The Consumer Financial Protection Bureau on Thursday unveiled its long-awaited open banking proposal, a rule it says will give consumers greater control over their financial data by requiring banks to share such data with third parties like fintechs.
The rule, an authority Congress granted the bureau more than a decade ago under Section 1033 of the Dodd-Frank Act, forbids financial institutions from “hoarding a person’s data,” making it easier for consumers to break up with banks that provide bad service, the CFPB said.
The proposed rule gives consumers the right to grant third parties access to information associated with credit card, checking, prepaid and digital wallet accounts.
To comply with the rule, banks would be required to make personal financial data available at no charge to consumers through “safe, secure, and reliable” digital interfaces, the CFPB said.
“This will make it much easier to switch [banks],” CFPB Director Rohit Chopra said on a call with reporters Thursday. “You won't lose your transaction history, which essentially serves as your life ledger. You won't have to start over with a new firm that has less history with you and that is less likely to offer you better deals.”
The proposal seeks to move the market away from screen scraping, a “risky data collection practice” which often requires consumers to share their usernames and passwords with third parties, the CFPB said.
Under the proposal, data providers cannot rely on screen scraping to comply with the obligation to make data available to an authorized third party accessing on the consumer’s behalf, senior CFPB and administration officials told reporters Thursday.
Tiered compliance dates
The CFPB said it recognizes several factors hinder smaller institutions from building interfaces in compliance with the rule, such as size, technological sophistication and reliance on third-party service providers.
As a result, the requirements of the rule would be implemented in phases, the CFPB said.
The rule’s tiered compliance dates start at six months for the largest banks and fintechs, and extend to four years for the smallest firms, senior CFPB and administration officials said.
Community banks and credit unions that have no digital interface with their customers would be exempt from the rule’s requirements, the CFPB said.
Chopra on Thursday said the rule makes clear that companies receiving data can only use it to provide the product the consumer is asking for “and for nothing else.”
“When a consumer permits their data to be used by a company for a specific purpose, it is not a free pass for that company to exploit the data for other uses,” he said.
Firms will not be able to hold on to consumers’ personal financial data indefinitely, Chopra said.
“If a consumer chooses to end the relationship, the firm would have to stop collecting and using the consumer’s data, as well as delete the data it already possesses,” he said.
Chopra said the rule will help accelerate the U.S.’s shift to open banking, aligning the nation more closely with guidelines in place or under consideration in major jurisdictions around the world.
The bureau is interested in covering additional product types in future rulemaking, such as mortgage, auto loans and student loans, senior CFPB and administration officials said.
The proposal comes as the White House in 2021 urged the bureau to launch the open banking rulemaking process, tying the initiative to President Joe Biden’s efforts to boost competition in several sectors, including healthcare, technology and transportation. Chopra spoke at the Money20/20 conference in Las Vegas around this time last year to give an expected timeline for action on open banking.
“One of the competition problems we see in the sector is it is often really daunting for a consumer to switch banks in part because it's difficult to take financial transaction history data to a new bank,” Lael Brainard, director of the White House’s National Economic Council and a former Federal Reserve vice chair, told reporters Thursday. “Today's rule will help ensure financial companies compete based on service quality and pricing, deter junk fees and other confusing practices that consumers distrust and put in place key privacy provisions to ensure companies can't misuse customer data.”
‘A win for consumers’
Fintech stakeholders on Thursday praised the CFPB’s efforts to craft policies around open banking.
“The [Electronic Transactions Association] applauds the CFPB for creating a policy framework around open banking,” said Scott Talbott, who heads the group’s government affairs. “Open banking benefits banks, fintechs and, most importantly, consumers by strengthening their understanding of their financial picture.”
Penny Lee, CEO of the Financial Technology Association, called the proposal “a win for consumers.”
“We look forward to the CFPB creating strong rules of the road that guarantee people’s right to use the digital financial tools they want, regardless of where they bank,” she said. “Looking ahead, we urge the CFPB to implement open banking in a way that prevents anti-competitive behavior from incumbent financial institutions, safeguards consumer data privacy, and fosters innovation in the marketplace.”
Plaid, a fintech that has data sharing agreements with more than 6,500 financial institutions, said it is encouraged by the CFPB’s commitment to consumer data rights and emphasis on promoting competition.
“This rule will help provide more consistent rights and experiences for consumers so that no matter where they bank they can use the apps and services that they want,” a Plaid spokesperson told Banking Dive. “With this guidance, we’re hopeful that banks can now close the final mile on moving to [application programming interfaces] and commit to supporting the ability for their customers to share their data.”
In a statement Thursday, American Bankers Association CEO Rob Nichols said the group welcomes the agency’s “contemplated move” away from screen scraping and its clarification around nonbanks' obligations to protect consumer privacy.
Nichols, however, urged the CFPB to right-size the scope of the rule pertaining to the types of accounts involved and the information that data providers are required to share, as well as address liability and implementation costs.
The CFPB said it is accepting comments on the proposal until Dec. 29, and plans to finalize the rule by next fall.