frameworks in other jurisdictions.
One foundational aspect is to ensure that incumbents can’t block consumers from controlling and porting their personal financial data. In 2010, Congress enacted the Dodd-Frank Wall Street Reform and Consumer Protection Act. Section 1033 gives consumers new rights to access their personal financial data in a standardized format, subject to the rules of the CFPB. Since the CFPB never finalized any rules, it was essentially a dead letter. Our final rule today is our first significant rule using this dormant authority.
How the Rule Works
Here’s how the new rule works. If you are a consumer who uses a checking account, credit card, or mobile wallet, your provider holds a lot of your personal information. For example, they may have records of your recent transactions, account balances, upcoming bill payments, and information needed to initiate payments. If you want to use that information to make a payment, apply for credit, or switch banks, your provider might throw up roadblocks to keep you from leaving for a competitor offering you a better deal.
Our rule prevents companies from doing that. That means you can more easily walk away from mediocre products or services and choose financial institutions that offer higher rates for your savings, lower rates on loans, free access to your paycheck before payday, or ways to more effectively manage your finances.
Under the Personal Financial Data Rights Rule, if a consumer chooses, they could allow mortgage lenders to use data from their checking account on their income and expenses in the underwriting process. This data could help supplement and improve the accuracy of traditional credit histories and help more people obtain credit on better terms. Over the long run, this could reduce the system’s dependence on credit scores.
To take another example, the payments infrastructure in the U.S. is lagging behind many other developed countries. By giving consumers the ability to more easily use secure payments information, we can create more options to make payments and facilitate what is often referred to as “pay-by-bank.” This has the potential to make payment options like ACH and FedNow more mainstream. This could also benefit merchants, who face high fees to accept payments through Visa, Mastercard, and other incumbent payment networks. Some merchants have plans to incentivize payments through these alternatives through cashback, discounts, and rewards.
Cash flow underwriting and more intense payments competition are just two possible use cases for consumer-driven data access, but there are countless others. At the CFPB, we believe that products and services powered by consumer-driven data access should continue to improve consumer finance for all.
But what if companies are just pretending to offer you a competing product? What if they really just want to exploit your data for other purposes? We learned a great deal from the experiences in other jurisdictions, and we knew that putting in some meaningful limitations on how permissioned data could be used was critical.
The rule institutes strong privacy protections. It’s pretty simple. A company that ingests consumer’s data can use the data to provide the product or service the consumer asked for, but not for unrelated purposes the consumer doesn’t want.
The Personal Financial Data Rights rule says that consumers can authorize companies to access their data, but those companies then need to act on behalf of the consumer when they access that data. That means companies can’t offer you a payment product that uses your data, but then use your data against you by feeding it to a personalized models that ends up charging you more for an airline ticket or other service. That’s not what you were in the market to get.
Similarly, if you authorize sharing your data with a company so that you can get a cheaper loan, the data needs to be used to provide you that loan, not for other purposes. And it doesn’t matter that the company has included those purposes in legal fine print that you don’t have any practical ability to reject. Our rule also means companies can’t offer something as a pretext to collect data to sell it or use it to target advertisements at them.
The final rule allows companies to use consumer data to improve the product or service the consumer requested, consistent with the goals of jumpstarting competition. But the rule is designed to ensure that open banking does not become a new data pipeline that fuels surveillance pricing or other manipulative mischief.
Our rule also recognizes that personal financial data is sensitive, and there are basic protections and rights that should go along with accessing this kind of information. Specifically, the rule ensures that personal financial data is collected and used minimally, stored securely, transferred accurately, and deleted when it’s no longer needed or when the consumer revokes access.
Critically, the rule also strengthens protections by accelerating the shift away from the industry practice known as “screen scraping.” Screen scraping is a still common but risky practice that typically involves consumers providing their account usernames and passwords to third parties who use them to access data indiscriminately through consumer online banking portals. With screen scraping, there are risks of overcollection of data, inaccurate data sharing, and the spread of login credentials.
With respect to implementation, the law asks that the CFPB prescribe standards through the rules, but it also asks that CFPB make an effort to avoid requiring a particular type of technology. I was particularly fixated on these provisions. We know that technical standards are critical to make sure that the system is open and interoperable. Without these standards, each incumbent would create its own set of complicated hurdles.
Rather than micromanage the specifics of open banking, the rule sets out an architecture for standard setting bodies to align on technical standards. Those organizations can seek accreditation from the CFPB, but only if they have a structure and process to develop standards in a fair, open, and inclusive manner. This approach will allow the standards to evolve over time as technology and market needs change.
However, the process can’t be rigged against incumbents or challengers or the public. Standard setting organizations must reflect the full range of relevant interests — consumers and firms, incumbents and challengers, and large and small actors. In June, the CFPB finalized a rule outlining the qualifications for entities to become a recognized industry standard setting body, which can issue standards to help companies comply with the final rule announced today.
What’s Next
While we have finalized this Personal Financial Data Rights rule, there is a lot for us to all work on together in advance of the early 2026 deadline for the largest financial institutions to comply. Here’s just a few of those near-term items:
First, the CFPB is working to prioritize reviewing applications by standard-setting organizations. Several weeks ago, we posted the first application for recognition for public comment, and we are working rapidly to evaluate the application. We are looking to make sure that applicants meet the standards for recognition in the rule. Those applicants must be ready to show that they can set up the right protocols to develop technical standards in a fair way.
Second, the CFPB is continuing to be in constant communication with other financial regulators to advance open banking. The final rule makes clear that when consumers authorize companies to obtain their personal financial data on their behalf, these companies are not acting as service providers to the financial institutions holding the consumer’s data – those companies are acting on behalf of the consumer. We are working together to ensure that incumbent fintechs and banks do not engage in tactics to choke off potential competitors.
Third, the industry must update industry-controlled rules on payment networks. In the last few years, the CFPB has repeatedly expressed an urgent need for payment networks to ensure that their rules make sense for the modern age when it comes to payment fraud and errors.
Many payment network rules help to make recoveries from merchants, financial institutions, and others that erroneously or fraudulently receive funds. The pandemic and the rise of more digital payment apps has added new complexity to this. I appreciate that many in the industry would like the CFPB to solve this for them, but these are private network rules. The governing bodies of those private networks need to address this.
Finally, the CFPB will be developing a roadmap for the next set of rules to advance open banking. This first rule covers a wide range of accounts for payments and transactions. We are considering a number of other use cases, such as how to reduce costs and complexity in the mortgage market. During the rulemaking process, there were a number of important issues raised, such as coverage of accounts used for government benefits, like EBT cards, and the ability for nonprofit researchers to use consumer-permissioned data.
The CFPB will also be working on additional guidance and advisory opinions to advance open banking and payments. We will also look for opportunities for other types of financial data, such as those involving investments and securities in retirement plans, to plug into this ecosystem.
Conclusion
In closing, just steps from where we sit today were the sites of major experiments in our country’s history in setting up a financial system. The First and Second Banks of the United States sought to ensure that banking was bolstering the economy of the young republic. Later, a Black servant named Curtis Roberts became the first depositor in the nation’s first savings association, the Philadelphia Savings Fund Society, whose offices were around the corner.
Our history reminds us of how important it is that our banking system advance public purposes without entrenching too much power in the hands of a few.
We knew that a banking system structured to solely support commercial enterprise and only the wealthiest families would lack legitimacy and would fail to provide economic opportunity to most of our people. Instead of concentrating economic power with one or just a few giant players, with distant outposts from where decisions were made, we promoted a system that served individuals and communities in ways that gave them control.
For the U.S. to ensure that our financial system is advancing opportunities for households, businesses, and the economy, our policies must create more power for individuals to avoid being captive and instead exercise their liberty to do business with someone new. The CFPB’s Personal Financial Data Rights Rule is an important step toward reclaiming this history.