Required Rulemaking on Personal Financial Data Rights
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
<html>
<head>
<title>Federal Register, Volume 89 Issue 222 (Monday, November 18, 2024)</title>
</head>
<body><pre>
[Federal Register Volume 89, Number 222 (Monday, November 18, 2024)]
[Rules and Regulations]
[Pages 90838-90998]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2024-25079]
[[Page 90837]]
Vol. 89
Monday,
No. 222
November 18, 2024
Part II
Consumer Financial Protection Bureau
-----------------------------------------------------------------------
12 CFR Parts 1001 and 1033
Required Rulemaking on Personal Financial Data Rights; Final Rule
[[Page 90838]]
-----------------------------------------------------------------------
CONSUMER FINANCIAL PROTECTION BUREAU
12 CFR Parts 1001 and 1033
[Docket No. CFPB-2023-0052]
RIN 3170-AA78
Required Rulemaking on Personal Financial Data Rights
AGENCY: Consumer Financial Protection Bureau.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The Consumer Financial Protection Bureau (CFPB) is issuing a
final rule to carry out the personal financial data rights established
by the Consumer Financial Protection Act of 2010 (CFPA). The final rule
requires banks, credit unions, and other financial service providers to
make consumers' data available upon request to consumers and authorized
third parties in a secure and reliable manner; defines obligations for
third parties accessing consumers' data, including important privacy
protections; and promotes fair, open, and inclusive industry standards.
DATES: This final rule is effective January 17, 2025.
Compliance dates: Data providers must comply with the requirements
in 12 CFR part 1033, subparts B and C beginning April 1, 2026; April 1,
2027; April 1, 2028; April 1, 2029; or April 1, 2030, pursuant to the
criteria set forth in Sec. 1033.121(c).
FOR FURTHER INFORMATION CONTACT: George Karithanom, Regulatory
Implementation and Guidance Program Analyst, Office of Regulations, at
202-435-7700 or <a href="https://reginquiries.consumerfinance.gov/">https://reginquiries.consumerfinance.gov/</a>. If you
require this document in an alternative electronic format, please
contact CFPB_Accessibility@cfpb.gov.
SUPPLEMENTARY INFORMATION:
Table of Contents
Abbreviations and Acronyms
I. Overview
A. Summary of the Final Rule
B. Market Background
II. The Proposal and Other Procedural Background
A. Outreach
B. Summary of the Proposed Rule
C. 2024 Industry Standard-Setting Final Rule
III. Legal Authority
A. CFPA Section 1033
B. CFPA Sections 1022(b) and 1024(b)(7)
C. CFPA Section 1002
IV. Discussion of the Final Rule
12 CFR part 1033
General Comments Received on the Proposal
A. Subpart A--General
B. Subpart B--Making Covered Data Available
C. Subpart C--Data Provider Interfaces; Responding to Requests
D. Subpart D--Authorized Third Parties
12 CFR part 1001
V. Effective and Compliance Dates
VI. CFPA Section 1022(b) Analysis
A. Statement of Need
B. Data and Evidence
C. Coverage of the Rule
D. Baseline for Consideration of Costs and Benefits
E. Potential Benefits and Costs to Consumers and Covered Persons
F. Potential Impacts on Insured Depository Institutions and
Insured Credit Unions With $10 Billion or Less in Total Assets, as
Described in Section 1026
G. Potential Impacts on Consumers in Rural Areas, as Described
in Section 1026
VII. Regulatory Flexibility Act Analysis
A. Small Business Review Panel
B. Final Regulatory Flexibility Analysis
VIII. Paperwork Reduction Act
IX. Congressional Review Act
X. Severability
Abbreviations and Acronyms
ACH = Automated Clearing House
ANPR = Advance Notice of Proposed Rulemaking
API = Application programming interface
APR = Annual percentage rate
APY = Annual percentage yield
ATO = Account takeover
BLS = U.S. Bureau of Labor Statistics
BNPL = Buy Now Pay Later
EBT = Electronic benefit transfer
FDIC = Federal Deposit Insurance Corporation
FFIEC = Federal Financial Institutions Examination Council
FRFA = Final regulatory flexibility analysis
FTC = Federal Trade Commission
IRFA = Initial regulatory flexibility analysis
LEI = Legal Entity Identifier
MSA = Metropolitan statistical area
NAICS = North American Industry Classification System
NCUA = National Credit Union Administration
NPRM = Notice of Proposed Rulemaking
OCC = Office of the Comptroller of the Currency (U.S. Department of
the Treasury)
OFAC = Office of Foreign Assets Control (U.S. Department of the
Treasury)
OMB = Office of Management and Budget (Executive Office of the
President)
RFI = Request for Information
SBA = U.S. Small Business Administration
SBA Advocacy = U.S. Small Business Administration Office of Advocacy
SNAP = Supplemental Nutrition Assistance Program
SSN = Social Security number
TAN = Tokenized account number
URL = Uniform resource locator
USDA = U.S. Department of Agriculture
I. Overview
A. Summary of the Final Rule
When Congress established the Consumer Financial Protection Bureau
in the Consumer Financial Protection Act (CFPA), it sought to ensure
that markets for consumer financial products and services are fair,
transparent, and competitive.\1\ CFPA section 1033 lets consumers take
action by giving them a right to access their account information and
authorize certain third parties acting on their behalf to access that
information. This right enables consumers to evaluate their account
relationships and switch providers that are not benefiting them, and
allows consumers to authorize third parties to access data on their
behalf to provide valuable products and services they request.
Increased competition can lead to innovation, attractive rates, quality
service, and other benefits.
---------------------------------------------------------------------------
\1\ 12 U.S.C. 5511(a). The CFPA is title X of the Dodd-Frank
Wall Street Reform and Consumer Protection Act, Public Law 111-203,
124 Stat. 1376, 2008 (2010).
---------------------------------------------------------------------------
Specifically, CFPA section 1033(a) and (b) provide that, subject to
rules prescribed by the CFPB, a covered person shall make available to
a consumer, upon request, information in the control or possession of
the covered person concerning the consumer financial product or service
that the consumer obtained from such covered person, subject to certain
exceptions. The information must be made available in an electronic
form usable by consumers. In addition, Congress mandated in section
1033(d) that the CFPB prescribe standards to promote the development
and use of standardized formats for data made available under section
1033.
This final rule carries out these objectives by empowering
consumers to access account data controlled by providers of certain
consumer financial products or services in a safe, secure, reliable,
and competitive manner. When implemented, consumers will be able to
access their own data and authorize third parties to access their data
safely and with confidence that the third party is acting on their
behalf, which means not collecting, using, or retaining consumer data
for the benefit of entities other than the consumer. Consumers and
authorized third parties will be able to access data securely, ensuring
that a baseline set of security standards apply across the market. They
also will be able to access data reliably, promoting the accurate and
consistent transmission of usable data. Consumer-authorized data access
under the final rule also will occur in a manner that promotes
competition through standardization and other measures to avoid
entrenching incumbent data providers, intermediaries, and third parties
that
[[Page 90839]]
have commercial interests not always aligned with the interests of
consumers and competition generally.
Coverage
In general, the final rule requires a ``data provider'' to make
``covered data'' about ``covered financial products and services''
available in electronic form to consumers and to certain ``authorized
third parties.'' For this purpose, an authorized third party is a third
party that has complied with the authorization procedures set forth in
subpart D of part 1033.
A ``data provider'' includes depository institutions (including
credit unions) and nondepository institutions that issue credit cards,
hold transaction accounts, issue devices to access an account, or
provide other types of payment facilitation products or services. The
final rule does not apply to certain small depository institutions as
defined in the rule. In general, ``covered data'' includes information
about transactions, costs, charges, and usage. This coverage is
intended to prioritize some of the most beneficial use cases for
consumers and leverage data providers' existing capabilities.
Clarifying the scope of the data access right will also promote
consistency in the data made available to consumers, reduce costs of
arranging for access to such data, and focus the development of
technical standards around such data.
Access Requirements
The final rule generally requires a data provider to make covered
data available to consumers and authorized third parties upon request.
The rule includes a number of functional requirements intended to
ensure data providers make covered data available reliably, securely,
and in a way that promotes competition. A data provider must make
covered data available to authorized third parties in a standardized
and machine-readable format and in a commercially reasonable manner,
including by meeting a minimum response rate with respect to requests
for covered data. A data provider must not unreasonably restrict the
frequency with which it receives or responds to requests for covered
data from an authorized third party. In addition, the data provider
cannot comply with the requirement to make data available to authorized
third parties by allowing the third party to engage in ``screen
scraping,'' an access method that uses consumer credentials to log in
to consumer accounts to retrieve data.\2\ The final rule also prohibits
fees or charges related to consumer and third party data access. The
final rule also requires a data provider to publicly disclose certain
information about itself to facilitate access to covered data and to
promote accountability.
---------------------------------------------------------------------------
\2\ Unless otherwise stated, the term ``screen scraping'' in
this final rule refers to credential-based screen scraping, which is
prevalent in the market today.
---------------------------------------------------------------------------
The rule uses the term ``developer interface'' to refer to the
functionality through which a data provider receives requests for
covered data and makes the data available in electronic form usable by
authorized third parties. Similarly, the rule uses the term ``consumer
interface'' as a label for the functionality with respect to consumer
access. In neither case does the rule require the use of any particular
technology.
Authorized Third Parties
To become an authorized third party, a third party must seek access
to covered data on behalf of a consumer to provide a product or service
that the consumer requested and: (1) provide the consumer with an
authorization disclosure containing certain key terms of the data
access; (2) provide a statement to the consumer in the authorization
disclosure certifying that the third party agrees to certain
obligations set forth in the final rule; and (3) obtain the consumer's
express informed consent to access covered data on behalf of the
consumer by obtaining an authorization disclosure that is signed by the
consumer electronically or in writing.
Under the final rule, a third party must certify to limit its
collection, use, and retention of covered data to what is reasonably
necessary to provide the consumer's requested product or service. For
purposes of this certification, targeted advertising, cross-selling,
and the sale of covered data are not part of, or reasonably necessary
to provide, any other product or service. The final rule includes
examples of uses that are considered reasonably necessary to provide
consumer requested products or services.
In addition to this general limit on collection, use, and retention
of covered data, the third party also must certify to limit the
duration of collection of covered data pursuant to a given
authorization to a maximum period of one year. To continue collection,
the third party must obtain a new authorization from the consumer no
later than the anniversary of the most recent authorization. If a
consumer does not provide a new authorization or if a consumer revokes
authorization, the third party will cease its collection of covered
data and cease its use and retention of covered data that was
previously collected unless use or retention of that covered data
remains reasonably necessary to provide the consumer's requested
product or service.
Under the final rule, a third party must also certify to:
<bullet> Have written policies and procedures that are reasonably
designed to ensure that covered data are accurately received from a
data provider and, if applicable, accurately provided to other third
parties.
<bullet> Apply an information security program to its systems for
the collection, use, and retention of covered data. Generally, the
program must satisfy the applicable rules issued pursuant to the
Safeguards Framework of the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C.
6801 et seq. (GLBA Safeguards Framework).\3\
---------------------------------------------------------------------------
\3\ The GLBA Safeguards Framework in this final rule refers to the
rules issued by the FTC and the guidelines issued by the prudential
regulators that generally implement the GLBA's data security
safeguards framework, pursuant to sections 501 (15 U.S.C. 6801) and
505 (15 U.S.C. 6805) of the GLBA. See Safeguards Rule, 16 CFR part
314; Interagency Guidelines Establishing Standards for Safety and
Soundness, 12 CFR part 30, app. A (OCC); 12 CFR part 208, app. D-1
(Bd. of Governors of the Fed. Rsrv. Sys.); 12 CFR part 364, app. A
(FDIC); and 12 CFR 748, app. A (NCUA). The GLBA Safeguards Framework
sets forth standards for administrative, technical, and physical
safeguards with respect to financial institutions' customer
information. These standards generally apply to the security and
confidentiality of customer records and information, anticipated
threats or hazards to the security or integrity of such records, and
unauthorized access to or use of such records or information that
could result in substantial harm or inconvenience to any customer.
---------------------------------------------------------------------------
<bullet> Provide the consumer with a copy of the authorization
disclosure that the consumer has signed electronically or in writing
and contact information that enables a consumer to receive answers to
questions about the third party's access to the consumer's covered
data.
<bullet> Have reasonable written policies and procedures designed
to ensure that the third party provides to the consumer, upon request,
certain information about the third party's access to the consumer's
covered data.
<bullet> Provide the consumer with a method to revoke the third
party's authorization. Additionally, the third party will certify that
it will notify the data provider, any data aggregator, and other third
parties to which it has provided the consumer's covered data when the
third party receives a consumer's revocation request.
[[Page 90840]]
<bullet> Require other third parties, by contract, to comply with
specified third party obligations before providing covered data to
them.
Data Aggregators
The final rule permits data aggregators to perform the
authorization procedures described in the final rule on behalf of the
third party seeking the consumer's authorization. The third party
seeking the consumer's authorization remains responsible for compliance
with the authorization procedures even if it uses a data aggregator to
perform the authorization procedures. If the third party will use a
data aggregator to assist with accessing covered data, the data
aggregator must certify to the consumer that it will satisfy the third
party obligations discussed above (except the obligation to ensure
consumers are informed, including the obligation to provide a copy of
the authorization disclosure and contact information, and the
obligation to provide a revocation mechanism), and this certification
must be provided to the consumer. The third party may include this
certification in the authorization disclosure or the data aggregator
may provide it separately. Additionally, the third party's
authorization disclosure must include the data aggregator's name and a
description of the services that the data aggregator will provide in
connection with accessing the consumer's covered data.
Policies and Procedures, and Recordkeeping for Data Providers and Third
Parties
The final rule requires a data provider to have written policies
and procedures that are reasonably designed to achieve certain
objectives, including those related to what covered data are generally
made available, how a data provider responds to requests for developer
interface access and requests for information, the accuracy of data
transmitted through an interface, and record retention.
A third party that is a covered person or service provider as
defined in the CFPA (12 U.S.C. 5481(6) and (26)), must establish and
maintain written policies and procedures that are reasonably designed
to ensure retention of records that are evidence of compliance for a
reasonable period of time, not less than three years after a third
party obtains the consumer's most recent authorization.
Financial Products or Services (Part 1001)
The final rule defines financial products or services under the
CFPA to ensure that it includes providing financial data processing.
This provides additional assurance that financial data processing by
third parties or others is subject to the CFPA and its prohibition on
unfair, deceptive, and abusive acts or practices.
B. Market Background
Digitization in consumer finance has the potential to facilitate
more seamless consumer switching and greater competition. Consumers'
ability to easily switch providers of consumer financial products and
services creates strong competitive incentives that result in superior
customer service and more favorable terms for consumers. Consumer-
authorized sharing of personal financial data can produce positive
market outcomes, but without appropriate safeguards it can also lead to
misuse and abuse of consumer data.
Development of Electronic Data Access and Open Banking
Most consumers with a bank account are enrolled in digital banking
through online banking or mobile applications, and more than two-thirds
use it as their primary method of account access.\4\ Consumer
interfaces generally provide free access to information such as
balances, transactions, and at least some terms of service. These
consumer interfaces may provide additional functionality, such as
allowing consumers to move money, manage their accounts, and download
financial data.\5\ Building on these developments, open banking \6\
emerged in the early 2000s, along with interfaces designed for
developers of products or services to request consumer information, and
related industry standard setting activity.\7\ Third parties, such as
personal financial advisors, often outsourced establishing and
maintaining connections with data providers to data aggregators. These
intermediaries largely relied on ``screen scraping.'' Widespread screen
scraping allowed open banking to grow quickly in the U.S. Screen
scraping became a significant point of contention between third parties
and data providers, in part due to its inherent risks, such as the
proliferation of shared consumer credentials and overcollection of
data.\8\
---------------------------------------------------------------------------
\4\ Fed. Deposit Ins. Corp., National Survey of Unbanked and
Underbanked Households (2021), <a href="https://www.fdic.gov/analysis/household-survey/2021report.pdf">https://www.fdic.gov/analysis/household-survey/2021report.pdf</a>.
\5\ For a more detailed discussion of the history of digital
banking, see the NPRM, 88 FR 74796, 74797-98 (Oct. 31, 2023).
\6\ This final rule generally uses the term ``open banking'' to
refer to the network of entities sharing personal financial data
with consumer authorization. Some stakeholders use the term ``open
finance'' because of the role of nondepositories as important data
sources. The CFPB views the two terms as interchangeable, but
generally uses ``open banking'' because that term is more commonly
used in the U.S.
\7\ Maria Trombly, Citibank's Aggregation Portal a Big Draw,
Computerworld (Sept. 18, 2000), <a href="https://www.computerworld.com/article/2597099/citibank-s-aggregation-portal-a-big-draw.html">https://www.computerworld.com/article/2597099/citibank-s-aggregation-portal-a-big-draw.html</a>; Off.
of the Comptroller of the Currency, Bank-Provided Account
Aggregation Services: Guidance to Banks (2001), <a href="https://www.occ.treas.gov/news-issuances/bulletins/2001/bulletin-2001-12.html">https://www.occ.treas.gov/news-issuances/bulletins/2001/bulletin-2001-12.html</a>; CNET, Net earnings: E-commerce in 1997 (Dec. 24, 1997),
<a href="https://www.cnet.com/tech/tech-industry/net-earnings-e-commerce-in-1997/">https://www.cnet.com/tech/tech-industry/net-earnings-e-commerce-in-1997/</a>; Microsoft, OFX Consortium Expands with Bank of America,
Citigroup, Corillian, E*TRADE and TD Waterhouse (Oct. 2, 2001),
<a href="https://news.microsoft.com/2001/10/02/ofx-consortium-expands-with-bank-of-america-citigroup-corillian-etrade-and-td-waterhouse/">https://news.microsoft.com/2001/10/02/ofx-consortium-expands-with-bank-of-america-citigroup-corillian-etrade-and-td-waterhouse/</a>.
\8\ For a more detailed discussion of the history of screen
scraping, see NPRM, 88 FR 74796, 74797-99 (Oct. 31, 2023).
---------------------------------------------------------------------------
In recent years, the open banking system has continued to grow as
consumer reliance on products and services powered by consumer-
authorized data access has expanded. However, this growth has been
uneven, with various disputes among system participants continuing to
arise. Despite these challenges, financial institutions are dedicating
more resources to developing open banking infrastructure, indicating
significant consumer demand for open banking use cases, as well as
interest among incumbents in maintaining some control over the system.
State of the Open Banking System
The CFPB estimates that, as of 2022, at least 100 million consumers
had authorized a third party to access their account data. In 2022, the
number of individual instances in which third parties accessed or
attempted to access consumer financial accounts is estimated to have
exceeded 50 billion and may have been as high as 100 billion, figures
that vastly exceed the comparable public figures from some other
jurisdictions' open banking systems, even on a per-capita basis.\9\
These figures are likely to grow as consumer engagement continues and
use cases expand.
---------------------------------------------------------------------------
\9\ See Press Release, Open Banking Ltd., Open banking marks
major milestone of 10 million users (July 23, 2024), <a href="https://www.openbanking.org.uk/news/open-banking-marks-major-milestone-of-10-million-users/">https://www.openbanking.org.uk/news/open-banking-marks-major-milestone-of-10-million-users/</a>; and Consumer Data Right, Performance, Overview,
API Invocations, <a href="https://www.cdr.gov.au/performance">https://www.cdr.gov.au/performance</a> (scroll down to
``Overview'' dashboard; then, near the top right of dashboard,
select ``Date Slider''; then update date range from ``1/1/2022'' to
``12/31/2022''; then view updated ``API Invocations'' data on the
bottom left of dashboard) (last visited Oct. 16, 2024).
---------------------------------------------------------------------------
The open banking system also engages a large number of entities,
including thousands of depository institutions and third parties. A
growing number of entities now serve as both data
[[Page 90841]]
providers and third parties. For example, many depositories now act as
third parties by offering personal financial management tools, while
some entities offering so-called neobank accounts and digital wallets
act as data providers. Most third party access is effectuated via a
small number of aggregators, although some third parties elect to
access at least some data directly.\10\
---------------------------------------------------------------------------
\10\ For a more detailed discussion of the makeup of the market,
see NPRM, 88 FR 74796, 74798 (Oct. 31, 2023).
---------------------------------------------------------------------------
Third party data access is generally enabled via screen scraping or
developer interfaces.\11\ Based on feedback received through public
comments and stakeholder outreach, there is nearly universal consensus
that safer forms of data access should supplant screen scraping.\12\
However, to this point, such a transition has required data providers
to choose to develop and maintain safer forms of data access, and
required agreement between such providers and third parties on the
resulting terms of data access, both of which have proved to be
challenging propositions.\13\ In spite of these challenges, open
banking use cases continue to emerge and develop. Major use cases
include personal financial management tools, payment applications and
digital wallets, credit underwriting (including cashflow underwriting),
and identity verification. While many major use cases began as
innovative offerings by third parties, incumbent financial institutions
have adopted many of them in response to consumer demand.
---------------------------------------------------------------------------
\11\ For a more detailed discussion of these methods, see id.
\12\ See, e.g., Consumer Fin. Prot. Bureau, Bureau Symposium:
Consumer Access to Financial Records Report, at 3-4 (July 2020),
<a href="https://files.consumerfinance.gov/f/documents/cfpb_bureau-symposium-consumer-access-financial-records_report.pdf">https://files.consumerfinance.gov/f/documents/cfpb_bureau-symposium-consumer-access-financial-records_report.pdf</a>.
\13\ For a more detailed discussion of this transition, see
NPRM, 88 FR 74796, 74798-99 (Oct. 31, 2023).
---------------------------------------------------------------------------
Challenges in the Open Banking System
Though the open banking system in the U.S. has grown considerably,
significant challenges remain to achieving safe, secure, reliable, and
competitive open banking. Divergent interests in the market with
respect to the scope, terms, and mechanics of data access, and problems
with the responsible collection, use, and retention of data have
impeded the transition to safer forms of data access and the
development of market-wide standards. This leads to inconsistent data
access for consumers and market inefficiencies. These dynamics also
impel third parties to rely on intermediaries, which have interests
that may not always advance open banking since they stand to benefit
from existing private network effects.
Market participants' interests may diverge due to interrelated
competitive, legal, and regulatory factors. For example, data providers
may limit the data they share or refrain from sharing altogether to
protect their market position, while third parties may collect more
data than they reasonably need to provide the products or services
sought by the consumer.\14\ Such unnecessary collection, use, and
retention of consumer data by third parties does not benefit consumers
and needlessly encroaches on consumers' privacy interests.
---------------------------------------------------------------------------
\14\ For a more detailed discussion of divergent interests
present in the market and the risks created by particular practices,
including screen scraping, see id. at 74798-99.
---------------------------------------------------------------------------
Impacts of These Challenges on the Open Banking System
The challenges described above have impeded progress on safer forms
of data access and hampered multilateral efforts by industry to
establish open banking standards.\15\ This stasis has forced the open
banking system to depend heavily on a handful of data aggregators that
accrue economic benefits from the system's inability to scale safer
forms of data access and open industry standards. Dependency on a
handful of data aggregators creates incentives for them to rent-seek
and self-preference. In a more open system where safer forms of data
access are appropriately accessible and third parties are easily
verified, third parties and data providers may choose to connect
without intermediaries if they wish, or continue to use them to the
extent they offer compelling value.
---------------------------------------------------------------------------
\15\ For a more detailed discussion of how such progress has
been hampered, see id. at 74799.
---------------------------------------------------------------------------
When the challenges impeding progress described above are resolved,
consumers should be able to safely, securely, and reliably exercise
their data access rights in a competitive open banking system not
dominated by the interests of any one segment of the market.
II. The Proposal and Other Procedural Background
A. Outreach
In addition to the industry and community outreach described in the
proposal,\16\ in 2016, the CFPB published in the Federal Register an
RFI Regarding Consumer Access to Financial Information on topics
including consumer-authorized data access \17\ and in 2020 held a
symposium with stakeholders \18\ and published an ANPR in the Federal
Register.\19\ Pursuant to the Small Business Regulatory Enforcement
Fairness Act of 1996 (SBREFA),\20\ the CFPB in 2022 issued its Outline
of Proposals and Alternatives under Consideration for the Required
Rulemaking on Personal Financial Data Rights (Outline or SBREFA
Outline) \21\ and in 2023 convened a SBREFA Panel,\22\ which issued a
report (Panel Report or SBREFA Panel Report).\23\ In December 2023,
CFPB staff met with the Consumer Advisory Board, the Community Bank
Advisory Council, and the Credit Union Advisory Council to receive
feedback on the proposed rule.\24\
---------------------------------------------------------------------------
\16\ See 88 FR 74796, 74799 (Oct. 31, 2023). This outreach
included the issuance of two sets of market monitoring orders under
CFPA section 1022(c)(4) (described in the proposed rule as the
``Provider Collection'' and ``Aggregator Collection''), and
engagement with CFPB advisory boards and committees.
\17\ See 81 FR 83806 (Nov. 22, 2016). In 2017, the CFPB
published a summary of comments received in response to the RFI and
other stakeholder meetings. See Consumer Fin. Prot. Bureau,
Consumer-authorized financial data sharing and aggregation:
Stakeholder insights that inform the Consumer Protection Principles
(Oct. 18, 2017), <a href="https://www.consumerfinance.gov/data-research/research-reports/consumer-protection-principles-consumer-authorized-financial-data-sharing-and-aggregation/">https://www.consumerfinance.gov/data-research/research-reports/consumer-protection-principles-consumer-authorized-financial-data-sharing-and-aggregation/</a>.
\18\ See Consumer Fin. Prot. Bureau, Bureau Symposium: Consumer
Access to Financial Records: A summary of the proceedings (July
2020), <a href="https://files.consumerfinance.gov/f/documents/cfpb_bureau-symposium-consumer-access-financial-records_report.pdf">https://files.consumerfinance.gov/f/documents/cfpb_bureau-symposium-consumer-access-financial-records_report.pdf</a>.
\19\ See 85 FR 71003 (Nov. 6, 2020).
\20\ Public Law 104-121, 110 Stat. 857 (1996).
\21\ Consumer Fin. Prot. Bureau, Small Business Advisory Review
Panel for Required Rulemaking on Personal Financial Data Rights,
Outline of Proposals and Alternatives under Consideration (Oct. 27,
2022), <a href="https://files.consumerfinance.gov/f/documents/cfpb_data-rights-rulemaking-1033-SBREFA_outline_2022-10.pdf">https://files.consumerfinance.gov/f/documents/cfpb_data-rights-rulemaking-1033-SBREFA_outline_2022-10.pdf</a>.
\22\ The Panel consisted of a representative from the CFPB, the
Chief Counsel for Advocacy of the Small Business Administration, and
a representative from the Office of Information and Regulatory
Affairs in OMB.
\23\ Consumer Fin. Prot. Bureau, Final Report of the Small
Business Review Panel on the CFPB's Proposals and Alternatives Under
Consideration for the Required Rulemaking on Personal Financial Data
Rights (Mar. 30, 2023), <a href="https://files.consumerfinance.gov/f/documents/cfpb_1033-data-rights-rule-sbrefa-panel-report_2023-03.pdf">https://files.consumerfinance.gov/f/documents/cfpb_1033-data-rights-rule-sbrefa-panel-report_2023-03.pdf</a>. As required under the Regulatory Flexibility Act, the CFPB
considered the Panel's findings in its IRFA, as set out in the NPRM.
See 88 FR 74796, 74862 (Oct. 31, 2023). The CFPB considered the
feedback it received from small entity representatives and the
findings and recommendations of the Panel. The CFPB invited other
stakeholders to submit feedback on the SBREFA Outline, which was not
considered by the Panel and is not reflected in the Panel Report.
See <a href="https://www.regulations.gov/document/CFPB-2023-0011-0001/comment">https://www.regulations.gov/document/CFPB-2023-0011-0001/comment</a>.
\24\ This feedback was submitted to the rulemaking docket. See
<a href="https://www.regulations.gov/comment/CFPB-2023-0052-11086">https://www.regulations.gov/comment/CFPB-2023-0052-11086</a> (Community
Bank Advisory Council); <a href="https://www.regulations.gov/comment/CFPB-2023-0052-11087">https://www.regulations.gov/comment/CFPB-2023-0052-11087</a> (Credit Union Advisory Council); <a href="https://www.regulations.gov/comment/CFPB-2023-0052-11088">https://www.regulations.gov/comment/CFPB-2023-0052-11088</a> (Consumer Advisory
Board).
---------------------------------------------------------------------------
[[Page 90842]]
Before and after issuing the proposal, CFPB staff met on numerous
occasions to obtain feedback from staff from the Board of Governors of
the Federal Reserve System, OCC, FDIC, NCUA, and FTC, including on the
subjects in CFPA sections 1022(b)(2)(B) and 1033(e). CFPB staff has
also met with staff from other Federal agencies, including staff from
the USDA, the U.S. Department of the Treasury, the U.S. Department of
Justice, the U.S. Department of Commerce, the Federal Housing Finance
Agency, as well as staff from State agencies.
B. Summary of the Proposed Rule
On October 19, 2023, the CFPB released the notice of proposed
rulemaking for the Required Rulemaking on Personal Financial Data
Rights. The proposal was published in the Federal Register on October
31, 2023, and the public comment period closed on December 29, 2023.
See 88 FR 74796 (Oct. 31, 2023).
Part 1033
The proposal would have implemented CFPA section 1033 by ensuring
consumers and third parties who are authorized to access covered data
on behalf of consumers can access covered data in an electronic form
from data providers. In general, the proposal sought to foster a data
access framework that is safe, by ensuring third parties are acting on
behalf of consumers when accessing their data, including with respect
to consumers' privacy interests; secure, by applying a consistent set
of security standards across the market; reliable, by promoting the
accurate and consistent transmission of data that are usable by
consumers and authorized third parties; and competitive, by promoting
standardization and not entrenching the roles of incumbent data
providers, intermediaries, and third parties whose commercial interests
might not align with the interests of consumers and competition
generally. The proposed rule sought to foster this kind of framework by
direct regulation of practices in the market and by identifying areas
in which fair, open, and inclusive standards can develop to provide
additional guidance to the market. Consistent with the statutory
mandate in CFPA section 1033(d), various provisions in the proposed
rule sought to promote the use and development of standardized formats.
The proposal identified six general objectives to be achieved by its
various provisions.
First, the proposal would have clarified the scope of data access
rights under CFPA section 1033 by defining key terms, establishing
which covered persons would be required to make data available to
consumers, and defining which data would need to be made available to
consumers. Second, the proposal would have established basic standards
for data access by requiring data providers to maintain a consumer
interface for consumers and a developer interface for third parties to
access consumer-authorized data under CFPA section 1033. Data providers
would have been required to make available covered data to authorized
third parties in a standardized format, in a commercially reasonable
manner, without unreasonable access caps, and pursuant to certain
security specifications. In addition, data providers would have had to
follow certain procedures to disclose information about themselves and
their developer interfaces, and to establish and maintain certain
written policies and procedures to ensure compliance with the
provisions of the rule and promote the objectives of CFPA section 1033.
Third, the proposal would have prevented data providers from allowing a
third party to access the system using consumer interface credentials.
This and the proposals described above were intended to transition the
market from screen scraping towards an access method that complies with
CFPA section 1033. Fourth, the proposal would have defined the
mechanics of data access by proposing certain requirements and
clarifications with respect to when a data provider must make available
covered data upon request to consumers and authorized third parties.
Fifth, the proposal sought to ensure third parties are acting on behalf
of consumers through requirements that a third party certify to
consumers that it will only collect, use, and retain the consumer's
data to the extent reasonably necessary to provide the consumer's
requested product or service. The proposed rule also sought to improve
consumers' understanding of third parties' data practices by requiring
a clear and conspicuous authorization disclosure including key facts
about the third party and its practices. Other key protections in the
proposed rule would have included limiting the length of data access
authorizations and requiring deletion of consumer data in many cases
when a consumer's authorization expires or is revoked. Sixth, the
proposal sought to promote fair, open, and inclusive industry standards
by proposing that conformance with ``qualified industry standards''
issued by standard-setting bodies recognized by the CFPB would provide
some indicia of compliance with various rule provisions.
Part 1001
Separately, the proposed rule would have defined financial products
or services under the CFPA in 12 CFR part 1001 to ensure that the
definition includes providing financial data processing. The proposal
explained that this would provide additional assurance that financial
data processing by third parties or others is subject to the CFPA and
its prohibition on unfair, deceptive, and abusive acts or practices.
Comments
The CFPB received approximately 11,120 public comments on the
proposal during the comment period.\25\ Approximately 290 of these
comments were unique, detailed comment letters. These commenters
included data providers and third parties, including banks of different
sizes, credit unions, a variety of nondepository entities, and data
aggregators; \26\ trade associations representing a diverse array of
interests; standard-setting bodies; \27\ consumer advocates; \28\
researchers and a variety of research institutes; members of Congress;
government agencies; law firms; and individual commenters not
affiliated with or representing any organization.
---------------------------------------------------------------------------
\25\ See <a href="https://www.regulations.gov/docket/CFPB-2023-0052/comments">https://www.regulations.gov/docket/CFPB-2023-0052/comments</a>.
\26\ Depending on the context and its activities, a particular
entity might be a data provider, a third party, a data aggregator
acting on behalf of a third party, or some combination thereof. The
description of commenters in this final rule attempts to
characterize the commenter based on the expressed or inferred
capacity in which they provided feedback.
\27\ As used in this final rule, this term refers to nonprofit
entities that described themselves principally as an industry
standard-setting body. The CFPB recognizes, however, that a variety
of other commenters might be involved in standard-setting
activities.
\28\ As used in this final rule, this term refers broadly to all
types of consumer advocates, including privacy advocates and
community groups.
---------------------------------------------------------------------------
In addition, the CFPB considered comments received after the
comment period closed via approximately 60 ex parte submissions and
meetings.\29\ These materials, including all ex parte submissions and
summaries of ex parte meetings, will be available on the public docket
for this rulemaking.\30\
---------------------------------------------------------------------------
\29\ See Consumer Fin. Prot. Bureau, Policy on Ex Parte
Presentations in Rulemaking Proceedings, 82 FR 18687 (Apr. 21,
2017).
\30\ See <a href="https://www.regulations.gov/docket/CFPB-2023-0052">https://www.regulations.gov/docket/CFPB-2023-0052</a>.
---------------------------------------------------------------------------
[[Page 90843]]
The remaining comments included some duplicate submissions (i.e.,
letters with the same content from the same commenter submitted through
multiple channels, or letters with the same content submitted by
multiple people on behalf of the same commenting organization) as well
as comments that appeared to be part of several comment submission
campaigns. Such comment campaigns typically advocated for or against
particular provisions in the proposal and urged additional changes.
These comments were considered by the CFPB along with all other
comments received, including any additional remarks included in
otherwise identical comment letters.
The CFPB received comments on nearly all aspects of the proposed
rule, and on its analyses of the proposed rule's impacts. Relevant
information received via comment letters, as well as ex parte
submissions, is discussed below in subsequent parts of this document,
as applicable. The CFPB considered all the comments it received
regarding the proposal, made certain modifications, and is adopting the
final rule as described in part IV below.
C. 2024 Industry Standard-Setting Final Rule
In June 2024, the CFPB finalized the proposal in part, establishing
attributes a standard-setting body must possess to receive CFPB
recognition for purposes of issuing standards that provide some indicia
of compliance with certain substantive provisions of part 1033, as well
as establishing the application process for CFPB recognition. See 89 FR
49084 (June 11, 2024) (Industry Standard-Setting Final Rule).
III. Legal Authority
A. CFPA Section 1033
CFPA section 1033(a) and (b) provide that, subject to rules
prescribed by the CFPB, a covered person shall make available to a
consumer, upon request, information in the control or possession of the
covered person concerning the consumer financial product or service
that the consumer obtained from such covered person, subject to certain
exceptions. The information must be made available in an electronic
form usable by consumers. Section 1002 of the CFPA defines certain
terms used in CFPA section 1033, including defining ``consumer'' as
``an individual or an agent, trustee, or representative acting on
behalf of an individual.'' In light of these purposes and objectives of
section 1033 and the CFPA generally, the CFPB interprets CFPA section
1033 as authority to establish a framework that ensures data providers
readily make available to consumers and third parties acting on behalf
of consumers (including authorized third parties offering competing
products and services), upon request, covered data in a usable
electronic form. In addition, CFPA section 1033(d) provides that the
CFPB, by rule, shall prescribe standards applicable to covered persons
to promote the development and use of standardized formats for
information, including through the use of machine-readable files, to be
made available to consumers under this section. Moreover, the CFPB
interprets CFPA section 1033 as authority to specify procedures to
ensure third parties are truly acting on behalf of consumers when
accessing covered data. These procedures help ensure the market for
consumer-authorized data operates fairly, transparently, and
competitively.
CFPA section 1033(c) provides that nothing in CFPA section 1033
shall be construed to impose any duty on a covered person to maintain
or keep any information about a consumer. Further, CFPA section 1033(e)
requires that the CFPB consult with the prudential regulators and the
FTC to ensure, to the extent appropriate, that certain objectives are
met.
B. CFPA Sections 1022(b) and 1024(b)(7)
CFPA section 1022(b)(1) authorizes the CFPB to, among other things,
prescribe rules ``as may be necessary or appropriate to enable the
[CFPB] to administer and carry out the purposes and objectives of the
Federal consumer financial laws, and to prevent evasions thereof.'' The
CFPA is a Federal consumer financial law.\31\ Accordingly, in issuing
the proposed rule, the CFPB is exercising its authority under CFPA
section 1022(b) to prescribe rules that carry out the purposes and
objectives of the CFPA and to prevent evasions thereof. This would
include, at least in part, provisions to require covered persons or
service providers to establish and maintain reasonable policies and
procedures, such as those to create and maintain records that
demonstrate compliance with the rule after the applicable compliance
date. CFPA section 1024(b)(7) also grants the CFPB authority to impose
record retention requirements on CFPB-supervised nondepository covered
persons ``for the purposes of facilitating supervision of such persons
and assessing and detecting risks to consumers.''
---------------------------------------------------------------------------
\31\ See 12 U.S.C. 5481(14) (defining ``Federal consumer
financial law'' to include the provisions of the CFPA).
---------------------------------------------------------------------------
C. CFPA Section 1002
Certain provisions of the CFPA, such as its prohibition on unfair,
deceptive, or abusive acts or practices, apply in connection with a
consumer financial product or service. Under CFPA section 1002(5), this
is generally defined as a financial product or service that is
``offered or provided for use by consumers primarily for personal,
family, or household purposes.'' In turn, CFPA section 1002(15) defines
a financial product or service by reference to a number of categories.
In addition, CFPA section 1002(15)(A)(xi)(II) authorizes the CFPB to
issue a regulation to define as a financial product or service, for
purposes of the CFPA, ``such other financial product or service'' that
the CFPB finds is ``permissible for a bank or for a financial holding
company to offer or to provide under any provision of a Federal law or
regulation applicable to a bank or a financial holding company, and
has, or likely will have, a material impact on consumers.'' The CFPB is
exercising this authority in finalizing Sec. 1001.2(b).
IV. Discussion of the Final Rule
12 CFR Part 1033
General Comments Received on the Proposal
High-level and general comments received on the CFPB's proposed
rule to implement CFPA section 1033 are discussed here, followed by a
discussion of comments specifically addressing the rulemaking process,
liability among commercial entities, and overlaps with other consumer
financial laws and CFPB rulemaking activity. Comments received on
specific aspects of the CFPB's proposed rule, as well as regarding the
CFPB's legal authority to adopt specific aspects of the rule, and the
anticipated effects of particular provisions, are discussed in turn in
the sections that follow in this part IV. Comments regarding the CFPB's
analysis of impacts are discussed in parts VI through VIII.
1. High-Level and General Comments on the Proposal
General Support
Most commenters, including data providers, third parties, data
aggregators, trade associations, consumer advocates, and others,
supported the overall goals of the rulemaking articulated in the
proposal. Many commenters supported implementing the data access rights
in CFPA section 1033 to include direct
[[Page 90844]]
consumer and third party access that would allow consumers and
authorized third parties to access data more reliably and securely
compared to current market practices. A research institute commenter
stated that the proposal would assure a robust regime of third party
access with respect to its coverage, while building in flexibility to
allow the regime to evolve along with changes in market standards and
technology.
Many third party commenters, consumer advocates, and others stated
consumer-authorized access would help consumers, including those
underserved by their existing account providers, manage their financial
lives and access new and competing products and services. A community
bank commenter indicated the proposal would help ensure community banks
remain vital in the areas they serve.
Many commenters, including third parties, data providers, consumer
advocates, and others also stated that the rule would generally
increase competition overall by reducing barriers to entry and other
impediments for market participants to compete with incumbent
depository and nondepository institutions. For example, a credit union
commenter stated that the standardization of third party data access
would allow smaller institutions to rely on the same technology as
larger institutions, decreasing incumbents' market power. Other
commenters believed that the proposal's approach to standard-setting
would reduce the influence of incumbents and increase consumers'
bargaining power and access to services offered by different providers.
Some data provider commenters stated that the proposal would support
competition by limiting third party secondary use of consumer-
authorized data and ensuring third parties are subject to a basic
standard for data security.
Some commenters specifically indicated that the rule would have
competitive benefits in certain markets. For example, a trade
association for certain third parties stated that open banking can spur
competition in the payments sector, lowering transaction costs and
mitigating the durable market power of certain incumbents. The
commenter noted that the proposal's prohibition on fees for third party
access would allow cost-sensitive merchants to accept lower-cost
payments.
Commenters also emphasized the benefits of informed consent and
consumer control when sharing data with third parties and the need for
consumer protection in consumer-authorized access. Many data providers,
third parties, consumer advocates, and others also supported the rule's
efforts to protect consumers by enabling them to control their data
effectively. For example, a consumer advocate expressed general support
for the proposal, characterizing it as a strong, protective rule that
would ensure that consumers can share account data free of misuse or
exploitation. This commenter also stated the consumer protections in
the rule should serve as a model for how to safeguard consumer control
and privacy when a consumer grants permission to a business to use
their data.
General Opposition
While many commenters supported the proposal overall, some data
providers, third parties, and others were critical of some or all
aspects of the proposal. A number of data provider commenters,
particularly credit unions and community banks, expressed opposition to
the proposal as a whole, and questioned whether a rule was necessary or
appropriate to achieve the CFPB's stated goals, including with respect
to competition, and questioned the CFPB's legal authority to issue
rules for open banking.
In addition, a wide variety of commenters, including data providers
and third parties, raised what they described as significant concerns
about the costs of the proposal, often with respect to specific
provisions. In particular, data providers were most concerned with
potential compliance costs related to the Fair Credit Reporting Act
(FCRA), 15 U.S.C. 1681 et seq., the costs of providing access to third
parties in compliance with the rule as proposed (including the
prohibition on charging fees for access), the costs associated with
managing third party risk, and how liability would be allocated for
third party breaches or fraud. A number of entities--mainly though not
exclusively third parties that use consumer-authorized data--asserted
that the proposed third party limitation on collection, use, and
retention of covered data would foundationally undermine the rule and
restrict consumers' ability to share their data. A large number of
smaller financial institutions and related trade associations expressed
concern that the proposal would disadvantage small entities.
A variety of commenters suggested that the proposal would undermine
competition in various ways. Some commenters, including research
institutes, third parties, and data providers asserted that the
proposal's coverage was too narrow to support competition. For example,
a data aggregator stated that the proposal's limited coverage of
products and data types would reduce third party innovation, and a
research institute stated that the limited coverage of data providers
would give them an incentive to block data access outside of the rule's
coverage, further limiting third party access to data. A research
institute and a data provider commenter stated that the proposal would
undermine competition by limiting the role of industry standard-setting
bodies that are not recognized by the CFPB.
Some credit union and community bank commenters stated that the
rule as a whole would unfairly force data providers to maintain data
access systems and bear other costs, effectively subsidizing
competition from third parties, particularly as a result of the
proposed fee prohibition for third party data access. Several of these
commenters noted that this result would benefit nondepositories that
are excluded from the data provider definition and would come at the
expense of depository institutions, which would disproportionately
disadvantage credit unions and community banks. Data providers
expressed concern that they would unfairly bear the burden of managing
liability risks presented by nondepository third parties that are not
subject to the same regulatory oversight. Several data provider
commenters expressed concern that third parties would use consumer data
to harm data providers, such as by reverse-engineering sensitive
commercial information. A data aggregator commenter stated that the
proposal would consolidate the market of data aggregators by forcing
data providers to grant access to third parties, ultimately stifling
innovation.
Credit union and community bank commenters also expressed concern
that the proposal would disadvantage them relative to larger and better
resourced data providers. These commenters stated that the proposal
would impose disproportionate and unsustainable costs on smaller data
providers and would force some to exit the market or otherwise
consolidate the banking industry, reducing consumer access to products
and services. A number of commenters stated that smaller depository
institutions that rely on core service providers would be less able to
manage the costs of a prohibition on fees for third party access. One
data provider commenter stated that the proposed rule would force less-
resourced data providers to adhere to standards established by the
largest data providers, which would reduce their profitability. Another
data provider
[[Page 90845]]
commenter stated that forcing some data providers to make data
available to third parties while exempting community banks would put
community banks at a competitive disadvantage relative to large data
providers.
As discussed in part IV.D.4, a variety of third party commenters
expressed concern that the proposed limitation on collection, use, and
retention of covered data would restrict innovation by third parties or
limit the ability of new entrants and providers of new products and
services to provide innovative products. For example, a trade
association representing nondepository institutions argued that the
final rule should allow broader use of covered data for advertising
purposes to support competition, while numerous commenters, including
research institutes and others, expressed concern about the limitation
on use of de-identified data, including for research purposes. Other
commenters argued the proposed limitation on collection, use, and
retention of covered data would not only disadvantage third parties
relative to other market participants, but also reduce the
competitiveness of the U.S. overall. Some commenters also asserted that
the proposed third party obligations, including the limit on
collection, use, and retention of covered data, would put third parties
at a significant competitive disadvantage to data providers that are
unrestricted by the limitations. For example, some commenters stated
that the proposed limitation on a third party's duration of
authorization would disadvantage third parties engaged in payments
relative to incumbents that do not rely on consumer-authorized data.
Some third party commenters also stated that the proposal's allowance
of tokenized account numbers would result in anticompetitive conduct by
data providers.
Several commenters argued that the market for consumer-authorized
data is already competitive and that a rulemaking to increase
competition among data providers, intermediaries, and third parties
would be unnecessary or would yield few benefits. As evidence of the
level of competition in the U.S., commenters noted that third parties
access (or attempt to access) consumer-authorized data more frequently
in the U.S. than in other countries; noted that the market is already
moving toward the use of APIs and away from screen scraping; and
asserted that the market for data provider products and services
(including for credit card and deposit accounts) is robust and provides
high levels of customer service. Some commenters representing community
banks asserted that consumers are not demanding third party data
access, but that community banks would provide it if consumers did
demand it.
Some commenters, particularly community banks and credit unions,
stated that the proposal would not meet its objectives related to
privacy and security for various reasons. Some commenters suggested
this would be the case because of a lack of regular examinations of
third parties. Others took issue more generally with the obligation to
make data available to third parties, which they said would open the
door to fraud and security breaches of personally identifiable data.
Many data providers expressed concern that they would be obligated to
ensure the data security of third parties.
Some data provider and third party commenters also raised concerns
about the CFPB's legal authority for parts of the proposal. Some
commenters also suggested that the CFPB consider consumer data sharing
rules in other jurisdictions in drafting the final rule, but without
clear consensus on what did or did not work in other jurisdictions.
Response to Comments
The CFPB agrees with the general comments about implementing CFPA
section 1033 to ensure data providers not only provide data access to
consumers directly but also provide access for consumers' authorized
third party representatives. As discussed in part III and part IV.C.2,
this aspect of the rule is consistent with the plain language and
objectives of section 1033 and the CFPA more broadly. In addition, the
CFPB agrees that this aspect of the rule will increase opportunities
for both depository and nondepository institutions to provide better
products or services to consumers and enable consumers to manage their
financial lives using data under the control or possession of data
providers.
The CFPB also agrees with commenters that supported the general
approach to third party access. As discussed in part IV.D, the third
party access provisions of the final rule are designed to ensure,
consistent with carrying out the objectives of CFPA section 1033, that
consumers provide informed consent to third parties that access covered
data pursuant to the final rule's framework, that consumers retain
control over third parties' access, and that third parties act on
behalf of consumers when collecting, using, and retaining covered data.
With respect to comments opposing the proposal, including due to
concerns about the impact on competition, the final rule carries out
Congress' objectives in CFPA section 1033(a) and the mandate at CFPA
section 1033(d) to prescribe standards to promote the development and
use of standardized formats. As discussed further in part IV.D.1,
Congress intended for consumers to be able to authorize third parties
to access data under the statute on their behalf. Congress also
directed the CFPB to prescribe standards to promote the development and
use of standardized formats of information. The final rule carries out
those objectives. For more discussion on the costs and benefits of the
final rule, including impacts on competition, see parts VI and VII
below.
The final rule will help ensure that markets for consumer financial
products and services are competitive overall. Consumers will have even
greater ability to take advantage of the many products or services
already available, and data providers will have stronger incentives to
enhance their products and services to retain their customers. The CFPB
disagrees with arguments that consumers are not interested in third
party data access, and notes that many consumers of institutions both
large and small share data with third parties. But even where data
providers already make data available voluntarily, the CFPB has
determined the rulemaking is needed to address the challenges that have
arisen in open banking, as discussed in the proposal. See 88 FR 74796,
74798-99 (Oct. 31, 2023).
As discussed further in part IV.A.3, the CFPB has determined it is
appropriate to implement the product coverage of CFPA section 1033 in a
staged manner. With respect to concerns about data provider incentives
to block screen scraping, those incentives exist independent of the
final rule. As safer forms of data access become functional, the CFPB
expects that parties will move away from screen scraping. However, as
discussed further in part IV.C.3, data providers must exercise caution
when blocking screen scraping outside the rule's coverage.
With respect to the impact on the market for data aggregation, in
the current market, and in the absence of implementing CFPA section
1033, open banking activity has already consolidated to data
aggregators for the reasons discussed in the proposal. See 88 FR 74796,
74798-99 (Oct. 31, 2023). The impact of the rule on the value of
intermediation arises from carrying out congressional intent to make
consumer data more portable, including as a result of the
interoperability objective inherent in CFPA section 1033(d)'s mandate
to
[[Page 90846]]
promote standardized formats. Additionally, whether an authorized third
party relies on an aggregator is a business decision of the authorized
third party. The final rule will reduce costs for authorized third
parties generally, including the cost of using an aggregator, and
should make it easier to access data directly from data providers over
time, due to various aspects of the final rule including the
requirements related to standardized formats, the prohibition on fees,
and the rule's recognition of industry standard-setting as an important
aspect of an effective and efficient open banking system.
With respect to concerns about competitive disadvantages for
smaller data providers, the CFPB is not finalizing the rule with
respect to depository institutions under the coverage threshold at
Sec. 1033.111(d) and is providing smaller data providers that are
covered additional time to comply, as discussed in part IV.A.5. The
rule also presents opportunities for small data providers to better
compete by offering products and services to a wider range of
consumers. One commenter expressed concern that excluding smaller data
providers would disadvantage small data providers relative to large
data providers that continued to have the obligation, but for which
they would not offer developer interfaces. The CFPB disagrees with this
premise and notes that many large data providers are already offering
developer interfaces and that small data providers can participate in
open banking voluntarily.
Some commenters expressed concern that the rule would force small
data providers to rely on standards developed by large data providers
with more resources. During the SBREFA process, the CFPB received
feedback that standardization can reduce costs for small entities,
including data providers and third parties.\32\ Consistent with the
mandate in CFPA section 1033(d), the final rule includes various
provisions to promote the development and use of standardized data
formats. Further, consensus standards (discussed in part IV.A.6 below)
that can serve as indicia of compliance with various rule provisions,
must be issued by a recognized standard setter that demonstrates
balance, as discussed further in the Industry Standard-Setting Final
Rule.
---------------------------------------------------------------------------
\32\ See, e.g., SBREFA Panel Report at 28, 44.
---------------------------------------------------------------------------
With respect to commenters that expressed concerns about
obligations for authorized third parties, including the limitation on
third party collection, use, and retention of covered data, the CFPB
notes that those provisions ensure that consumers provide express
informed consent to third parties that access covered data, that
consumers retain control over third parties' access, and that third
parties act on behalf of consumers when accessing covered data. The
CFPB's responses to commenter concerns related to the third party
authorization procedures and obligations are discussed below in part
IV.D. Further, and as discussed in part IV.D.4, the CFPB disagrees with
commenters' assertions that the rule would competitively disadvantage
third parties relative to data providers. Data providers and third
parties may use data that result from direct consumer relationships
without adhering to the third party authorization procedures and
obligations, and the final rule also does not treat covered data
providers differently than other third parties when they act as
authorized third parties themselves. With respect to comments about the
competitiveness of the U.S. generally, the purpose of this rule is to
ensure that third parties are acting on behalf of consumers. With
respect to comments about third party oversight and data security, see
the discussion below in part IV.3, IV.5, IV.C.4-5, and IV.D.4.
2. Comments Regarding the Rulemaking Process
The CFPB issued the proposed rule on its website on October 19,
2023, and published it in the Federal Register on October 31, 2023,
with comments due by December 29, 2023. Some commenters asserted that
the CFPB's comment period should have been longer. One commenter
disagreed and suggested that requests to extend the comment period were
pretextual efforts to delay implementation.
The Administrative Procedure Act does not specify a particular
period of time for a public comment period,\33\ and the comment period
in this rulemaking was sufficient. This is illustrated by, among other
things, the many detailed comments the CFPB received from stakeholders
of all types, sizes, and viewpoints. Additionally, as noted above in
part II, the CFPB has engaged in extensive public outreach since 2016
related to consumer-authorized data sharing, including through an RFI,
an ANPR, and the SBREFA process. The CFPB also has taken various steps
in response to the specific concerns raised with respect to the
substantive provisions of the proposal. In particular, as discussed in
part IV.A.4, the CFPB has determined to not finalize the rule with
respect to small depository institution data providers.
---------------------------------------------------------------------------
\33\ See 5 U.S.C. 553(c).
---------------------------------------------------------------------------
3. Comments Regarding Liability Among Commercial Entities
Comments Received
Many commenters addressed the general topic of liability. A number
of data provider commenters, academic researchers, and research
institute commenters predicted that the final rule would increase the
volume of sensitive financial data accessed by third parties,
particularly sensitive information to initiate a payment (under
proposed Sec. 1033.211(c)), which they viewed as increasing the risk
of unauthorized transactions or other harms arising from the compromise
of a data provider's or third party's information systems, such as the
risk of inaccurate data transmission. A number of data provider
commenters noted that consumers might seek to hold data providers
responsible for damages, or that data providers would face increased
costs related to reimbursing consumers for a third party having
fraudulently induced the consumer's authorization to access covered
data. These commenters expressed concern that this would subject data
providers to losses arising from liability and other compliance
obligations, such as costs due to Regulation E and Z error
investigations, preventing monetary losses to accounts, seeking
reimbursement from third parties, and safety and soundness standards.
Commenters also noted other laws, including State laws, related to
``fraud,'' ``negligence,'' ``privacy,'' ``identity theft,'' and ``data
security,'' but did not otherwise identify sources of liability.
Several commenters also raised questions about the applicability of the
FCRA, which are described separately below in part IV.4.
Many data provider commenters asserted that the proposal had not
accounted for data providers' potential exposure to liability-related
costs or ensured third parties had incentives to manage liability and
otherwise demonstrate capacity to cover losses directly caused by third
parties. Some of these commenters stated that the proposal had
incorrectly assumed that liability could be allocated adequately
through private agreements (including private payment network rules and
bilateral contracts), the Electronic Fund Transfer Act (EFTA), 15
U.S.C. 1691 et seq., the Truth in Lending Act (TILA), 15 U.S.C. 1601 et
seq., and their implementing regulations. Commenters generally
suggested the CFPB address liability by mandating a comprehensive
approach to assigning liability or safe
[[Page 90847]]
harbors for data providers, clarifying the role of bilateral data
access agreements to allocate liability, or taking other steps to reduce
harms that might create liability risk. By contrast, a trade
association representing third parties and a data aggregator stated
that the liability allocation under EFTA and TILA, combined with the
third party data security and privacy obligations under the proposal,
would be adequate to address liability concerns, although these
commenters also expressed concern about relying on bilateral contracts
to allocate liability. One commenter stated that liability should flow
with the data, but that data providers and authorized third parties
should be permitted to allocate liability amongst themselves by
contract.
In particular, a data provider commenter expressed criticisms of
private network rules, stating that they do not give data providers
sufficient ability to recoup losses among multiple third parties, some
of which might not be financially viable or be downstream of the
authorized third party and outside of contractual privity; they do not
provide for a clear liability framework or sufficient fraud or data
security protections for higher-risk ``pay-by-bank'' transactions; and
they do not fully address the costs of error investigations or other
customer service particularly where consumers expect data providers to
make them whole following a data breach.
With respect to bilateral contracts, several data provider and
third party commenters stated that they are costly to negotiate and
enforce (including against third parties that might not be financially
viable), would result in uneven liability allocations across the
market, and would generally protect the interests of the largest data
providers. Several third party commenters also expressed concern that
they might include unnecessary terms based on an overbroad
interpretation of third party risk management obligations or be used to
deny access pretextually.
Data provider commenters also asserted that third party compliance
with GLBA Safeguards Framework, as contemplated under the proposal,
would be insufficient to protect consumers or data providers from
liability risk because third parties would lack incentives to manage
their data security if they were not financially liable for their
conduct, and because they are not subject to supervision. A consumer
advocate commenter also stated that clear expectations for liability
would provide third parties greater incentive to manage data security
risks.
To address these concerns, a wide range of data provider
commenters, a trade association representing third parties, an academic
researcher, and a consumer advocate recommended that the regulatory
text include a comprehensive liability-allocation provision for any
losses arising from the third party's misuse of a consumer's payment
credentials to conduct a fraudulent transaction, losses arising from
the unauthorized access of payment credentials due to a data breach, or
other losses arising from harms occurring from data in that party's
possession. Several data provider commenters and academic researcher
commenters noted that other open banking regimes around the world take
a similar approach. One trade association noted that, while liability
is traditionally determined based on which party has possession of the
data, the rule does not indicate that this is the case. Other data
provider commenters, including a number of credit union commenters,
recommended that the final rule establish a ``safe harbor'' for data
providers required to make data available under the final rule that
protects the data provider from claims from consumers and third
parties. Some commenters presented different versions of such an
approach, such as by conditioning the absence of liability on whether
the data provider had actual knowledge of the third party's data
security risk, or the third party making representations about its data
security practices, or on the third party's possession of a
certification or credential.
While some data provider and third party commenters expressed
concern with reliance on bilateral data access agreements to allocate
liability, some of these data provider commenters stated that they
could be used to address liability concerns. Several data provider
commenters recommended that the final rule address liability by
clarifying that data providers are not precluded from exercising
discretion to comply with prudential safety and soundness obligations,
including third party risk management expectations. Several of these
commenters recommended that data providers be permitted to deny third
parties, including data aggregators, access to a developer interface if
they did not accept contractual terms related to liability, such as
indemnification and insurance obligations. Several data provider
commenters and related trade associations recommended that third
parties be required to have or certify that they have adequate capital
or insurance to cover losses. However, a data aggregator commenter
stated that the rule should affirm the adequacy of the existing
liability framework under EFTA and Regulation E and TILA and Regulation
Z to help limit liability disputes during negotiations of bilateral
data access agreements. Comments related to the role of such agreements
in managing third party risk are discussed in greater detail in part
IV.C.4 below.
Data provider commenters also recommended that the rule address
liability by subjecting third parties to additional data security
obligations, such as the FFIEC information security handbook applicable
to depository institutions (discussed further below in part IV.D) or
CFPB supervision. A research institute commenter also supported
clarifying the CFPB's intent to supervise third parties as a way to
reduce concerns related to liability.
A data provider commenter requested that the final rule clarify
whether the data provider has any liability in the context of specific
provisions of the proposal: (1) if a third party collects more
information than is necessary to offer a specific product or service;
and (2) if a data breach occurs because an authorized third party does
not delete data after a consumer revokes its authorization or does not
timely communicate the revocation to a data aggregator.
Response to Comments
The CFPB has determined it would not be appropriate for this rule
to impose a comprehensive approach to assigning liability among
commercial entities or safe harbors from the requirements of EFTA and
Regulation E or TILA and Regulation Z. The ability of payees to
initiate electronic payments has existed for decades and the Regulation
E concerns raised by commenters are not specific to CFPA section 1033.
Although this rule facilitates sharing of payment initiation
information with third parties so that they can initiate electronic
payments, the rule does not require account write access or otherwise
require payment initiation. Applicable payment authorization
requirements continue to separately apply. As noted in the proposal,
consumers have a statutory right under EFTA to resolve errors through
their financial institution, while private network rules, contracts,
and other laws address which payment market participant is ultimately
liable for unauthorized transfers and other payment errors. As
discussed further below, the U.S. payment system allows non-bank payees
to initiate payments through their depository institution, and those
partner depository institutions
[[Page 90848]]
also bear responsibility for who is allowed to access the payment
networks.
The CFPB is aware that it is common for non-bank payees, such as
utility companies, charities, non-bank lenders, community
organizations, and other billers, to initiate payments through their
depository institution. The payee's depository institution, referred to
as an originating depository financial institution in the context of
ACH payments, is responsible for ensuring that any payments it
initiates on the payee's behalf are correct and authorized, as they are
subject to private network rules and safety and soundness requirements
related to risk management.\34\ Data providers that are Regulation E
financial institutions will continue to have error resolution
obligations for transfers initiated using payment information shared
under this rule, just as they do today when a consumer shares
information with a payee or a consumer's payment credentials are
compromised, and can seek reimbursement from an originating depository
financial institution according to private network rules, contracts,
and commercial law. For example, although a consumer's financial
institution is required to reimburse the consumer for an unauthorized
transfer under Regulation E, ACH private network rules generally
dictate that the receiving depository financial institution is entitled
to reimbursement from the originating depository financial institution
that initiated the unauthorized payment. Similarly, data providers that
are Regulation Z credit card issuers will continue to have error
resolution obligations under TILA. Commenters did not identify a
plausible method through which the proposal would increase the risk of
credit card fraud. The final rule does not require data providers to
make available credit card payment information. For both Regulation E
accounts and Regulation Z credit cards, because the final rule only
requires data providers to share information and does not require that
they allow third parties to initiate payments using that information,
any costs arising from error investigations and the recoupment of
losses by data providers are a function of how private network rules
operate. The final rule does not impinge on such private arrangements.
---------------------------------------------------------------------------
\34\ See, e.g., OCC Bulletin 2006-39, Automated Clearing House
Activities: Risk Management Guidance (Sept. 1, 2006), <a href="https://www.occ.gov/news-issuances/bulletins/2006/bulletin-2006-39.html">https://www.occ.gov/news-issuances/bulletins/2006/bulletin-2006-39.html</a>;
NACHA Operating Rules Section 2.2: Warranties and Liabilities of
Originating Depository Financial Institutions; NACHA Operating Rules
Subsection 2.2.3 Liability for Breach of Warranty (``Each ODFI
breaching any of the preceding warranties shall indemnify each RDFI,
ACH Operator, and Association from and against any and all claim,
demand, loss, liability, or expense, including attorney's fees and
costs, that result directly or indirectly from the breach of
warranty or the debiting or crediting of the entry to the Receiver's
account. This indemnity includes, without limitation, any claim,
demand, loss, liability, or expense based on the ground that the
debiting of an entry to an account resulted, either directly or
indirectly, in the return of one or more items or entries of the
Receiver due to insufficient funds. This indemnity also includes, in
the case of a Consumer Account, without limitation, any claim,
demand, loss, liability, or expense based on the ground that the
failure of the ODFI to comply with any provision of these rules
resulted, either directly or indirectly, in the violation by an RDFI
of the Federal Electronic Fund Transfer Act or Federal Reserve Board
Regulation E.'').
---------------------------------------------------------------------------
Commenters suggested that consumer-authorized data sharing may
create risks to consumers and financial costs to financial institutions
arising from an increased risk of unauthorized transactions and other
errors, especially when data access relies on screen scraping. In
implementing CFPA section 1033, the CFPB is finalizing a variety of
measures to mitigate unauthorized transfer and privacy risks to data
providers and consumers, including allowing data providers to share
TANs; not allowing data providers to rely on credential-based screen
scraping to satisfy their obligations under CFPA section 1033;
clarifying that data providers can engage in reasonable risk management
activities; implementing authorization procedures for third parties
that would require they commit to data access, use, and retention
limitations; implementing policies and procedures regarding data
accuracy; and requiring compliance with the GLBA Safeguards Framework.
These provisions are intended to drive market adoption of safer data
sharing practices. With respect to commenters' suggestions to reduce
costs associated with liability through data access agreements or other
conditions for third parties attempting to access consumer data, see
parts IV.C.4 and IV.D.4. With respect to the suggestion that authorized
third parties certify to consumers as to capital adequacy or insurance,
see part IV.D.1 for discussion of comments.
Finally, the CFPB does not believe it would be appropriate to
attempt to establish a comprehensive approach to addressing liability
(including through safe harbors) for laws it does not administer, such
as State laws dealing with data security, privacy, identity theft,
negligence, and fraud. The extent of data providers' liability for
failure to comply with their obligations under this final rule is
provided for under the CFPA.
The CFPB also notes that commenters did not provide legal analysis
or factual evidence about the likelihood that data providers would
actually incur legal liability under these laws when consumers request,
or Federal law requires, they make data available to a third party that
subsequently misuses or mishandles the data. While some commenters
stated that consumers would be likely to seek to recoup from the data
provider losses arising from third party conduct, it is not clear to
what extent that is likely to occur when losses arise from a third
party to which the consumer requested the data provider make
information available. To the contrary, a trade association commenter
indicated that liability typically resides with the party that
experiences a data breach. Nor did commenters provide evidence of the
extent to which data providers actually defend against claims of such
liability, despite data providers' long-standing practice of consumer-
authorized third party data sharing. To the extent there are complex
factual or legal questions about a data provider's liability for
directly contributing to consumer harm, commenters did not identify
particular scenarios, and the CFPB does not believe it would be
appropriate to make statements about a data provider's liability in
this final rule. As an additional and independent reason, commenters
did not identify the legal authority the CFPB could rely on to modify
laws it does not administer.
4. Comments Regarding Potential Overlaps With Other Consumer Financial
Laws and CFPB Rulemaking Activity
Electronic Fund Transfer Act and Regulation E
Comments
In addition to the liability comments discussed above, some data
provider commenters specifically commented on the applicability of EFTA
and Regulation E. Some data provider commenters asked the CFPB to apply
Regulation E error investigation requirements to all third parties. A
few data provider commenters stated that the CFPB should clarify that
data aggregators are Regulation E service providers, asserting that the
data aggregator is in the best position to control for risks related to
the transactions it permits a consumer to conduct through its system. A
trade association representing data providers asked the CFPB to clarify
that a data access agreement between an aggregator and data provider is
an ``agreement'' for purposes of the Regulation E service
[[Page 90849]]
provider provision. A data provider commenter asked the CFPB to clarify
that, if a third party is a Regulation E financial institution, such as
a digital wallet provider that obtains permissioned data access under
CFPA section 1033, it would have error resolution responsibilities for
payments initiated using data obtained from the developer interface and
that such digital wallet providers should be required to provide their
contact information to consumers.
Response to Comments
The CFPB has determined that it is not appropriate or practical to
deny consumers their statutory right to resolve errors through their
financial institution and this final rule does not change such rights
under EFTA and Regulation E. The Regulation E definition of financial
institution means a bank, savings association, credit union, or any
other person that directly or indirectly holds an account belonging to
a consumer, or that issues an access device and agrees with a consumer
to provide electronic fund transfer services.\35\ The CFPB declines to
expand the scope of the Regulation E service provider provision to data
aggregators, because doing so would limit consumers' ability to resolve
errors and unauthorized transactions through their account-holding
financial institution. Whether a given entity is a service provider for
a given electronic fund transfer will depend on the relationship
between the entities involved in making that individual transfer, not
whether the payee used payment credentials shared under this final rule
to initiate the payment. Negating a consumer's statutory right to go to
their financial institution to resolve errors also would result in an
illogical and harmful error resolution regime. From the consumer's
perspective, they may not know whether an error is related to data that
was shared under CFPA section 1033. The CFPB is aware that some
financial institutions attempted to have consumers enter into
agreements to waive EFTA rights in situations where they shared account
credentials or other information with a third party, even though such
agreements violated the EFTA anti-waiver provision in 15 U.S.C.
1693l.\36\ It was unclear at the time how exactly the depository
institutions intended to enforce this waiver language. One concern was
that it would be used to deny all Regulation E error resolutions rights
to consumers who had shared any information with a data aggregator,
even if the financial institution did not know whether the error was
related to that shared information. It also would be burdensome and
likely infeasible for the consumer to sort out when they should go to
their financial institution for help versus a third party versus
another entity for a transaction that they do not recognize.
---------------------------------------------------------------------------
\35\ 12 CFR 1005.2(i).
\36\ See Consumer Fin. Prot. Bureau, Regulation E FAQs, Error
Resolution: Unauthorized EFTs #8, <a href="https://www.consumerfinance.gov/compliance/compliance-resources/deposit-accounts-resources/electronic-fund-transfers/electronic-fund-transfers-faqs/">https://www.consumerfinance.gov/compliance/compliance-resources/deposit-accounts-resources/electronic-fund-transfers/electronic-fund-transfers-faqs/</a> (last
updated June 4, 2021).
---------------------------------------------------------------------------
Data providers and third parties that are Regulation E financial
institutions--including digital wallet providers, person-to-person
payment providers, entities that refer to themselves as neobanks, and
traditional depository institutions--have and will continue to have
error resolution obligations in the event of a data breach where stolen
account or ACH credentials are used to initiate an unauthorized
transfer from a consumer's account and the consumer provides proper
notice. These error resolution obligations include requirements on the
financial institution to provide consumers with the financial
institution's contact information.
Fair Credit Reporting Act and Regulation V
The proposal noted that a third party engaged in data aggregation
activities could be a consumer reporting agency under the FCRA if it
met the elements of the FCRA's definition of ``consumer reporting
agency.''
Comments
Some commenters addressed the applicability of the FCRA. Many data
providers and data provider trade association commenters stated that
the final rule should provide that data providers are not furnishers
when they provide data pursuant to consumer authorization. These
commenters asserted that the compliance burden of being a furnisher is
significant and could overwhelm smaller financial institutions. They
also argued that, unlike traditional furnishing, data providers sharing
data under CFPA section 1033 are simply facilitating consumers'
requests to access their data.
Other commenters, primarily data aggregators, stated that data
aggregators should not be considered consumer reporting agencies when
they transfer data pursuant to consumer authorization. These commenters
argued that consumer-authorized data sharing is different from the
provision of consumer reports because consumers have control over the
sharing of their data, because data aggregators act as mere conduits
for transmission of the data, and because consumers have direct
relationships with data aggregators. One data aggregator commenter
predicted that if data aggregators could be consumer reporting
agencies, then data providers that are FCRA-covered furnishers would
deny access unless the aggregators agreed to data access agreements
with terms related to indemnification for FCRA liability. A third party
trade association commenter contended that data providers that are
FCRA-covered furnishers could deny access to data aggregators in the
absence of a data access agreement. Other commenters stated that
treating data aggregators as consumer reporting agencies would result
in unintended consequences. For example, a third party trade
association commenter asserted that compliance with the FCRA could
require data aggregators to access and retain more data than they do
currently. And a data aggregator commenter stated that consumers might
be confused if they attempt to correct the accuracy of any information
transferred by a data aggregator, because data aggregators do not hold
the underlying data; therefore, the data held by the data aggregator
may differ from the versions held by the data provider and other third
parties.
Some commenters requested that the final rule exclude FCRA-covered
entities and data from the rule's coverage. Several consumer reporting
agency commenters and a consumer reporting agency trade association
commenter asserted that consumer reporting agencies should be excluded
from coverage because they are already subject to extensive regulation
under the FCRA. A data aggregator commenter suggested that the CFPB
rely on existing authorities and not impose new regulations on the
collection, use, and retention of covered data where such collection,
use, and retention may be addressed by other laws, such as the FCRA.
And a consumer reporting agency commenter stated that consumer reports
should be excluded from the definition of ``covered data'' because
otherwise the limited purposes that authorize consumer reporting
agencies to share consumer reports might conflict with the purposes for
which consumers might authorize sharing of their covered data. The
consumer reporting agency trade association commenter stated that the
proposed limitations on use and retention of covered data might
complicate FCRA compliance by entities offering products that rely on
indefinite consumer authorization, including products that allow
[[Page 90850]]
consumers to self-report rental and utility payment information to
their credit file to enhance their credit histories. Data aggregator
commenters and a third party trade association commenter claimed that
the FCRA's framework is complex and confusing when applied in the
context of consumer-authorized data access. And a data aggregator
commenter asserted that the proposed rule's consumer protections would
be more appropriate for consumer-authorized data access than FCRA
requirements.
Several commenters raised questions about the intersection of the
final rule and the FCRA, including the extent of overlap, duplication,
or conflict between the final rule and the FCRA. These commenters asked
for clarification on various specific questions, including: which
activities would make a data provider an FCRA-covered furnisher; which
use limitation standard applies if consumer-authorized data are subject
to both the final rule and the FCRA; which activities would make a data
aggregator a consumer reporting agency; whether data aggregators that
are consumer reporting agencies would have to provide consumer reports
to consumers at their request; how data aggregators that are consumer
reporting agencies would comply with their FCRA dispute obligations if
data providers are not FCRA-covered furnishers; how data aggregators
that are consumer reporting agencies could maintain accurate consumer
reports given the proposed limits on retention; which uses of covered
data constitute permissible purposes under the FCRA; whether third
parties can be both data aggregators under the final rule and consumer
reporting agencies under the FCRA; whether financial institutions may
combine disclosures and consent forms required by the final rule and
the FCRA; whether specialty consumer reporting agencies may collect and
retain consumer-authorized transaction data to comply with the FCRA;
and whether information from de-identified consumer reports used for
research purposes could also be covered data subject to the proposed
restrictions on secondary use.
Finally, some commenters stated that the CFPB should coordinate the
FCRA and Personal Financial Data Rights rulemakings.\37\ A bank trade
association and credit union trade association stated that until one of
these rules had been finalized, they could not fully understand the
impacts of one rule on the other. A data provider/third party trade
association commenter suggested pausing the FCRA rulemaking until the
Personal Financial Data Rights rulemaking is finalized to fully
understand each rule's impact. A consumer reporting agency commenter,
an industry trade association commenter, and a financial holding
company commenter requested that the Personal Financial Data Rights
final rule be issued before the FCRA proposed rule. The industry trade
association commenter and financial holding company commenter asserted
that concurrent rulemaking adversely impacts the public's ability to
meaningfully comment on each proposal. A bank trade association
commenter recommended postponing compliance with this final rule until
after an FCRA rule is finalized, while a data aggregator commenter
asked the CFPB to wait until after this rule is finalized to address
the applicability of the FCRA to data aggregators. And a research
institute commenter suggested that certain definitions, such as those
relating to data aggregators and FCRA-covered furnishers, be harmonized
between the final rule and the FCRA rulemaking.
---------------------------------------------------------------------------
\37\ The CFPB assumes commenters were contemplating an FCRA
rulemaking with a scope similar to what was described in the CFPB's
FCRA 2023 SBREFA Outline, which included proposals under
consideration related to data broker activities and medical debt
information. See Consumer Fin. Prot. Bureau, Small Business Advisory
Review Panel for Consumer Reporting Rulemaking Outline of Proposals
and Alternatives Under Consideration (Sept. 15, 2023), <a href="https://files.consumerfinance.gov/f/documents/cfpb_consumer-reporting-rule-sbrefa_outline-of-proposals.pdf">https://files.consumerfinance.gov/f/documents/cfpb_consumer-reporting-rule-sbrefa_outline-of-proposals.pdf</a>.
---------------------------------------------------------------------------
Response to Comments
As an initial matter, the CFPB has determined that this final rule
does not affect a person's obligations or duties under the FCRA. The
final rule does not alter the types of data, parties, or permissible
purposes covered by the FCRA. Because the final rule does not change
substantive requirements under the FCRA or Regulation V, the commenters
that raised questions about the intersection of the FCRA with CFPA
section 1033 and how to comply with FCRA obligations and duties must
look to the FCRA and Regulation V to determine how to comply with a
particular FCRA requirement. For example, whether a third party, such
as a data aggregator, is a consumer reporting agency under the FCRA
depends on whether the third party falls within the definition of
``consumer reporting agency'' in the FCRA.\38\ Similarly, whether a
certain use of covered data constitutes a permissible purpose is
determined by looking to the FCRA.\39\ This is true with respect to any
question about what a person subject to this final rule must do to
comply with the FCRA and Regulation V.
---------------------------------------------------------------------------
\38\ See 15 U.S.C. 1681a(f) (defining consumer reporting
agency).
\39\ See 15 U.S.C. 1681b (identifying permissible purposes).
---------------------------------------------------------------------------
The CFPB also has determined that the requirements of this final
rule are not inconsistent with the FCRA or Regulation V. Some
commenters noted that certain uses of data might be permitted by the
FCRA but not authorized by the Personal Financial Data Rights rule as
proposed. Compliance with this final rule does not, however, require a
person to violate the FCRA or Regulation V. Therefore, a person that is
subject to this final rule and the FCRA/Regulation V must comply with
both. This is no different than for any person who is subject to
several overlapping laws and regulations. For example, a third party
may have to contemporaneously provide disclosures relating to
Regulation E accounts, Regulation Z credit cards, and the GLBA and
Regulation P. When applicable, a third party subject to all these laws
must satisfy their respective requirements. Complying with CFPA section
1033 and the final rule is no different. Thus, it is unnecessary to
exclude certain parties, such as consumer reporting agencies, or FCRA-
covered uses from the rule's coverage.
The CFPB also received comments about whether data providers are
furnishers under the FCRA. The CFPB would not consider data providers
under this final rule to be furnishers solely by virtue of permitting
data access pursuant to an authorization that is consistent with the
final rule. This is the case even assuming data are provided to a data
aggregator that qualifies as a consumer reporting agency. In these
unique circumstances, the consumer, and not the data provider, would be
the party that is furnishing data to the consumer reporting agency.
This is the case because of a particular combination of circumstances,
including that the data are only shared with the aggregator after the
data provider is asked to do so by the consumer; the data are shared
pursuant to a written authorization designed to ensure that the
consumer has meaningful control of the uses of the specific data that
are shared; the data are further protected by use restrictions to
ensure they continue to be used for the benefit of the consumer; and
the data provider is not exercising its own agency or control or
benefiting from the arrangement, but rather is simply
[[Page 90851]]
facilitating the consumer's decision to furnish.\40\
---------------------------------------------------------------------------
\40\ See, e.g., 12 CFR 1022.41(c)(3) (Under the Furnisher Rule
in Regulation V, when the consumer furnishes information to a CRA
about themselves, the consumer is not considered a ``furnisher.'').
---------------------------------------------------------------------------
The CFPB received comments seeking clarification about whether data
aggregators are consumer reporting agencies under the FCRA. However,
this final rule does not cause data aggregators to incur legal
liability under the FCRA that they would not otherwise assume through
their ordinary operations. Addressing this topic is not necessary to
finalize this rulemaking because whether a data aggregator is a
consumer reporting agency under the FCRA requires a fact-specific
inquiry of considerations beyond the scope of this final rule. Data
aggregators may engage in a variety of activities and have multiple
business models, and whether a data aggregator is a consumer reporting
agency will depend on the satisfaction of all components of the
statutory definition in the FCRA--a determination not affected by this
final rule.
The CFPB disagrees that the sequencing of the Personal Financial
Data Rights and FCRA rulemakings adversely impacted the public's
ability to comment on the Personal Financial Data Rights proposed rule.
After issuing the Personal Financial Data Rights proposed rule, the
CFPB published a proposed rule regarding medical information under the
FCRA. See 89 FR 51682 (June 18, 2024) (Medical Debt Proposed Rule). The
Medical Debt Proposed Rule would remove a regulatory exception in
Regulation V from the limitation in the FCRA on creditors obtaining or
using information on medical debts for credit eligibility
determinations and would limit the circumstances under which consumer
reporting agencies are permitted to furnish consumer reports containing
medical debt information to creditors when making credit eligibility
determinations. The CFPB is also engaged in a rulemaking focused on
data broker activities (Data Broker Rulemaking).
With respect to the sequencing of the Personal Financial Data
Rights and the Medical Debt and Data Broker rulemakings, the fact that
this final rule does not change what a person would need to do to
comply with its existing obligations under the FCRA means that
completing the Medical Debt and Data Broker rulemakings is not
necessary to finalize this rulemaking. The CFPB will consider feedback
received in the course of the Medical Debt and Data Broker rulemakings,
evaluate the further steps it may take in those rulemakings, and will
respond to comments as appropriate.
The CFPB acknowledges that the potential applicability of the FCRA
to uses of covered data under the final rule presents operational
complexity, and the CFPB is taking steps to coordinate the final rule
with the ongoing FCRA rulemakings. As described in part IV.A.5, the
CFPB is substantially revising the compliance deadlines for data
providers under the final rule. The CFPB has determined that the
extension of the compliance deadlines strikes the appropriate balance
between carrying out the objectives of the statute while also providing
an entity covered by the final rule with more time to work through
these operational challenges and understand the entity's compliance
obligations under the final rule in light of the FCRA.
Gramm-Leach-Bliley Act and Regulation P
A few commenters addressed the general applicability of the GLBA
and Regulation P, 12 CFR part 1016. Several commenters asked for
clarity about how financial institutions should comply when data are
subject to both the GLBA and the Personal Financial Data Rights rule.
For example, a bank commenter and a bank trade association commenter
asked which use limitation standard would apply. A third party
commenter suggested that the CFPB rely on existing authorities and not
impose new regulations on the collection, use, and retention of covered
data where the collection, use, and retention of the data may be
addressed by other laws, including the GLBA. A research institute
commenter asserted that consumers might be confused if they received
multiple disclosures.
Response to Comments
The CFPB has determined that the final rule does not affect a
person's obligations or duties under the GLBA. In addition, the CFPB
has determined that the final rule is not inconsistent with the GLBA or
Regulation P. As with the FCRA, some commenters sought clarification
about how a person would comply when data are subject to the GLBA and
CFPA section 1033, including whether the limitations on collection,
use, and retention of data under the final rule would apply where such
limitations are not imposed under the GLBA and Regulation P. While the
GLBA and Regulation P may permit some uses of information that may not
be permitted under the final rule, compliance with the final rule does
not require a person to violate the GLBA or Regulation P. Moreover, the
CFPB expects that a person covered by the final rule is experienced
with managing the respective requirements of applicable State and
Federal laws, including the implementation of overlapping disclosure
requirements.
Other commenters raised broader issues. For example, a data
aggregator commenter suggested that the CFPB should encourage Congress
to amend GLBA or pass a Federal data privacy law. This commenter also
suggested that the CFPB undertake a GLBA rulemaking. These comments are
outside the scope of this rulemaking.
The CFPB declines to rely on existing legal frameworks, including
the GLBA and Regulation P, to regulate consumer privacy. The purposes
and objectives of CFPA section 1033, which are described in part III.A,
differ in certain respects from the purposes and objectives of other
laws (such as the GLBA). The requirements set forth in the final rule
are better suited to the open banking context, and could not be
substituted by applying existing authorities to consumer-authorized
access of covered data.
Comments addressing the GLBA in relation to a specific proposed
provision, such as comments recommending the final rule adopt
Regulation P's privacy protections for third parties, are addressed in
part IV.C and D.4.
CFPA Section 1034(c)
Section 1034(c) of the CFPA generally requires large financial
institutions to comply with consumer requests for information
concerning their accounts in a timely manner, subject to certain
statutory exceptions.\41\ In October 2023, prior to the proposal, the
CFPB issued an advisory opinion on CFPA section 1034(c) that interprets
this provision for the purpose of highlighting the obligations it
imposes upon large financial institutions.\42\ One commenter asked the
CFPB to clarify the extent to which the scope of data covered by CFPA
section 1033 and by the CFPA section 1034(c) advisory opinion overlap,
and how that may impact obligations for data providers.
---------------------------------------------------------------------------
\41\ Specifically, CFPA section 1034(c) applies to insured
depository institutions (including credit unions) that offer or
provide consumer financial products or services and that have total
assets of more than $10 billion, as well as their affiliates.
\42\ Consumer Fin. Prot. Bureau, Consumer Information Requests
to Large Banks and Credit Unions, 88 FR 71279 (Oct. 16, 2023).
---------------------------------------------------------------------------
CFPA sections 1033(b) and 1034(c)(2) both generally apply to
``information in the control or possession'' of a covered
[[Page 90852]]
person ``concerning the consumer financial product or service that the
consumer obtained from such covered person.'' However, the statutes
differ in several respects, including the types of covered persons
subject to each statute, the exceptions to the information each statute
covers, and the form in which information must be provided under each
statute.
The statutes impose separate obligations on large depository
institutions (including credit unions), and how the statutes impact
institutions' obligations will depend on the facts.\43\ As noted in the
advisory opinion:
[S]ection 1033 governs consumer authorized third-party access to
data made available in electronic form in connection with third-
party provision of other products or services--including for
example, the provision of a potentially competing account offering.
This is why, for example, section 1033 is limited to data available
in the normal course, and why section 1033 requires data to be `made
available . . . in electronic form.'\44\
---------------------------------------------------------------------------
\43\ As noted in the advisory opinion, the CFPB does not
interpret section 1034(c) to preempt or otherwise supersede the
requirements of other Federal or State laws and regulations designed
to protect privacy and data security, including, for example, any
restrictions that may be imposed in the CFPB's upcoming rule
implementing section 1033. See 88 FR 71279, 71279 n.27 (Oct. 16,
2023).
\44\ See id. at 71279 n.23.
---------------------------------------------------------------------------
See also part IV.C regarding a comparison between CFPA sections
1034(c) and 1033 with respect to the final rule's prohibition on fees
for data access.
5. Other Comments
A number of commenters sought information on how the CFPB will
conduct oversight of third parties. Commenters stated that many
authorized third parties are outside the CFPB's enforcement or
supervisory jurisdiction, and asserted that data aggregators pose
relatively greater risks to consumers than authorized third parties.
Some commenters also asked whether the CFPB would consider complaints
from industry participants when setting supervision and enforcement
priorities, and asked that the CFPB encourage consumers to submit
complaints to its consumer complaint program.\45\ Several commenters
sought information on how the CFPB would provide guidance after the
final rule is issued. In addition, a consumer advocate recommended that
the CFPB engage in a consumer education campaign to inform consumers of
their rights under the rule. The commenter explained that improved
consumer understanding of consumer-authorized data sharing would
increase consumer confidence in sharing data and protect them from bad
actors.
---------------------------------------------------------------------------
\45\ See generally Consumer Fin. Prot. Bureau, Submit a
complaint about a financial product or service, <a href="https://www.consumerfinance.gov/complaint/">https://www.consumerfinance.gov/complaint/</a> (last visited Oct. 17, 2024).
---------------------------------------------------------------------------
SBA Advocacy requested that the CFPB determine whether the final
rule is necessary in light of current State law (citing the California
Consumer Privacy Act as an example) and whether the final rule
conflicts with State laws. Other commenters questioned whether the CFPB
had taken proper account of international open banking regimes in
developing the proposal.
With respect to questions about how the CFPB intends to enforce and
supervise for the requirements that apply to third parties, Sec.
1001.2(b) of the final rule provides additional assurance that
financial data processing by third parties, among others, is subject to
the CFPA. This includes enforcement and, where appropriate,
supervision, by the CFPB. In addition, the CFPB and FTC coordinate law
enforcement activities regarding the offering or provision of consumer
financial products and services by covered persons within the FTC's
jurisdiction under the FTC Act, including conducting joint
investigations where appropriate, to minimize duplication of efforts
and burden on FTC-covered industry participants. This may include
coordination on enforcement activities regarding the CFPA prohibition
on unfair, deceptive, or abusive acts or practices and the FTC
Safeguards Rule. The CFPB also coordinates with State attorneys general
and State regulators. With respect to questions about the role of
consumer complaints in establishing supervision and enforcement
priorities, the CFPB prioritizes supervisory and enforcement activity
on the basis of risk, taking into account, among other factors, the
size of each entity, the volume of its transactions involving consumer
financial products or services, the size and risk presented by the
markets in which it is a participant, the extent of relevant State
oversight, and any field and market information that the CFPB has on
the entity. Such field and market information can include, for example,
information from complaints and any other information the CFPB has
about risks to consumers and to markets posed by a particular entity.
In response to comments advocating for CFPB supervision of third
parties, including data aggregators, the CFPB's supervisory authority
is defined by the CFPA. The CFPB agrees that supervision of data
aggregators is important. Supervisory examinations over one or more
data aggregators, including larger participants in the consumer
reporting market, are scheduled or ongoing,\46\ and the CFPB will
continue to engage in this supervision as necessary.
---------------------------------------------------------------------------
\46\ See Supervisory Highlights, Issue 30, Summer 2023, 88 FR
52131, 52142 (Aug. 7, 2023).
---------------------------------------------------------------------------
With respect to guidance after the final rule is issued, the CFPB
plans to make available a range of resources to assist with effective
implementation of the rule, including a small entity compliance guide.
The CFPB also has a regulatory support program that can provide
assistance. With respect to comments about improving consumer awareness
of their rights under this rule, the CFPB notes that the consumer
protections in this rule are intended to ensure that consumers can
access their own data and can authorize access by third parties that
are acting on their behalf. For more discussion of consumer awareness
of third party access, see part IV.D below. The CFPB intends to further
consider how to increase consumer awareness of and confidence in
authorized third party data access.
The CFPB has considered State law and international legal
frameworks to inform the final rule's approach to data providers'
obligations to make data available upon request and third parties'
obligations to act on behalf of consumers in order to access such data.
Several States impose obligations on businesses to make information
available to consumers in a portable, structured format, where
technologically feasible.\47\ Several States also impose privacy
obligations on businesses. However, these State laws differ in terms of
their scope and substantive requirements. In addition, a number of
States include exemptions for businesses or data covered by certain
Federal consumer financial laws, like the GLBA.\48\ The CFPB believes
it is appropriate to carry out congressional intent to issue Federal
regulations pursuant to CFPA section 1033, including the
interoperability objectives of CFPA section 1033(d), by issuing
requirements applicable nationwide to promote safe, secure, reliable,
and competitive data access. The CFPB is not aware of conflicts between
State law and the final rule. See parts VI and VII for further
discussion of the impacts of State law.
---------------------------------------------------------------------------
\47\ See, e.g., Cal. Consumer Privacy Act of 2018 section
1798.130(a)(3)(B)(i)-(iii).
\48\ See, e.g., id. section 1798.145(e). See also SBREFA Outline
at 46 n.50.
---------------------------------------------------------------------------
As part of this rulemaking, the CFPB has considered international
open banking models, as discussed in the proposed rule and further
below. The CFPB's authority and policy approach
[[Page 90853]]
in this final rule are not identical to those of other jurisdictions.
In particular, as discussed in part IV.3, IV.C.2, and elsewhere in part
IV, the final rule does not require data providers to initiate
payments, unlike some other open banking regimes. The final rule
instead implements CFPA section 1033 with respect to a data provider's
obligation to make available covered data to consumers and third
parties authorized to access such data on their behalf. The CFPB has
taken account of the experience of international jurisdictions in
developing the final rule generally and as discussed in part IV.C.2
with respect to the prohibition on fees for third party access, part
IV.C.3 with respect to commercially reasonable performance standards,
and the final rule's approach to screen scraping, as discussed in part
IV.D.1. The CFPB believes any differences between the approach of this
final rule and those of other jurisdictions are appropriate in light of
the particular market and regulatory frameworks applicable to the U.S.
See parts VI and VII for further discussion of international
jurisdictions.
A. Subpart A--General
1. Overview
Subpart A of the final rule establishes the coverage and
terminology necessary to implement CFPA section 1033 for this rule,
beginning with Sec. 1033.101, which describes the authority, purpose,
and organization of the regulation in part 1033. Subpart A defines the
coverage of the final rule, sets forth tiered compliance dates, defines
terms appearing throughout the regulatory text, and, as finalized in
the Industry Standard-Setting Final Rule, sets forth criteria for
recognized standard setters.
2. Authority, Purpose, and Organization (Sec. 1033.101)
In the proposed rule, the CFPB proposed Sec. 1033.101(a) to
describe the CFPB's legal authority to issue the rule for the purposes
described in proposed Sec. 1033.101(b). Proposed Sec. 1033.101(c)
described the organization of the proposed rule within part 1033. The
Industry Standard-Setting Final Rule finalized the language in proposed
Sec. 1033.101(a) and a more limited version of proposed Sec.
1033.101(b) and (c), to reflect the limited purpose and organization of
the Industry Standard-Setting Final Rule. The CFPB did not receive
comment on the proposed rule's proposed language in Sec. 1033.101.
In this final rule, the CFPB is not making changes to the legal
authority language in Sec. 1033.101(a) that was finalized by the
Industry Standard-Setting Final Rule. The CFPB is amending the language
finalized by the Industry Standard-Setting Final Rule at Sec.
1033.101(b) and (c), as originally proposed by the proposed rule, to
reflect the purpose and organization of this final rule. Final Sec.
1033.101(c) also refers to the appendix containing standard setter
recognition procedures that was finalized as part of the Industry
Standard-Setting Final Rule. Other than with respect to Sec. 1033.101,
the final rule published in this Federal Register document does not
amend any of the provisions of the Industry Standard-Setting Final
Rule. The regulatory text published in this Federal Register document
restates the regulatory text finalized in the Industry Standard-Setting
Final Rule (other than with respect to Sec. 1033.101) for clarity and
ease of reading.
3. Coverage of Data Providers (Sec. 1033.111(a) Through (c))
Proposal
Section 1033(a) applies to ``covered persons,'' as defined in the
CFPA. In the proposal, the CFPB explained its intent to implement the
broad coverage of CFPA section 1033 through this and supplemental
rulemaking. For this first rule to implement coverage and other
substantive provisions of CFPA section 1033(a), the CFPB proposed to
define a subset of covered persons that would be required to make data
available with respect to certain consumer financial products or
services: Regulation E asset accounts, Regulation Z credit cards, and
products or services that facilitate payments from a Regulation E
account or a Regulation Z credit card. The CFPB explained that the last
of these categories would clarify that the proposed rule would cover
all consumer-facing entities involved in facilitating Regulation E
account and Regulation Z credit card transactions.
In the proposed rule, the CFPB discussed how payment data from
these products and services support common beneficial consumer use
cases today, including transaction-based underwriting and payment
initiation. Specifically, the CFPB proposed in Sec. 1033.111(b) to
define covered consumer financial product or service to mean (1) a
Regulation E account, a defined term that would have the same meaning
as defined in 12 CFR 1005.2(b); (2) a Regulation Z credit card, a
defined term that would have the same meaning as defined in 12 CFR
1026.2(a)(15)(i); and (3) the facilitation of payments from a
Regulation E account or Regulation Z credit card. The CFPB proposed in
Sec. 1033.111(c) to define data provider to mean a covered person, as
defined in 12 U.S.C. 5481(6), that is (1) a Regulation E financial
institution, as defined in 12 CFR 1005.2(i); (2) a Regulation Z card
issuer, as defined in 12 CFR 1026.2(a)(7); or (3) any other person that
controls or possesses information concerning a covered consumer
financial product or service the consumer obtained from that person. In
example 1 to Sec. 1033.111(c), the CFPB proposed to provide an example
that a digital wallet provider is a data provider. The CFPB requested
comment on the proposed definitions.
The proposed rule also explained that the CFPB was considering
adding EBT-related data to the final rule, or reaching EBT cards in a
subsequent rulemaking. State and local administered needs-tested
benefits are exempt from EFTA coverage by statute. When distributed
electronically, needs-based benefits established under State or local
law or administered by a State or local agency are primarily issued to
consumers via EBT cards. EBT-related data are mainly accessed directly
by the consumer through private entities that have contracted with
State or local governments that administer programs for Federal
Government agencies. The CFPB requested comment on whether the most
appropriate way to solve issues related to EBT data accessed directly
by the consumer is through section 1033 of the CFPA, and whether it
should do so as part of this first rulemaking related to payments data
or a subsequent rule under CFPA section 1033. The CFPB also requested
comment on third party practices related to consumer-authorized EBT
data, and the benefits and drawbacks of enabling third party access to
EBT-related data, including with respect to data security.
Comments
Many commenters, including third parties and consumer advocates,
stated that the proposed coverage was too narrow. Advocated additions
included all covered persons and financial products and services under
the CFPA, all Regulation Z creditors (such as mortgage, auto, and
payday lenders), payroll providers, holders of tax records, electronic
bill presentment providers, investment products, retirement accounts,
and small business lenders. Some third party commenters asserted that
data providers will otherwise restrict or fail to offer access to these
data. One bank data provider commenter stated that the narrow scope of
coverage could cause consumer confusion. A non-bank data provider that
also acts as a third party stated that
[[Page 90854]]
coverage should be broader because much or all of the covered data are
already made available by banks today.
Conversely, many data provider commenters requested narrower
coverage, and that the CFPB clarify the rule's applicability,
particularly with regard to pass-through payments and payment
facilitation providers. Some commenters asked for specific exclusions
for products or entities that they asserted are excluded from the
CFPB's authority under the CFPA, such as corporate credit cards and
merchants. Several third party and trade association commenters asked
the CFPB to clarify that the rule does not cover other entities that
initiate payments on the payee's behalf, such as embedded payment
service providers that provide payment processing services exclusively
for merchants, third party marketplaces operated prominently in the
name of their affiliate company, and loan servicers. One non-bank data
provider that also acts as a third party asked the CFPB to exclude
online marketplaces and ride sharing apps. Two data provider trade
associations asked the CFPB to exclude inactive or closed accounts.
Two trade associations commenting on the CFPB's TILA interpretive
rule regarding credit products marketed as BNPL,\49\ along with a
provider of BNPL products, stated that the Personal Financial Data
Rights rule should not apply to BNPL providers because they lacked
notice that such providers are card issuers under Regulation Z and that
the proposal did not adequately account for the impact on BNPL
providers. A third party trade association supported coverage of BNPL
providers as data providers, explaining in a comment on the CFPB's TILA
interpretive rule that it supports the consumer right to share their
balance and transaction information for any and all of their credit
accounts. A few bank data provider trade associations commenting on the
TILA interpretive rule recommended that the CFPB clarify that nonbank
BNPL providers are held to the same standards as banks with regard to
consumer protections generally.
---------------------------------------------------------------------------
\49\ Truth in Lending (Regulation Z); Use of Digital User
Accounts To Access Buy Now, Pay Later Loans, 89 FR 47068 (May 31,
2024).
---------------------------------------------------------------------------
With regard to pass-through payments, bank data providers, a large
nondepository data provider, and trades representing bank and
nondepository data providers stated that data related to those products
would be duplicative, introduce errors, provide limited consumer
benefit relative to the increased burden on digital wallet providers,
and conflict with their belief that the account-holding bank should
control access to that data. One data provider trade association
asserted that data providers should only be permitted to share data
that is unique to them. The commenter stated that banks cannot conduct
due diligence on the authorized third party that is requesting data
access through the digital wallet provider, and this could lead to
consumer confusion and other risks. The commenter asserted that these
digital wallets do not possess data pertaining to a consumer financial
product or service that the consumer obtained from the data provider.
Some bank data provider commenters cited security and liability
concerns about allowing pass-through payment providers to share data
with third parties, rather than requiring the third parties to go to
the underlying bank.
A few commenters stated that the proposal was unclear as to whether
any entity that controls or possesses covered data would have
obligations under the rule, even if a consumer did not obtain a covered
consumer financial product or service from the data provider and even
if the data do not concern a covered consumer financial product or
service. A few trade associations and other commenters asserted that
the CFPB needed to clarify whether point of sale terminal providers and
other payment service providers are covered under Sec. 1033.111(c).
One bank trade association asked the CFPB to clarify that the
obligation to make available covered data would not apply to consumers
who are domiciled outside of the U.S., stating that without this
clarification foreign requirements for data protection and privacy will
be triggered, impacting data handling and protection that vary widely
across countries.
The CFPB received many comments from individual consumers, consumer
groups, other nonprofit organizations, third parties, and Members of
Congress in support of covering EBT providers in this stage of the
rulemaking. Their reasons were similar to those raised during the
SBREFA process, including how consumers would benefit from increased
access to their EBT data and how such access could help identify fraud.
Some of these commenters also asserted that excluding EBT providers
from this rulemaking could worsen existing issues related to data
access and service. A few commenters supported a subsequent rulemaking
to cover EBT providers if they are not covered under this rule.
Some commenters, including industry trade associations and a Member
of Congress, cautioned against including EBT providers in this or any
future rulemaking. Although these commenters raised concerns the CFPB
considered in the proposed rule, like the potential for fraud to
increase and the lack of EFTA protections, some commenters also
asserted that the CFPB is not the right agency to address EBT data
access. These commenters asserted that Congress specifically excluded
EBT from being regulated as demand deposit accounts and instead largely
granted authority to regulate EBT to USDA. A payments trade association
commenter cautioned that agencies that administer EBT will not have
contractual relationships with entities involved with third party
access and therefore these entities will not need to comply with
certain restrictions put in place by the governing agencies.
Final Rule
For the reasons discussed herein, the CFPB is finalizing Sec.
1033.111(a) through (c) as proposed, with some clarifying changes to
the definition of covered consumer financial product or service in
Sec. 1033.111(b)(3). This facilitation of payments prong in Sec.
1033.111(b)(3) is finalized to include facilitation of payments from a
Regulation E account or Regulation Z credit card, excluding products or
services that merely facilitate first party payments. For purposes of
part 1033, a first party payment is a transfer initiated by the payee
or an agent acting on behalf of the underlying payee. First party
payments include payments initiated by loan servicers.
As in the proposal, Sec. 1033.111(c) defines data provider to mean
a covered person, as defined in 12 U.S.C. 5481(6), that is: (1) A
financial institution, as defined in Regulation E, 12 CFR 1005.2(i);
(2) A card issuer, as defined in Regulation Z, 12 CFR 1026.2(a)(7); or
(3) Any other person that controls or possesses information concerning
a covered consumer financial product or service that the consumer
obtained from that person. Example 1 to paragraph (c) states that a
digital wallet provider is a data provider.
Payment data from these products and services support common
beneficial consumer use cases today, including transaction-based
underwriting, payments, deposit account switching, and comparison
shopping for bank and credit card accounts. Data from checking
accounts, savings accounts, and other Regulation E accounts allow a
consumer or third party to view a consumer's income, expenses, fees,
and spending. Digital wallet providers hold similar valuable data that
can provide a complete understanding of a consumer's
[[Page 90855]]
finances. Today, a digital wallet can initiate payments from multiple
credit cards, prepaid accounts, and checking accounts. A digital wallet
can facilitate payments from accounts that the digital wallet provider
offers through depository institution partners, or from linked accounts
issued by other institutions (sometimes referred to as pass-through
payments). Regulation Z credit cards are increasingly used as payment
devices for everyday expenses, and credit card transaction data have in
some cases become interchangeable with Regulation E account transaction
data. Given the foreign applicability provisions of Regulation E and
Regulation Z, covered consumer financial products and services in this
rule are limited to products and services obtained by consumers who
reside in the U.S. See Regulation E comment 3(a)-3 and Regulation Z
comment 1(c)-1 for a discussion of foreign applicability.
Covering Regulation E accounts, Regulation Z credit cards, and
payment facilitation products and services leverages existing
infrastructure for consumer-authorized data sharing, thus facilitating
implementation. Data providers generally share these covered data on
consumer interfaces today, and some share covered data with third
parties. Given how consumers' payment data are commonly shared and can
be used to access consumer funds or track household spending, it is
appropriate to prioritize these data for greater protection under this
rule. As discussed in part IV.C and D, the CFPB is also finalizing a
number of measures to foster a safe and secure data access framework.
In addition, consumers benefit from being able to permission access
to digital wallet pass-through data and the marginal burden on digital
wallet providers is generally limited. Digital wallet providers and
entities that refer to themselves as neobanks generally qualify as
Regulation E financial institutions; some also may be Regulation Z card
issuers. Digital wallet providers that facilitate pass-through payments
typically also provide a funds-holding asset account or credit card, so
would already be subject to the requirements of this rule, including
the requirement to maintain interfaces under Sec. 1033.301. The few
digital wallet providers who do not yet offer these products in
conjunction with their pass-through products tend to be very large,
sophisticated technology companies that commonly access and use data as
third parties. Although digital wallet providers today typically
qualify as Regulation E financial institutions under Sec.
1033.111(c)(1), including Sec. 1033.111(c)(3) provides clarity that
all digital wallet providers are data providers and ensures coverage as
payment products evolve. This provision makes clear that the rule
covers consumer-facing entities involved in facilitating Regulation E
account and Regulation Z credit card transactions, except, as discussed
below, products or services that merely facilitate first party
payments. Given that digital wallet providers--including pass-through
providers--typically are Regulation E financial institutions, the
marginal compliance burden of including the payment facilitation prong
is limited.
Moreover, the potential consumer benefit is clear. Digital wallets
are ubiquitous today, with both remote and point of sale acceptance.
Some companies that originated as non-financial providers, such as
search engines, social media companies, and retail merchants, are
steadily offering asset accounts and credit cards themselves--sometimes
leveraging data they have obtained from depository institutions for
underwriting or other purposes. As consumers increasingly connect
multiple financial products to these non-bank providers, and these
providers increasingly offer asset accounts and credit cards in
conjunction with other services, non-bank providers may control or
possess different or more robust covered data than the underlying
depository institution. Consumers may also find it more convenient to
permission access through the digital wallet provider or other payment
facilitation provider, and may expect to be able to do so. Accordingly,
requiring digital wallet data providers to make available data for both
pass-through and non-pass-through accounts may best align the rule with
consumer expectations, ease sharing for consumers who connect multiple
payment methods to their digital wallets or otherwise frequently use
their digital wallets, and provide consumers with access to more robust
payment transaction data. The CFPB agrees with commenters that pass-
through data providers should not be required to make available
information to initiate payment to or from a Regulation E account under
Sec. 1033.211(c); changes to the covered data provision are discussed
below in connection with subpart B.
The CFPB is clarifying the definition of covered consumer financial
product or service in Sec. 1033.111(b)(3) to exclude situations where
an entity is solely facilitating first party payments, such as a
merchant or mortgage loan servicer initiating a payment from the
consumer's account to itself. First party payments are distinct from
payment facilitation products. Accordingly, the CFPB is finalizing
Sec. 1033.111(b)(3) with language to explicitly exclude products or
services that merely facilitate first party payments. For purposes of
this definition, a first party payment is a transfer initiated by the
payee or an agent on behalf of the underlying payee. First party
payments include payments initiated by a loan servicer.
Situations where an entity is merely initiating a payment to itself
for a product or service it provided to the consumer would not be
enough to qualify as a covered consumer financial product or service.
For example, a mortgage servicer that merely initiates a payment to
fulfill the consumer's mortgage obligation would not qualify as
facilitation of payments under Sec. 1033.111(b)(3), as the mortgage
servicer is initiating a payment to itself or is otherwise acting as an
agent of the underlying mortgage holder. Similarly, an online merchant
initiating a payment to itself for goods it sold directly to the
consumer, or a utility company initiating payment to satisfy a
consumer's electric bill, would not qualify as facilitation of payments
under Sec. 1033.111(b)(3). However, some first party payments continue
to fall within the definition of covered consumer financial product or
service, such as situations where the data provider is initiating a
transfer to itself in conjunction with a product that facilitates
payments to other payees, or the data provider is otherwise providing a
Regulation E or Regulation Z account. For example, Sec. 1033.111(b)
includes a digital wallet provider initiating a transfer from an
external bank account to the consumer's digital wallet held by that
same provider, a digital wallet provider initiating a pass-through
transfer from the consumer's Regulation E or Regulation Z account to
another payee that participates in the debit or credit card network,
and a credit card provider initiating a credit card payment from the
consumer's external bank account to itself.
As stated in Sec. 1033.201(a)(1), a data provider's obligation to
make available data is limited to covered data in the data provider's
control or possession concerning a covered consumer financial product
or service that the consumer obtained from the data provider, in an
electronic form usable by consumers and authorized third parties. For
clarity, the CFPB is adding language to Sec. 1033.111(a) to reiterate
that a data provider's obligations are limited to covered data
concerning a covered consumer financial product or
[[Page 90856]]
service that the consumer obtained from the data provider.
With regard to excluding products that are not subject to the
CFPB's authority, any such exclusions would be superfluous, potentially
confusing, and create risk that they would be misused to undermine
coverage of payment facilitation products that do fall within the
CFPB's authority. The Sec. 1033.111(b) definition of covered consumer
financial product or service is expressly limited to a consumer
financial product or service as defined in 12 U.S.C. 5481(5). The CFPB
has decided not to add exclusions, such as an exclusion for online
marketplaces that are not otherwise subject to the CFPB's authority,
because that may create detrimental loopholes for products that also
provide a payment facilitation or other Regulation E access device
function. For example, an online marketplace may involve payments to
the data provider for products or services sold by that same data
provider, but also facilitate payments to other merchants.
The CFPB intends to implement CFPA section 1033 with respect to
other covered persons and consumer financial products or services
through future rulemaking. The CFPB declines to expand the scope of
covered data and consumer financial products and services in this final
rule. Prioritizing Regulation E accounts, Regulation Z credit cards,
and payment facilitation products and services advances competition
goals across a broader range of markets while addressing pressing
consumer use cases and risks. The CFPB also has considered that the
marginal risks to consumers of including these covered consumer
financial products and services are limited by Regulation E and
Regulation Z error protections applying to all the products covered by
this final rule; in addition, most (if not all) such covered data are
shared with third parties to some extent today. The CFPB has considered
that EBT cards are exempt from EFTA coverage by statute, but that
pursuant to the Consolidated Appropriations Act of 2023, the USDA has
been directed to engage in a rulemaking and issue guidance on EBT card
security practices. The Spring 2024 Unified Agenda shows that this USDA
rulemaking is in the proposed rulemaking stage, indicating that
completion of a final rule remains some period away.
In order to determine coverage, entities need to determine whether
they control or possess covered data concerning a covered consumer
financial product or service that the consumer obtained from that
entity, and whether they otherwise meet the definition of data provider
in Sec. 1033.111(c). This coverage determination is the same for all
entities, including those that in providing BNPL products may qualify
as card issuers under Regulation Z. BNPL providers had sufficient
notice of their potential inclusion in the rule because they received
notice that the CFPB proposed to cover Regulation Z card issuers and
credit cards under CFPA section 1033.
4. Coverage Threshold for Depository Institution Data Providers (Sec.
1033.111(d))
Proposal
In Sec. 1033.111(d), the CFPB proposed to exclude from the
requirements of this rule data providers that are depository
institutions without a consumer interface. The CFPB noted that such
institutions tend to be very small, may not have resources to support
or maintain online or mobile banking systems, and may use a
relationship banking model that provides a more personalized
relationship with their customers. The CFPB also proposed to limit the
exclusion to depository institutions, preliminarily determining that
the complicating factors that exist for depository institutions are
less likely to exist for nondepository institutions. The proposed rule
also noted that nondepository institution data providers within the
scope of the proposed rule tend to use business models built on the
ability to innovate using technology and to move quickly to implement
technological solutions. The CFPB sought comment on various issues,
including whether different or additional criteria, such as an
institution's asset size or activity level, should be taken into
consideration when determining what depository institutions would be
covered by the rule.
Comments Received
Though a few commenters stated that all institutions should be
required to comply with the rule, the vast majority of those who
commented on this provision stated that some institutions should not.
Many credit union, bank, and credit union and bank trade association
commenters stated that the proposed exemption was too limited. Many of
these commenters also stated that coverage should be based on asset
size, instead of the presence of a consumer interface, and suggested
thresholds ranging from $850 million to $10 billion in total assets.
Others stated that number of deposit accounts or customers should be
relevant to coverage, or that depository institutions under a certain
size should be able to ``opt out'' of the rule's requirements. A few
credit union trade association commenters and one credit union
commenter stated that there should be tiered exemptions where different
tiers of depository institutions would not need to comply with various
requirements of the rule: data providers with no consumer interface
should be completely excluded, depository institutions that meet the
SBA definition of a small business should only be required to provide a
consumer interface, and minimum technical specifications should not
apply to developer interfaces of depository institutions holding less
than $50 billion in assets.
Several nondepository entity trade association commenters and one
technology service provider commenter stated that nondepository
institutions that do not have digital banking should be exempt from the
rule. One nondepository institution trade association commenter stated
that there are many nondepository institutions that do not have a
consumer interface, including debt collectors.
While one bank commenter stated that depository institutions that
elect to eliminate their consumer interfaces after the rule's effective
date should not remain subject to the rule, a nondepository entity
trade association commenter stated that they should. One nondepository
entity trade association commenter stated that depository institutions
should be given a grace period to comply with the rule's requirements
when establishing a consumer interface while another stated that they
should not. Finally, SBA Advocacy stated that the CFPB should consider
third party exemptions that will not compromise data security and
privacy.
Final Rule
For the reasons discussed herein, the CFPB is finalizing Sec.
1033.111(d) with modifications. Unlike the proposed rule, final Sec.
1033.111(d) bases coverage on a depository institution data provider's
total assets, not on the presence of a consumer interface. As in the
proposed rule, all nondepository institution data providers are covered
by the rule.
Final Sec. 1033.111(d) states that the requirements of subparts B
and C do not apply to data providers defined under Sec. 1033.111(c)(1)
through (3) that are depository institutions that hold total assets
equal to or less than the SBA size standard for the data provider's
appropriate NAICS code for commercial
[[Page 90857]]
banking, credit unions, savings institutions and other depository
credit intermediation, or credit card issuing, as codified in 13 CFR
121.201. The current size standard for all the relevant NAICS codes is
$850 million. Section 1033.111(d) also states that if a depository
institution that held total assets greater than that SBA size standard
as of the final rule's effective date subsequently holds, at any point,
total assets below that amount, the requirements of subparts B and C
continue to apply. Section 1033.111(d)(1) provides information on how
to determine the SBA standard based on specific NAICS codes. Section
1033.111(d)(2) explains that total assets held by a depository
institution are determined by averaging the assets reported on its four
preceding quarterly call report data submissions to the FFIEC or NCUA,
as applicable, or its submissions to the appropriate oversight body to
the extent it does not submit such reports to the FFIEC or NCUA.
Relatedly, and as more fully discussed in the discussion of compliance
dates, Sec. 1033.121(c) addresses how to determine compliance dates
for depository institutions that hold total assets at or below the SBA
size standard but that subsequently cross that threshold.
Unlike the proposed rule, the final rule bases coverage on the
total assets held by a depository institution data provider and
provides those entities a reasonable amount of time to comply with the
part's requirements upon reaching the coverage floor. Asset size is a
more accurate proxy than the mere existence of a consumer interface to
help approximate a depository institution's resources and ability to
comply with the rule's requirements. An institution that may offer a
basic consumer interface may nevertheless not possess the resources or
technological sophistication to upgrade that interface and create a
compliant developer interface. A depository institution's total asset
size, however, provides information about an institution's size,
sophistication, and relative resources to comply with the rule because
an institution's size measured by assets will generally correlate with
its resources. In addition, the CFPB does not have information to
indicate that any depository institution data provider over the current
$850 million size standard lacks a consumer interface.\50\
---------------------------------------------------------------------------
\50\ If there were hypothetically such depository institutions,
their number would be very small and creating an exemption solely
for such institutions would add complexity to the regulatory regime
and not be proportionate.
---------------------------------------------------------------------------
Under the final rule, to streamline compliance, the specified
depository institution data providers are not subject to any
requirement to make data available through an interface. However, most
depository institution data providers with total assets at or below the
current $850 million size standard already have some form of consumer
interface, and the CFPB expects that such institutions will continue to
provide their customers with that service. The CFPB also understands
that many depository institution data providers with total assets at or
below the current $850 million size standard make at least some
covered data available to consumer-authorized third parties, and
expects that such institutions will continue doing so, including by
offering developer interfaces when the benefits of doing so are
commensurate with the institution's resources.
As with the proposed rule, the final rule covers all nondepository
institution data providers. Though a few commenters stated that
nondepository institution data providers without consumer interfaces
should not be covered by the rule's requirements, they did not offer
grounds to rebut the proposed rule's determination that nondepository
institution data providers lack the same complicating factors that
exist for their depository institution counterparts. Nondepository
institution data providers within the scope of the final rule tend to
use business models built on the ability to innovate with respect to
technology and move quickly to implement technological changes and
solutions.
As explained, the final rule does not cover depository institution
data providers that hold total assets below the SBA size standard for
the specific NAICS code that encompasses each depository institution
data provider subject to this rule. The size standard for each of the
named NAICS codes, currently $850 million, is re-evaluated by the SBA
at least once every five years. In theory, the size standards of the
named NAICS codes could diverge during that re-evaluation. The CFPB has
determined that, given the historical standards, the likelihood of that
occurring is minimal.
The CFPB believes the SBA size standard is an appropriate threshold
to determine depository institution data provider coverage at this
time. Several credit union trade associations and a trade association
of community banks stated that an $850 million threshold would address
concerns about the costs of providing data access to third parties
under the terms of the rule. In particular, a credit union trade
association believed such a threshold would be appropriate to address
concerns about the ability of smaller credit unions to remain
competitive, noting that those below the threshold might discontinue
services if they had to comply with the rule. As discussed further in
part VI.E.1, many community banks, credit unions, and trade
associations commented that they expect the costs for small depository
institutions of providing required data access to be much higher than
those estimated by the CFPB in the proposal. Though they did not
provide additional data or information that would allow the CFPB to
precisely update the cost estimates, the CFPB acknowledges that small
depository institutions might face additional challenges in
implementing the rule at this time. The CFPB believes that the SBA size
standard is an appropriate metric to ensure the rule does not unduly
burden entities that are not dominant in their field and may have
difficulty competing under the rule without sacrificing products or
services.
At least one bank trade association commenter recommended generally
that the coverage threshold be $10 billion in total assets, although
the commenter stated that if the threshold is not set at $10 billion,
then an asset threshold of $850 million would be appropriate.\51\ This
commenter did not provide reasoning for this position, and based on
other comments received, the CFPB believes depository institutions with
assets above the SBA size standard in the final rule will not face the
same types of constraints as those below. For example, a credit union
trade association recommended that credit unions with assets between
$850 million and $50 billion should be subject to the data provider
requirements of the rule, with the exception of minimum technical
performance requirements. As discussed in part IV.C.3, the CFPB has
made the minimum response rate requirement in Sec. 1033.311(c) more
flexible relative to the proposal and has lengthened the compliance
timelines for all data providers. Further, not covering depository
institutions with total assets of $10 billion and under would not cover
a large share of total accounts, at approximately 31 percent of covered
accounts. In contrast, setting the threshold at depository institutions
with more than $850 million in total assets
[[Page 90858]]
excludes approximately 10 percent of covered accounts.
---------------------------------------------------------------------------
\51\ The CFPB also received one comment from a software
developer stating that, until an accreditation process has been
developed, financial institutions with less than $10 billion in
assets should not be required to comply with the rule.
---------------------------------------------------------------------------
For now, in light of the reasons herein, the CFPB is not extending
coverage to depository institutions with assets of $850 million or
below. However, the CFPB anticipates that, as the process of building
out systems capable of complying with the rule's requirements plays out
and data providers, core providers, and other vendors work to
streamline the resources and processes necessary to comply, the costs
of compliance will go down, potentially making coverage for smaller
depository institutions more appropriate. Relative to the alternative
of a higher coverage threshold such as $10 billion in assets, covering
a larger share of depository institution data providers with this
rule--and, in particular, covering depository institution data
providers that use the same vendors and core providers as smaller
depository institutions--increases the likelihood that resources to
facilitate third party access will be available for smaller depository
institution data providers that seek to integrate them in the future.
The CFPB will continue to monitor market conditions and engage with
relevant vendors and other service providers to determine if changes to
the rule's coverage are warranted.
Section 1033.111(d)(2) states that a depository institution data
provider's total assets are calculated by averaging its assets reported
on its four preceding quarterly call report submissions to the FFIEC or
NCUA, as applicable. Averaging total assets over a year provides a more
accurate financial picture than using the total assets at one point in
time. Additionally, the SBA calculates whether a specific institution
meets its size standards by averaging the assets reported on its four
quarterly financial statements for the preceding year. See 13 CFR
121.201 n.8.
Section 1033.111(d)(3) outlines the process by which a depository
institution data provider determines total assets when there is a
merger or acquisition where the surviving depository institution does
not have four quarterly call report submissions. The surviving
depository institution shall use the combined assets reported on the
quarterly call report submissions by all predecessor depository
institutions for quarterly assets prior to the merger. For quarterly
assets after the merger or acquisition, quarterly assets shall be
determined by using the assets reported on the quarterly call report
submissions by the surviving depository institution. Total assets shall
be determined by using the average of the quarterly assets for the four
preceding quarters, whether the quarterly assets are the combined
assets of the predecessor depository institutions or from the surviving
depository institution. The rule does not include explicit instructions
on how newly formed depository institution data providers with no
predecessor depository institutions determine total assets. The
regulatory text is clear that four quarterly call report submissions
are necessary to determine total assets and thus, a newly formed
depository institution data provider with no predecessor depository
institutions will determine total assets once it has four of its
quarterly call report submissions available to make that determination.
As of the rule's effective date, depository institution data
providers must determine their total assets by averaging their assets
on the four preceding call report data submissions. If that total falls
under the coverage threshold, the institution is not then subject to
the rule's requirements, but it must continue to calculate total assets
going forward based on the formula laid out in Sec. 1033.111(d)(2) to
determine if its assets have increased enough such that it becomes
covered by the rule.\52\
---------------------------------------------------------------------------
\52\ Section 1033.121(c) describes compliance dates for
depository institution data providers that hold total assets less
than the SBA size standard as of the effective date but subsequently
cross that threshold.
---------------------------------------------------------------------------
The final rule does not allow depository institution data providers
to fall out of coverage because their asset holdings dip from above to
below the threshold. Once a depository institution data provider has
become capable of building and maintaining data access in accordance
with the rule's requirements, it will need to meet the data access
requirements of the rule; ongoing costs of compliance will be minimal,
even if their total assets held have diminished.
5. Compliance Dates (Sec. 1033.121)
Proposal
The CFPB proposed in Sec. 1033.121 to stagger data provider
compliance dates into four tiers, so as to ensure timely compliance
based on asset size or revenue, depending on the type of data provider.
A number of factors might affect how quickly a data provider could
comply with the rule, including, for example, a data provider's size,
relative technological sophistication, use of third party service
providers to build and maintain software and hardware systems, and, in
the case of many data providers, the existence of multiple legacy
hardware and software systems that increase cost or otherwise impact
their ability to layer on new technology. Nondepository institution
data providers do not face these same obstacles. They do not have as
many vendors and information technology systems that would need to be
connected, and implementation could generally occur in-house. Thus,
they could move faster to implement the rule's requirements. In
preamble, the CFPB noted that data providers might need to transition
third parties to developer interfaces in a staggered order; proposed
Sec. 1033.321 provided flexibility in that respect.
Subject to the limitations of proposed Sec. Sec. 1033.321 and
1033.111(d), proposed Sec. 1033.121 would have required data providers
to make data access available by four compliance dates, all tied to
publication of the final rule in the Federal Register: (1) depository
institutions with $500 billion in total assets and nondepository
institutions that generate $10 billion in revenue in the preceding
calendar year or that are projected to generate $10 billion in revenue
in the current calendar year would have been required to comply
approximately six months after Federal Register publication; (2)
depository institutions with between $50 billion and $500 billion in
total assets and nondepository institutions that generate less than $10
billion in the preceding calendar year and are projected to generate
less than $10 billion in the current calendar year would have been
required to comply approximately one year after Federal Register
publication; (3) depository institutions with between $850 million and
$50 billion in total assets would have been required to comply
approximately 2.5 years after Federal Register publication; and (4)
depository institutions with under $850 million in total assets would
have been required to comply approximately four years after Federal
Register publication.
The CFPB sought comment on a number of issues, including whether
different or additional criteria should be taken into consideration
when determining compliance dates, on the structure of each tier, and
whether nondepository institutions should be included in all tiers. The
CFPB also sought comment on whether the final rule should include
language clarifying the time allowed to fully transition third parties
to data access, so as to ensure that data providers do not impede
timely third party access to an interface while also accounting for
reasonable risk management.
[[Page 90859]]
Comments Received
Most commenters that addressed this section stated that a tiered
implementation schedule was appropriate, while a few nondepository
entity trade association, consumer advocate, and bank trade association
and bank commenters stated that such implementation would incentivize
data aggregators and third parties to prioritize and work with larger
entities and would temporarily create gaps in consumer data access
across the market. One consumer advocate commenter also stated that
tiered compliance may inadvertently disadvantage smaller institutions
because the current speed of digital transformation can benefit larger,
more resourced providers who will have a head start on developing norms
for interfaces while less resourced providers will have less of a say
in how those interfaces are developed. A nondepository entity trade
association and a research institute commenter suggested that the CFPB
should allow transition time once an API is available to move access
gradually to the API and provide for a transition period rather than
final compliance dates. Commenters did not specify how the final rule
should structure a transition period without final compliance dates. A
data aggregator and a third party nondepository entity commenter also
suggested that the final rule impose different compliance dates on
different requirements in the final rule. One data aggregator commenter
suggested specific API endpoints by which to set different deadlines
for specific separate requirements.
Most commenters who addressed this section recommended that
compliance dates account for the timeline for development of consensus
standards (with some specific suggestions regarding standard file
format and developer interface standardized format) and occur after the
CFPB's recognition of a standard-setting body, occur after the issuance
of a qualified industry standard, or some combination of the above. See
the discussion of Sec. 1033.311(b) in part IV.C.3 below regarding the
timing of the issuance of consensus standards by recognized standard
setters.
Though a consumer advocate and a couple of third party nondepository
commenters saw the proposed compliance dates as appropriate, the
majority of commenters, including banks, credit unions, credit union
and bank trade associations, and nondepository entity trade
associations, on this section described them as too short. Commenters
explained that data providers would need to work with third parties,
taking care not to put existing consumer account connections at risk
when migrating and onboarding third parties to compliant data access,
and would also need to ensure compliance with other rules, including
any FCRA rules issued by the CFPB. Bank, credit union, and bank and
credit union trade association commenters also noted many other actions
data providers would have to engage in to comply, including updating
public-facing websites to meet disclosure requirements, generating and
publishing performance metrics, ensuring data are provided in a
standardized format, ensuring support for required data elements that
are not currently shared, building new functionality pertaining to
machine-readable files accessible for consumers, and managing new
access duration requirements, among other actions. Credit union trade
association commenters described the potential for a bottleneck in the
proposed third tier because it would cover over 1,000 banks and credit
unions, and requested an additional tier that would allow five years
for implementation. One bank commenter stated that banks with less than
$10 billion in total assets exclusively rely on third parties to
provide digital banking, including bill payment portals, and core
processing systems. One law firm commenter stated that nondepository
institution data providers would have the most burden in complying
because they are less likely to already have interfaces and policies in
place to timely receive and respond to requests for data. Different
commenters offered various time periods for how long compliance should
be. Suggestions included allowing an additional six to 18 months for
all tiers, 24 months for the largest data providers, four to six years
for small providers, and at least 10 years for all data providers.
Some bank, bank trade association, third party nondepository
entity, and nondepository entity trade association commenters requested
compliance dates for third parties and aggregators. One stated that the
CFPB should ensure that the compliance date for the largest data
providers is feasible not only for the relevant data providers but also
for data recipients. Another stated that there should be a 12-month
compliance period for aggregators and merchants that use aggregators,
and a six-month grace period thereafter for aggregators to cure any
technical violations that do not result in direct instances of consumer
harm.
Finally, one bank trade association commenter asked for
clarification as to how ownership structure influences which tier an
entity falls into as some entities are comprised of multiple types of
companies.
Final Rule
For the reasons discussed herein, the CFPB is finalizing Sec.
1033.121 with revisions to increase the number of compliance date
tiers, redefine the types of depository institutions included in each
tier, change the metrics used to define the types of data providers
included in each tier, extend compliance deadlines for all tiers, and
provide clarification for how depository institution data providers
determine compliance deadlines when their total assets do not meet the
threshold for coverage as of the effective date but subsequently cross
that threshold. Specifically, Sec. 1033.121(b) provides that, in the
first tier, depository institution data providers that hold at least
$250 billion in total assets and nondepository institution data
providers that generated at least $10 billion in total receipts in
either calendar year 2023 or calendar year 2024 must comply by April 1,
2026. In the second tier, depository institution data providers that
hold at least $10 billion in total assets but less than $250 billion in
total assets and nondepository institution data providers that
generated less than $10 billion in total receipts in both calendar year
2023 and calendar year 2024 must comply by April 1, 2027. In the third
tier, depository institution data providers that hold at least $3
billion in total assets but less than $10 billion in total assets must
comply by April 1, 2028. In the fourth tier, depository institution
data providers that hold at least $1.5 billion in total assets but less
than $3 billion in total assets must comply by April 1, 2029. In the
final tier, depository institution data providers that hold less than
$1.5 billion in total assets but more than $850 million in total assets
must comply by April 1, 2030.
Data providers must have established functioning developer and
consumer interfaces required under Sec. 1033.301(a) that are
technically capable of complying with the requirements in subparts B
and C of part 1033 by their compliance deadline. For example, developer
interfaces must be able to make available all covered data (as defined
in Sec. 1033.211) in a standardized format (Sec. 1033.311(b)) and be
capable of performing in a commercially reasonable manner (Sec.
1033.311(c)). Some data providers will be able to receive requests from
authorized third parties for covered data through their developer
interface by then. However, the CFPB recognizes that other data
[[Page 90860]]
providers may need to transition existing third party access
arrangements or otherwise onboard new third parties after their
compliance deadline as necessary to avoid violating other legal
obligations and to manage the technical integration process.
The CFPB recognizes that data providers may need time to onboard
third parties in a staggered manner in accordance with sound risk
management. It is permissible under the final rule to manage the
onboarding process in a staged manner, to the extent permitted under Sec.
1033.321. As discussed further in part IV.C.4 below, a data provider
could rely on Sec. 1033.321 to deny a third party access to the
developer interface temporarily, consistent with policies and
procedures reasonably designed to comply with safety and soundness
standards of a prudential regulator (among other legal obligations),
and if the denial complies with Sec. 1033.321(b). Once a third party
has access to the developer interface, a data provider must respond to
requests for covered data in accordance with the rule.
It will raise significant concerns if a data provider seeks to rely
on Sec. 1033.321 to justify noncompliance with the technical
requirements of subparts B and C of the final rule, such as those
impacting functionality, commercially reasonable performance, or
security of the developer interface. Such requirements are independent
of whether a data provider can deny a third party access under Sec.
1033.321. For example, it likely would be impermissible for a data
provider to deny a third party access under Sec. 1033.321 temporarily,
in connection with onboarding, solely because the data provider's
developer interface could not scale to achieve the 99.5 percent
response rate required under Sec. 1033.311(c)(1) for periods with a
high volume of requests.
To be clear, Sec. 1033.321 does not allow data providers to delay
access during the onboarding process unreasonably. For example, a data
provider could not manage the onboarding process in an inconsistent or
discriminatory manner. Establishing policies and procedures to manage
the onboarding process as expeditiously as possible in a way that
properly accounts for relevant risk management considerations will help
ensure data providers do not unlawfully avoid their obligations to
implement CFPA section 1033. In managing the onboarding process, data
providers are also subject to the rule's anti-evasion provision in
Sec. 1033.201(a)(2) and other applicable consumer financial laws,
including the prohibition on unfair, deceptive, or abusive acts or
practices.
Section 1033.121(a) provides that a data provider's compliance date
is based upon the calculation of total assets or total receipts, as
appropriate. Section 1033.121(a)(1) also provides that, for depository
institution data providers, total assets are determined by averaging
the assets reported on its 2023 third quarter, 2023 fourth quarter,
2024 first quarter, and 2024 second quarter call report data
submissions to the FFIEC or NCUA, as applicable, or its submissions to
the appropriate oversight body to the extent it does not submit such
reports to the FFIEC or NCUA. With respect to a commenter's request to
clarify how ownership structure influences which tier a depository
institution falls into for compliance purposes, the regulatory text
makes clear that a depository institution data provider looks to the
total assets it reports on its call report data submissions. Section
1033.121(a)(2) provides that, for nondepository institution data
providers, total receipts are calculated based on the SBA definition of
receipts, as codified in 13 CFR 121.104(a). Section 1033.121(c) states
compliance timelines for depository institution data providers that do
not meet the coverage threshold as of the rule's effective date, but
that subsequently cross that threshold. It provides that a depository
institution data provider has a reasonable amount of time to comply
with the rule after exceeding the size standard, and that the
reasonable amount of time shall not exceed five years. This period is
counted from the submission of a data provider's fourth call report
described in the asset size calculation in Sec. 1033.111(d)(2), the
analysis of which, under such calculation, results in an asset size
that crosses the size threshold.
The compliance periods for each tier in the final rule will ensure
that data providers of different sizes and resources will have the
appropriate amount of time to comply, in part, because the largest,
most resourced data providers will be complying first and smaller
depository institution data providers who are most likely to be relying
on core providers and other third parties will be split into
additional, smaller, more manageable tiers. The largest data providers,
many of which already have the required interfaces in development, have
until April 1, 2026, to comply, which will provide them with sufficient
time to meet the rule's requirements. Comments received from the
largest depository institution data providers, as well as data provider
trade associations and a few smaller banks and credit unions, requested
24 months for the largest depository institution data providers to
comply, but also noted that many of the largest depository institution
data providers already have interfaces that could be adapted to comply
with the final rule's requirements when issued and did not specify why
24 months would be necessary to build the developer interface required
by the rule. In addition, some commenters requesting 24 months
identified aspects of implementation related to onboarding third
parties onto a developer interface and processing requests. As
discussed above, data providers must have established functioning
interfaces by their compliance dates and are permitted to manage
granting third parties access to the developer interface, consistent
with Sec. 1033.321.
The second tier of data providers will have more than two years to
comply, which will allow them to learn from the experience coming into
compliance of the first tier of data providers; the same is true for
the third tier of data providers with more than three years for
compliance. The fourth and fifth tiers, which constitute the smallest
depository institution data providers by asset size and the entities
most likely to depend on core processors or other third parties to
assist with compliance, will be able to learn from the experiences of
the data providers that had to comply earlier and should have a
smoother transition than they might otherwise. These periods balance
the need for effective compliance with the provision of sufficient time
to ensure a smooth transition and minimize time between tier compliance
to ensure that any temporary data access gaps will be short lived. The
CFPB has revised the compliance date tiers in response to comments, to
reduce the total number of depository institutions in each tier. This
should reduce the burden on core processors and other third parties,
easing overall compliance efforts.
Consistent with the proposed rule, nondepository institution data
providers must comply with the final rule's requirements as part of the
first or second tiers. But these tiers now have more time to achieve
compliance. Further, though one law firm commenter stated that
nondepository institution data providers are most likely not to already
have interfaces and policies in place to timely receive and respond to
requests for data, this assertion does not negate the CFPB's finding,
through the SBREFA process and ongoing market monitoring, that such
data providers do not have as many vendors and information
[[Page 90861]]
technology systems that will need to be connected and that
implementation by nondepository institution data providers can occur
in-house without the need to engage core processors or other third
party vendors. These data providers also tend to have business models
that are based on the ability to adapt to technological innovations
relatively quickly. Thus, these data providers will be able to move
more quickly to implement the rule's requirements.
The final rule clarifies that, for purposes of determining an
institution's compliance date, a depository institution data provider
must look at the average total assets over a defined year of call
report data. Averaging total assets over the course of one year
provides a more accurate picture of asset holdings than just using
assets as of the end of a single calendar quarter. A nondepository
institution data provider must look at its total receipts, as
calculated based on the SBA definition of receipts in 13 CFR
121.104(a). The SBA definition of receipts is widely used in many
regulations and provides a comprehensive, consistent definition for
nondepository institution data providers to benchmark their revenue.
These provisions will ensure that all institutions are using consistent
metrics to determine compliance periods.
Section 1033.111(d) addresses asset limitations to coverage for
depository institution data providers and specifies asset calculation
methods. Section 1033.121(c) discusses compliance timing for depository
institution data providers that are at or below the asset threshold at
the effective date but later exceed the applicable threshold. This
provision allows such institutions a reasonable time to comply after
they exceed the applicable threshold, not to exceed five years. The
smallest depository institution data providers subject to the rule's
requirements as of the rule's effective date will have approximately
five years to comply, making this a logical ceiling for compliance
timing for depository institution data providers that subsequently
become subject to the rule's requirements. However, as more time passes
and more institutions implement the rule's requirements, compliance
will become less onerous, less expensive and require less time. Thus,
what constitutes a reasonable amount of time for compliance may evolve
downward with time.
The final rule does not set explicit compliance dates for third
parties because they are unnecessary. The CFPB is providing additional
time for the largest data providers to come into compliance with the
rule, which will give third parties and aggregators additional time to
prepare for implementation of the rule. In addition, transitioning the
market from screen scraping will further incentivize third parties and
aggregators to meet the requirements to request proper access under the
terms of the rule. See part IV.4 above for a discussion of whether data
providers complying with this rule are furnishers under the FCRA.
6. Definitions (Sec. 1033.131)
Card Issuer, Covered Consumer Financial Product or Service, Covered
Data, Data Provider, Financial Institution, Recognized Standard Setter,
Regulation E Account, and Regulation Z Credit Card
Consistent with the proposed rule, the coverage-related terms--card
issuer, covered consumer financial product or service, covered data,
data provider, financial institution, Regulation E account, and
Regulation Z credit card--are listed under Sec. 1033.131 with cross-
references to the full definitions in Sec. Sec. 1033.111 and 1033.211
(covered data).
The term recognized standard setter, which was finalized in the
Industry Standard-Setting Final Rule, is also listed under Sec.
1033.131 with a cross-reference to the full definition in Sec.
1033.141. As finalized in that rule, the term refers to a standard-
setting body with certain attributes listed in Sec. 1033.141(a)
(finalized as part of the Industry Standard-Setting Final Rule),
including recognition by the CFPB pursuant to certain application
procedures. The CFPB began accepting applications from standard-setting
bodies seeking recognition in the summer of 2024.
Authorized Third Party
The CFPB proposed under section 1033(a) to require data providers
to make available covered data to certain third parties ``acting on
behalf'' of a consumer. The CFPB proposed in Sec. 1033.131 to define
the term authorized third party as a third party that has complied with
the authorization procedures described in proposed Sec. 1033.401.
Proposed Sec. 1033.401 specified what requirements a third party would
have to satisfy to become an authorized third party, and thus be
entitled to access covered data on behalf of a consumer.
Few commenters addressed the proposed definition of authorized
third party. A third party commenter stated that data aggregators
sometimes function as authorized third parties. The commenter
recommended that the rule clarify how the definition applies to a data
aggregator that follows the authorization procedures, stating that the
definitions of authorized third party and data aggregator could be
modified to note that an entity could be both. More generally, several
commenters raised concerns about the scope of third parties that should
be permitted under the rule to access covered data on behalf of
consumers. These comments are addressed in part IV.D.1 below.
For the reasons discussed herein, the CFPB is adopting the
definition of authorized third party as proposed to mean a third party
that has complied with the authorization procedures in Sec. 1033.401.
As discussed in more detail in part IV.D, the authorization procedures
are designed to ensure that third parties accessing covered data under
section 1033(a) of the CFPA pursuant to the rule's framework are
``acting on behalf'' of a consumer, and therefore consistent with the
definition of consumer in CFPA section 1002(4). This definition of an
authorized third party provides a term to designate which third parties
are entitled to access consumer information, on the consumer's behalf,
pursuant to the rule's framework.
It is not necessary for the definition of authorized third party to
specify that a data aggregator may also function as an authorized third
party in other circumstances. A third party may play different roles in
different circumstances. However, for a particular request for access
to covered data, an entity would play only one role. The definition of
authorized third party (like the definitions of data aggregator and
data provider) is designed only to identify what role an entity plays
for that particular request for access to covered data.
Consensus Standard
The CFPB proposed in Sec. 1033.131 to define the term qualified
industry standard to mean a standard issued by a standard-setting body
that is fair, open, and inclusive in accordance with Sec. 1033.141(a),
which includes CFPB recognition. In the Industry Standard-Setting Final
Rule, the CFPB addressed comments regarding the proposed qualified
industry standard definition, the attributes of a standard-setting
body, and the process for CFPB recognition. The Industry Standard-
Setting Final Rule revised the definition of qualified industry
standard in proposed Sec. 1033.131 and renamed it a ``consensus
standard.''
While the Industry Standard-Setting Final Rule adopted this term,
it did not
[[Page 90862]]
address the role consensus standards would play in this final rule. The
CFPB generally proposed that conformance to a qualified industry
standard would provide ``indicia,'' or partial evidence, of data
providers' and third parties' compliance with specified provisions.
Generally, conformance to a qualified industry standard would not be
required to comply nor would it constitute compliance with a specified
provision.\53\ No provision in the proposal would have required a data
provider or third party to comply with a qualified industry standard.
---------------------------------------------------------------------------
\53\ The one exception to that approach was with respect to the
proposed requirement that a data provider's developer interface make
covered data available in a ``standardized format'' in proposed
Sec. 1033.311(b). In that case, adherence to a qualified industry
standard would have been deemed to satisfy the requirement. The
final rule instead uses the indicia-of-compliance approach in that
context, for the reasons explained in the discussion of final Sec.
1033.311 below.
---------------------------------------------------------------------------
Many commenters addressed the role consensus standards should play
in the implementation of the final rule. Generally, commenters
supported inclusion of standards set by voluntary standard-setting
bodies, and focused on whether the standards should be indicia of
compliance or something else, such as a safe harbor. Some commenters
believed consensus standards should play no role in the final
rulemaking and should rather be wholly determined by private standard-
setting bodies.
One civil rights group commenter supported the proposal's approach
to weighing standards as indicia of compliance. Further, data provider
commenters preferred to consider compliance with consensus standards as
an indicator of compliance rather than a requirement for compliance.
Some data provider and third party commenters recommended that
consensus standards provide a legal safe harbor for compliance with
various provisions of the final rule. These commenters suggested that a
safe harbor would provide certainty and clarity to market participants
and would encourage participants to invest in the setting of and
compliance with appropriate standards. Further, commenters expressed
concern that some participants may not expend the resources to conform
to consensus standards if doing so could still result in noncompliance
with regulatory requirements. Additionally, some bank commenters
recommended that if the rule does not employ consensus standards as
safe harbors, it should instead use a ``commercially reasonable''
standard. These commenters expressed concern that the ``indicia of
compliance'' terminology could receive excessive weight by market
participants, and effectively become the implicit compliance regime of
the rule.
A variety of commenters opposed the framework for recognizing
standard-setting bodies. Some commenters stated that CFPA section 1033
does not address the CFPB's authority to recognize standard-setting
bodies as capable of issuing consensus standards for data providers and
third parties, and that the proposed standards framework could conflict
with prudential requirements imposed on data providers. One research
institute commenter opposed the consensus standards framework on the
grounds that the Federal Government should not interfere with the
internal governance of private standard-setting bodies.
Generally, the CFPB has determined that consensus standards can
usefully serve as indicia of compliance for various provisions stated
throughout the final rule. If the final rule provided safe harbors, as
some commenters suggested, recognized standard setters could play a
regulatory role, rather than a consensus standard-setting one. Such an
approach would also ignore the fact that a standard may be insufficient
in some respect (for example, because it is incomplete relative to the
rule requirement at issue) or in particular, idiosyncratic circumstances.
The indicia of compliance framework maintains part 1033 as the
applicable legal standard while giving due weight to a fair, open, and
inclusive consensus standard as evidence of compliance with the
rule.\54\ Consensus standards can assist entities in fulfilling their
legal obligations but do not relieve an entity from its duty to confirm
that it is complying with the rule.\55\ By the same token, consensus
standards are not mandates.
---------------------------------------------------------------------------
\54\ In this respect, the CFPB encourages recognized standard
setters to ensure a consensus standard complies with the final rule
and that they maintain procedures that allow regulated entities to
straightforwardly evidence their conformance to a consensus standard
at negligible cost.
\55\ The CFPB may be able to provide additional guidance about
particular consensus standards, especially if market participants
seek that in particular cases. However, that is different from
providing a safe harbor for all the consensus standards that may
have some bearing on rule compliance, as requested by some
commenters.
---------------------------------------------------------------------------
While some commenters advocated for a ``commercially reasonable''
test as a substitute for consensus standards, the CFPB believes that
looking exclusively at commercial reasonableness would ignore the
potential benefits of more specific consensus standards developed
through a fair, open, and inclusive process involving all stakeholders.
As discussed below, in the context of Sec. 1033.311(c)(1), a developer
interface must provide a response within a commercially reasonable
amount of time, and indicia of such a response include conformance to
an applicable consensus standard.
Regarding the comment opposing Federal Government involvement in
the governance of private standard-setting bodies, the CFPB notes that
it has a legitimate interest in ensuring that standard-setting bodies
follow an appropriate process when issuing standards as to which
conformance carries some indicia of compliance with a CFPB rule.
Moreover, no existing or future private entity is required to become a
CFPB-recognized standard-setting body, and a range of external
standards may continue to be of utility and value to regulated entities
even if they are not consensus standards adopted by recognized standard
setters. The CFPB is finalizing the provisions of the final rule that
cite consensus standards using its rulemaking authority under CFPA
section 1033(a) and (d) and section 1022(b)(1). These provisions carry
out the objectives of section 1033 by encouraging the development of
fair, open, and inclusive industry standards that will facilitate
implementation of the final rule.
Regarding some commenters' concern that consensus standards could
conflict with prudential requirements, CFPA section 1033(e) requires
that the CFPB consult with the prudential regulators and the FTC so
that certain objectives are met. In compliance with this provision,
prior to issuing the Industry Standard-Setting Final Rule the CFPB
consulted on several occasions with staff from the prudential
regulators and the FTC to discuss various aspects of the rule,
including criteria for and processes with respect to standard-setting
bodies. Such discussions were, in part, to achieve effective alignment
between the Industry Standard-Setting Final Rule and prudential
requirements. The CFPB has conducted further consultations after the
release of the Industry Standard-Setting Final Rule and is not aware of
conflicts with prudential requirements. In addition, because consensus
standards serve as indicia, nothing in a consensus standard could
legally override a Federal legal obligation, prudential or otherwise. A
hypothesized conflict, accordingly, could not be meaningful.
Details about the role of consensus standards with regard to
particular requirements of the final rule can be found in the
discussion below.
[[Page 90863]]
Consumer
The CFPB proposed in Sec. 1033.131 to define the term consumer for
purposes of part 1033 to mean a
[…truncated; see source link]