Open Banking Developments
On October 19, 2023, the Consumer Financial Protection Bureau (CFPB) released its long-awaited "Required Rulemaking on Personal Financial Data Rights" (Proposed Rule) for public comment. The Proposed Rule arises under Section 1033 of the Consumer Financial Protection Act of 2010 (CFPA) and is intended to foster a data access framework for consumers that is safe, secure, reliable, and competitive.
Through the Proposed Rule, the CFPB aims to establish a framework for consumers under which they can authorize third parties to safely collect their personal financial data, and enable access to products and services provided primarily by fintechs. The Proposed Rule is comprehensive in scope and application, with potential impacts to a wide array of data providers, third parties, and data aggregators.
The Proposed Rule notes that comments on the Proposed Rule are due on or before December 29, 2023. We will provide an update with the Federal Register version of the Proposed Rule after it is released.
The CFPB proposes that the effective date occur 60 days after the date of the final rule's publication in the Federal Register, with staggered compliance dates for data providers ranging from one year to four years (based on asset size or revenue).
Related FCRA Proceeding
In parallel with the Proposed Rule, the CFPB is poised to tackle an adjacent matter to the issues raised in the Proposed Rule – credit reporting practices under the Fair Credit Reporting Act. Most recently, the CFPB previewed some potential FCRA amendment topics (see our quick reactions to that preview here). As noted by the CFPB in the Proposed Rule (page 23), an entity engaged in data aggregation for credit reporting purposes, may be acting as a consumer reporting agency. That discussion reflects the delineation between the collection and use of information under the Proposed Rule vs. the FCRA. Accordingly, both providers and collectors of consumer financial information need to pay close attention to the CFPB's FCRA proceeding, together with the Proposed Rule, in order to determine their respective roles and responsibilities as data providers, data aggregators, furnishers and consumer reporting agencies, under each regime.
We frequently represent financial institutions in all aspects of their open banking relationships, including:
- Interpreting and applying regulations and regulatory guidance, structuring and negotiating contracts and data-sharing terms,
- Assessing risk,
- Tracking and evaluating relevant litigation and settlements,
- Structuring and drafting customer disclosures and consents, and
- Launching products and functionality.
We are actively representing FIs and technology providers in connection with the establishment and structuring of data-sharing networks and hubs through which bank customer data is transferred to multiple permissioned recipients. These are alternative, second-generation models for sharing customer data and are intended to enable the networks to be more flexible in addressing open-banking needs.