CFPB Issues Notice of Proposed Rulemaking Related to Open Banking Rule
In a recent Notice of Proposed Rulemaking, the CFPB seeks comments on four issues related to implementation of section 1033 of the Dodd-Frank Act, which requires “covered persons” to make financial transaction data available to consumers and authorized third parties on request.
Under section 1033, “consumer” is defined as an “individual or an agent, trustee, or representative acting on behalf of an individual.” The previous Personal Financial Data Rights (PFDR) Rule interpreted “representative acting on behalf of an individual” to include third parties accessing consumer data with consumer authorization or as reasonably necessary to provide the requested product or service. The Bureau seeks comments on, among other questions, whether this interpretation represents the best reading of the statutory language and reflects the plain meaning of the term “representative.”
Under the PFDR Rule, a data provider cannot impose any fee or charge on a consumer or an authorized third party related to the required consumer and developer interfaces, or to requesting or making available covered data. The Bureau seeks comments on, among other questions, whether this interpretation represents the best reading of the statutory language and who should bear these costs.
Given that various entities would have access to consumer data under the PFDR Rule, the rule provided for certain information security protections, such as prohibiting data providers from relying on third-party screen scraping to access required developer interfaces. The Bureau seeks comments on the costs and benefits of requiring this level of information security when storing or accessing consumer financial information.
The PFDR Rule required third parties to obtain express informed consent from a consumer before accessing covered data on the consumer’s behalf, provided for specific disclosures to the consumer, and restricted the third party’s collection, use, and disclosure of covered data. The Bureau seeks comments on, among other issues, whether the PFDR Rule provides adequate protection against data privacy threats, such as the licensing and sale of personal financial information without the consumer’s knowledge.
