CFPB Announces Personal Financial Data Rights Rule
PFDR would require depository and nondepository entities to make available to consumers and authorized third parties certain data relating to consumers’ transactions and accounts
On Oct 21st, the CFPB unveiled the much-anticipated Personal Financial Data Rights rule, also known as ‘Open Banking’, aimed at enhancing consumer control over financial data and promoting sector competition. This new PFDR rule in many ways aligns with the EU's General Data Protection Regulation (GDPR), which revolutionized the global digital media sphere by bolstering personal data control, institutional transparency, and robust data protection against misuse. Will PFDR have the same impact on financial institutions as GDPR has had on global tech companies? In this week's Roundtable Roundup, we break down the PFDR rule and share open questions, notes and reactions from around the industry.
From CFPB Director Rohit Chopra’s prepared remarks:
Today, the CFPB is proposing a rule to activate a dormant authority under a 2010 law to accelerate much-needed competition and decentralization in banking and consumer finance by making it easier to switch to a new provider. The Personal Financial Data Rights rule would help address many of the root causes of sticky banking – by giving people more power to walk away from bad service and enabling small community banks and nascent competitors to peel away customers through better products and services with more favorable rates.
The CFPB will now collect comments on the proposed rule through Dec. 29, 2023, and then probably issue a final rule implementing Section 1033 in the fall of 2024, as Director Chopra noted in his prepared remarks.
Here are the key elements of the proposed rule:
Consumer Control and Data Sharing:
The proposed rule would require financial institutions to provide consumers and their authorized third parties with electronic access to account information, fostering a shift towards open banking where consumers have control over their financial data.
Increased Competition and Pricing Transparency:
By preventing financial institutions from hoarding data, the rule is intended to jumpstart competition and enable consumers to switch providers more easily if they are dissatisfied with the services or fees charged by their current providers.
Consumer Protections:
The proposal includes robust protections to prevent misuse of data, ensuring that third parties authorized by consumers to access data on their behalf cannot use or retain data to advance their own commercial interests, such as ads / targeting.
Notes & Open Questions:
The CFPB outlines its regulatory mandate to create and implement these rules - Page 6:
In 2010, Congress explicitly recognized the importance of personal financial data rights in section 1033 of the Consumer Financial Protection Act of 2010 (CFPA). However, to date, the CFPB has not issued a rule to implement this provision of law.
Many market participants have already sought to develop technologies and standards to facilitate consumer access to personal financial data. The CFPB intends to accelerate the shift to a more open and decentralized system through the issuance of a final rule.
This statement is of particular importance because the CFPB is currently facing a case in front of the Supreme Court arguing that its funding structure is unconstitutional.
The CFPB is responding to exorbitant consumer demand for ‘open banking’ in the United States - Page 10:
The CFPB estimates that at least 100 million consumers have authorized a third party to access their account data. In 2022, the number of individual instances in which third parties accessed or attempted to access consumer financial accounts exceeded 50 billion and may have been as high as 100 billion, figures that vastly exceed the comparable public figures from some other jurisdictions’ open banking systems, even on a per-capita basis.
A primary objective of PFDR is to end the practice of 3rd parties / data aggregators using insecure ‘screen scraping’ - Page 12:
Based on feedback received through public comments and stakeholder outreach, there is nearly universal consensus that developer interfaces should supplant screen scraping.
However, such a transition requires certain conditions. First, data providers must commit resources to develop and maintain developer interfaces. While large depository and nondepository institutions might have sufficient information technology budgets to do this themselves, small institutions tend to rely on a few core service providers, and frequently report problems with the services that “cores” offer.
A primary objective of PFDR is to standardize access, data usage and security so financial players large and small can compete on a level playing field. As a result, the following guidelines have been proposed:
Page 71: No fees can be charged by data providers - there is no mention or regulation of data aggregator costs.
Page 74: Data providers will not be able to force 3rd parties to use a specific data aggregator
Page 58: Data providers must provide transaction information (e.g., amount, date, payee, etc.) relating to transactions that are underway, including, for example, debit card transactions that have been authorized but not yet settled and those that have occurred within the last two years (at a minimum).
Account balance.
Account and routing information (though this can be tokenized).
Terms and conditions of the account (e.g., fee schedule, rate, rewards terms, overdraft coverage, existence of an arbitration agreement, etc.).
Upcoming bill information (e.g., an upcoming utility bill or a minimum payment).
Shareholder information is not mentioned despite that data being readily available via the same API
Page 138: 3rd parties are required to prompt consumers to reauthorize every year
Page 139: 3rd parties are not allowed to access or store data that is deemed excessive or unnecessary to the consumer’s request / intention
Page 110: 3rd parties must provide ways to revoke access and cannot discourage revoking access to customer data
Plaid and Fidelity business practices were referenced by CFPB as an impetus for implementing “strong rules” - Page 7:
Plaid for screen scraping
Screen scraping became a significant point of contention between third parties and data providers, in part due to its inherent risks, such as the proliferation of shared consumer credentials and overcollection of data. Aggregators often declined to seek permission from financial institutions they “scraped,” and some methods aggregators used to solicit credential sharing led to litigation.
Fidelity for forcing access to its data via an owned data aggregator, Akoya
Despite these challenges, financial institutions have begun to dedicate more resources to develop open banking infrastructure. This includes multilateral efforts, some of which have been controversial. Other incumbents, most notably large payment networks, have sought to acquire aggregators. Most recently, large payments-focused nondepositories have looked to enter the aggregation space by developing internal business units, sometimes partnering with incumbent aggregators. These efforts indicate the potential for incumbents to mitigate or neutralize competitive threats from open banking, demonstrating the need for strong rules to protect the openness of the system.
The CFPB highlighted specific use-cases that underpin the justification for PFDR but notably left out how data sharing practices among financial institutions impact consumers of US capital markets - Page 12:
Major use cases, which the CFPB understands generally rely heavily or exclusively on data from transaction accounts, include personal financial management tools of all kinds, payment applications and digital wallets, credit underwriting (including cashflow underwriting), and identity verification. While many major use cases began as innovative offerings by third parties, incumbent financial institutions have adopted many of them in response to consumer demand. Many use cases also compete with the core offerings of other types of financial institutions, such as card networks and credit bureaus.
“Open banking” is mentioned as being interchangeable with “open finance” - Page 7:
This Federal Register notice generally uses the term “open banking” to refer to the network of entities sharing personal financial data with consumer authorization. Some stakeholders use the term “open finance” because of the role of nondepositories as important data sources. The CFPB views the two terms as interchangeable, but generally uses “open banking” because that term is more commonly used in the United States.
“Open finance” rules should include brokerage accounts
Engaging in the stock market is a key aspect of a consumer's financial journey, with neobanks like SoFi, MoneyLion, and Betterment providing innovative banking solutions along with entry points to capital markets. Although the current version of PFDR covers both depository and nondepository institutions (such as brokerages), it doesn't standardize the sharing of portfolio information between consumers and third parties. The CFPB plans to encompass more products over time, and the technical infrastructure and accessibility guidelines required for PFDR compliance could significantly transform investor relations by offering standardized and cost-effective access to shareholder data. The Roundtable Roundup will be following this topic very closely in the coming weeks and months.
Other Reactions:
Wall Street’s Most Hated Regulator Faces a Fundamental Threat (New York Times)
Rohit Chopra's aggressive regulatory stance as the CFPB Director has earned him acclaim from consumer advocates but disdain from the financial sector. Bankers refer to him as a “regulator gone rogue.”
The Supreme Court is set to review a case challenging the CFPB's funding structure, potentially threatening the bureau's autonomy and its past actions.
Chopra's enforcement actions, like hefty fines on Wells Fargo and litigation against TransUnion and MoneyGram, signify a stringent approach to ensuring consumer protection and financial law adherence.
The U.S. Court of Appeals for the Fifth Circuit's ruling on the bureau's funding being unconstitutional has initiated a cascade of legal challenges against the CFPB.
Rohit Chopra: 'Financial markets are much better off with the CFPB' (Yahoo! Finance)
Significance of CFPB: Chopra asserts the fundamental role of the CFPB in stabilizing financial markets.
Chopra: I think the whole financial markets are much better off with the CFPB there.
Impact on the Mortgage Industry: Chopra indicates that challenges to the CFPB's funding could lead to greater uncertainty in the mortgage sector, potentially exacerbating current pressures.
Chopra: I think many in the mortgage industry are already facing so many challenges when it comes to the higher interest rate environment. We see refinancing activity and loan origination activity go down and this would add even further uncertainty and really cause a lot of headaches for consumers too.
US Payment System and Big Tech: Chopra expresses concerns about the US payment system's trajectory, particularly regarding Big Tech's increasing influence and the potential threats they pose to traditional financial boundaries.
Chopra: One of the things that I think we're seeing in the market is that the US is really lurching toward a market structure that's more like what we see in China. It's worrisome when we don't have a real open and decentralized system that consumers and businesses and new types of startups in the financial sector can all use to get ahead. So we're going to be continuing to look really carefully at how that data harvesting and surveillance is working.
Protection of Consumer Data: Chopra emphasizes the necessity of safeguarding consumers' financial data, ensuring that it isn't used for unintended or exploitative purposes.
Chopra: Americans to have confidence when they share their financial data that those companies aren't reselling it or trafficking it for purposes that the consumer never even wanted.
Credit Union National Association (CUNA) concerned with CFPB personal financial data rights proposal (Link)
“CUNA supports credit union members’ and consumers’ ability to access and share their personal financial data while ensuring that the information remains safe, secure, accurate, and private,” said CUNA President/CEO Jim Nussle. “We are concerned with this proposal, particularly that it would require credit unions to create, maintain, and service interfaces for third parties to access member data, but prohibit charging a fee for services provided. At a time when credit unions are being hit with increasing costs just to serve their communities, we’re very disappointed with requiring credit unions to divert time and resources away from member services to subsidize and provide free services to third parties’ competing businesses.”