CFPB Continues to Enhance Regulatory Authority Over Consumers’ Access to Their Financial Data

Published: Jan. 25, 2024

With the comment period recently closed, the content and implications of the Consumer Financial Protection Bureau (“CFPB”)’s  advanced notice of proposed rulemaking warrant particular attention. The proposed Personal Financial Data Rights Rule (“Proposed Rule”) builds upon earlier CFPB guidance, such as the previously announced Consumer Protection Principals, and seeks to give consumers more ways to access their financial information. 

Unlike the prior guidance, the Proposed Rule would mandate specific access and use requirements for three types of entities:

1. Data Providers:

Data Providers are those who control or process consumer financial information such as: “financial institutions” (as defined under Reg. E); “card issuers” (as defined under Reg. Z); or entities that operate any product or service that facilitates payments from a Reg. E account or Reg. Z credit card. The Proposed Rule also includes some exclusions to this definition.

2. Authorized Third Parties:

Authorized Third Parties are those who have been granted access to a consumer’s financial information held by Data Providers. A third party may only obtain such access through compliance with proposed consumer authorization procedures.

3. Data Aggregators:

Data Aggregators are those who provide services to and enable access to Covered Data by Authorized Third Parties. Although Authorized Third Parties are principally responsible for Proposed Rule compliance obligations, many obligations flow down to Data Aggregators as well.

The Proposed Rule would allow consumers to access their financial information (or “Covered Data,1” including account balance, payment details, and transaction information) through an Authorized Third Party who would receive access to the consumer’s financial information through a mandatory, standards-based, Data Provider Interface. In other words, consumers would continue to use the bank’s web portal or application, while Authorized Third Parties could now access the same customer financial information through a Data Provider Interface. Notable requirements for this Data Provider Interface include standards-based, dedicated, uniform, reliable, and secure access.

Significantly, the Proposed Rule does not allow Authorized Third Party access through “any credentials that a consumer uses to access the consumer interface.” This prohibition on credential reuse is largely aimed at stopping the current practice of screen scraping by third parties, such as personal finance management apps that obtain and use consumers’ credentials to log in to Data Provider’s services and extract certain account information. Indeed, the CFPB has characterized this screen scraping as a “risky data collection practice.” Instead, Data Providers will likely offer tokenized authentication and authorization. Tokenized authentication relies upon industry standards, such as OAuth, where applications receive approved access without the need to exchange passwords.

While Data Providers can impose certain restrictions on access to the Data Provider Interface (e.g., outright blocking of access or access frequency limitations), they are required to comply with relevant process obligations, including written governance documents regarding denials of access (policies and procedures) and documentation of the reasonableness of limiting access frequency. Lastly, the Proposed Rule requires Data Providers to address several compliance activities, including establishing and maintaining policies and procedures that address topics such as verification, security, record keeping, and mechanisms to honor consumer third-party access revocation requests.

Authorized Third Parties must also meet similar security obligations while processing Covered Data on behalf of consumers, along with additional authorization and use restrictions. Third parties must obtain consumer authorization to access Covered Data through a clear, conspicuous, and segregated disclosure prior to being granted access. Upon receiving access to consumer Covered Data, the now Authorized Third Party must limit its “collection, use, and retention of covered data to what is reasonably necessary to provide the consumer’s requested product or service,” and the CFPB would prohibit reuse for targeted advertising, cross-selling of other products or services, or sale of Covered Data.

The above is only an overview of the Proposed Rule, so we will continue to monitor how and whether it evolves while the CFPB seeks to accomplish the stated goals of establishing standards for Data Providers and Authorized Third Parties while maintaining fairness, inclusivity, security, and transparency for consumer financial data accessibility and usability.

1 Proposed Rule § 1033.211 provides a detailed definition