Last month the Consumer Financial Protection Bureau (“CFPB”) released a proposed rule that, if enacted, would aim to grant consumers greater access rights to the data their financial institutions hold. The proposed Personal Financial Data Rights Rule (the “Proposed Rule”) signals the first step towards the implementation of regulations aimed at “open banking” that were initially required under the Dodd-Frank Act and is the first proposal to implement Section 1033 of the Consumer Financial Protection Act.
The Proposed Rule would provide consumers the right to request information related to their account transactions, balances, and third-party bill payments from their financial institutions. Consumers would also be able to request information used to initiate ACH transactions, information regarding product and services terms and conditions, and account verification information. Notably, the access rights exclude information that would constitute confidential business information and certain information concerning mortgages, auto loans, and student loans. Financial institutions would be required to make covered data available in a readily usable electronic form to the consumer and, if applicable, a third-party authorized by the consumer, such as other financial institutions, upon request and at no cost.
There is a limited exemption for community banks without “consumer interfaces.” A “consumer interface” is defined in the Proposed Rule as “an interface through which a data provider receives requests for covered data and makes available covered data in an electronic form usable by consumers in response to requests.” The term is intended to encompass consumer-facing digital banking interfaces that allow consumers to make requests for information, such as online banking or mobile banking applications.
While the vast majority of financial institutions offer consumer interfaces, a small number of institutions do not offer any such service. In the CFPB’s view, these smaller institutions generally provide timely and understandable information through ongoing personal relationships to assist customers in making decisions about financial transactions and would be unduly burdened by not having the means to access data covered by the Proposed Rule with the same speed and efficiency that institutions with such interfaces do. The Proposed Rule would not provide a grace period for institutions that do not have a consumer interface as of the effective date but subsequently offer such an interface to their customers. So if any such institution later chooses to offer a consumer interface after the compliance date then those institutions will be expected to comply starting on day 1.
For financial institutions subject to the Proposed Rule, there is staggered implementation. Larger data providers will be subject to compliance sooner than smaller institutions. Financial institutions holding at least $500 billion in total assets would be required to comply within six months of final rule publication. Financial institutions between $50 and $500 billion in total assets would have a compliance timeframe of twelve months. Institutions holding between $850 million and $50 billion would have thirty months or 2.5 years, while institutions holding less than $850 million in total assets would have four years.
Comments on the Proposed Rule are due on or before December 29, 2023.