One of the things I enjoyed about taking AP English in high school was learning about the relationship between reading speed and reading comprehension.

I had never really contemplated that relationship before, and I certainly hadn’t tested my own personal limits for speed and comprehension, but if you’re going to get 4s on the AP English Literature and Language tests (mild brag!), that’s what you need to do.

As it turns out, I can read really fast but with comparatively poor comprehension.

The reason I mention this is that the CFPB dropped the final version of its Personal Financial Data Rights Rule on Tuesday of this week. The rule is 594 pages, which is far too long for me to have read in the last couple of days with perfect comprehension.

However, that didn’t stop me from speed-reading those 594 pages, with something less than perfect comprehension, in order to bring you my early thoughts.

My efforts were aided by a 15-minute interview with Rohit Chopra, Director of the CFPB, which I conducted Tuesday night. We didn’t get a chance to cover everything I was interested in, but he did provide me with some really useful color commentary, which I have sprinkled into my analysis below.

What Didn’t Change?

As regular readers will know, the CFPB released the draft version of this rule one year ago. That Notice of Proposed Rulemaking (NPRM) required entities (both banks and non-bank financial service providers) to build dedicated ‘developer interfaces’ (i.e., APIs) to make data available to consumer-permissioned third parties for financial accounts covered by the rule.

After releasing the proposed rule, the bureau received thousands of comments from banks, fintech companies, trade groups, public policy shops, and consumer advocates. That feedback (which I summarized here) shaped the CFPB’s final rule in several interesting ways.

However, before we get to what changed, I want to quickly recap what didn’t change between the proposed rule and this week’s final rule. Here are the key points:

  • Covered Accounts. The accounts covered by the final rule did not change. It’s still Reg E (deposits, digital wallets, etc.) and Reg Z (credit card) accounts. The bureau declined to add electronic benefit transfer (EBT) accounts, installment loans, wealth management/investment accounts, or payroll data, though it did declare its intention to add additional account and data types through future rulemaking. The only noticeable difference between the proposed rule and the final rule is the clarification that BNPL products that the bureau has already classified as Reg Z accounts (pay-in-4 BNPL) are (as I suspected) in scope for this rule.
  • Requirements for Data Providers. Data from covered accounts must be shared (with the consumers’ authorization) through developer interfaces, including historical data up to 24 months old. These interfaces must meet minimum performance metrics specified by the CFPB, and data providers are not permitted to charge for access to consumers’ data.
  • Requirements for Authorized Third Parties. Third parties that are authorized by consumers to access their data must meet specific disclosure, consent, data retention, and data security requirements. Additionally, they are generally restricted from using consumers’ data for any secondary purposes (though there have been some important changes on that front, which I discuss below).
  • Pay-by-Bank Stays In. Payment initiation remains in the final rule. Banks made a strong push during the commenting period to get payment initiation descoped from the final rule. The CFPB declined to heed this feedback, and in my conversation with Director Chopra, he specifically emphasized pay-by-bank as a use case he was focused on, saying, “I think payments is going to be a really important use case for all of this, and creating more ways that people can pay I think is going to be very exciting.”  

What Changed?

When I asked Director Chopra how the bureau approached incorporating feedback from industry into the final rule, he painted a picture of an industry divided: 

We received a ton of feedback on the proposal, and often that feedback was in direct conflict with each other. Even in the industry, there are diametrically opposed views on whether we should add anything that looks like open banking, and it’s no surprise that there was a major tension between incumbents and challengers.

Fully resolving this tension would have been impossible for the CFPB. There are some banks out there that still do not believe that consumers should be allowed to share their own data, and obviously that’s not a position that the CFPB (or most of the industry) will seriously entertain.

So, instead, the bureau had to make some tough judgment calls. These include:

Tokenized Account Numbers 

TANs are dynamically generated substitutes for account numbers, which can be used to securely initiate payments without requiring the actual account number to be shared. As with many other tokenization use cases, the argument for TANs boils down to security. They are safer for consumers and financial institutions, and they allow for more granular fraud management (if a specific TAN is compromised, it can be revoked without having to replace the consumer’s entire account).

During the commenting period, several fintech companies and data aggregators argued against allowing TANs under the final rule, largely because they would break existing fraud detection and marketing processes, which depend on a centralized account number to track consumers’ activities. They also pointed out that tokenization can be, and has been, used by incumbents to unfairly lock consumers and merchants into their ecosystems.

In its final rule, the CFPB decided to allow for the use of TANs, “as long as the tokenization is not used as a pretext to restrict competitive use of payment initiation information.” This is an important change, and the CFPB stated in the rule that it will be closely watching the market to ensure that TANs aren’t used in an anti-competitive way by incumbents. Additionally, the CFPB is requiring that data providers make a truncated account number or other account identifier available, where applicable. This should address the concern about TANs interfering with established fraud detection processes (although it cannot be used for all secondary uses, as I explain below).
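To make the two security properties discussed above concrete (a compromised TAN can be revoked without touching the underlying account, and a truncated identifier still lets a fraud team link activity across tokens), here is an added illustration of a minimal tokenization vault. It is not code from the CFPB rule, from FDX, or from any data provider; the class, the third-party binding, and the sample account number are my own constructs for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class TokenRecord:
    account_number: str   # real account number; it never leaves the vault
    third_party: str      # the authorized third party this TAN was issued to
    active: bool = True   # cleared on revocation


class TokenVault:
    """Hypothetical data-provider vault that maps TANs to real account numbers.

    Each TAN is random (no relationship to the account number) and is bound to
    the third party it was issued to, so a TAN that leaks from one recipient is
    useless to anyone else and can be shut off on its own.
    """

    def __init__(self) -> None:
        self._tokens: dict[str, TokenRecord] = {}

    def issue_tan(self, account_number: str, third_party: str) -> str:
        # 16 random digits so the TAN fits wherever an account number would.
        while True:
            tan = "".join(str(secrets.randbelow(10)) for _ in range(16))
            if tan not in self._tokens:
                break
        self._tokens[tan] = TokenRecord(account_number, third_party)
        return tan

    def resolve(self, tan: str, third_party: str) -> Optional[str]:
        """Return the real account number only for an active TAN presented by
        the party it was issued to; anything else resolves to nothing."""
        rec = self._tokens.get(tan)
        if rec is None or not rec.active or rec.third_party != third_party:
            return None
        return rec.account_number

    def revoke(self, tan: str) -> bool:
        rec = self._tokens.get(tan)
        if rec is None:
            return False
        rec.active = False
        return True


def truncated_identifier(account_number: str) -> str:
    """The stable, non-secret identifier the rule asks providers to expose
    alongside TANs (last four digits here; the exact form is my assumption)."""
    return "****" + account_number[-4:]


def demo() -> dict:
    # Constructed sample data, not a real account.
    account = "123456789012"
    vault = TokenVault()
    tan_payments_app = vault.issue_tan(account, "payments-app")
    tan_budgeting_app = vault.issue_tan(account, "budgeting-app")

    before = {
        "distinct_tans": tan_payments_app != tan_budgeting_app,
        "payments_resolves": vault.resolve(tan_payments_app, "payments-app") == account,
        # A TAN presented by a party it was not issued to resolves to nothing.
        "cross_party_blocked": vault.resolve(tan_payments_app, "budgeting-app") is None,
        # Fraud teams can still link both TANs to the same underlying account.
        "same_truncated_id": truncated_identifier(account) == "****9012",
    }

    # Suppose the payments app's TAN is compromised: revoke just that token.
    vault.revoke(tan_payments_app)
    after = {
        "revoked_tan_dead": vault.resolve(tan_payments_app, "payments-app") is None,
        # The other third party's TAN, and the account itself, are untouched.
        "other_tan_alive": vault.resolve(tan_budgeting_app, "budgeting-app") == account,
    }
    return {**before, **after}


if __name__ == "__main__":
    print(demo())
```

The point of binding each TAN to its recipient is that revocation becomes a per-relationship decision: the data provider cuts off one third party's token and nothing else in the consumer's life changes, which is the "more granular fraud management" argument in its simplest form.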

FCRA

As I have written about several times, open banking is one piece of a larger puzzle that the CFPB is trying to assemble for the regulation of the data economy. 

Director Chopra made this point in his comments to me, saying, “a major point of focus for me in the rule was making sure that open banking in the US did not turn into an underworld of data broker mining.” He also referenced the work that the CFPB is doing to modernize the FCRA to better regulate data brokers, “the Fair Credit Reporting Act is our primary law on the books that covers data assembled about consumers and usually for sale. We are trying to also make sure that those rules reflect the realities of today.”

In the comment period for the Personal Financial Data Rights Rule, a lot of questions were asked about how it might overlap with the CFPB’s data broker rulemaking and, more broadly, how the FCRA applies in the world of consumer-permissioned data (this was a particular concern for data providers, which carry significant costs when acting as data furnishers under the FCRA).

In its commentary, the CFPB makes it clear that the final rule does not alter the applicability (or lack thereof) of the FCRA. However, it did make one clarification, which I found quite interesting:

The CFPB would not consider data providers under this final rule to be furnishers solely by virtue of permitting data access pursuant to an authorization that is consistent with the final rule. This is the case even assuming data are provided to a data aggregator that qualifies as a consumer reporting agency. In these unique circumstances, the consumer, and not the data provider, would be the party that is furnishing data to the consumer reporting agency. 

It’s not clear to me yet what impact, if any, this will have on cash flow underwriting, but it’s something to monitor as we move into the implementation phase for the rule.

TPRM

One of the key points of contention in the proposed rule was the standard that a data provider (particularly a regulated bank) would need to meet in order to be allowed to deny access to an authorized third party (like a fintech company).

The original proposal was rather vague on this question, pointing to unspecified “risk management concerns.”

The final rule works to clarify this risk management standard by specifying two distinct buckets of risk, which regulated banks are already required to have documented policies and procedures to address — safety and soundness risks and information security risks.

The idea is to encourage data providers to take a principles-based approach to evaluating new third parties and to base all denials on well-articulated reasons that can be tied back to specific risk management policies and procedures.

When it comes to liability (the other side of the risk management coin), the CFPB declined to provide any hard and fast rules for assigning liability or providing indemnification or safe harbor. The final rule allows for contractual arrangements between data providers and third parties for the purpose of risk management, but it warns data providers against using such arrangements to improperly push for specific terms, especially to escape their legal liability for losses due to unauthorized transactions under Reg E and Reg Z.  

Interestingly, the CFPB left the door open in the final rule for a “credentialing or registry system” that could assist data providers in assessing the risks of third parties and providing reasonable evidence that could inform decisions over access to developer interfaces. The bureau acknowledged that such a system is unlikely to be built in the immediate future but could perhaps be built out eventually by an entity in close coordination with the CFPB and other regulators (FDX feels like a natural choice for this job, even though they are firmly focused on just technical standards for the moment).         

What (Almost) Everyone Agrees On

While the CFPB had to make plenty of tough calls in the final rule, there were a few changes that (almost) everyone agreed were necessary.

The two big ones were compliance timelines and secondary use.

Compliance Timelines

The proposed rule would have required data providers to be in compliance within the following windows based on their size:

  • Depository institutions with $500 billion or more in assets and non-bank companies with $10 billion or more in annual revenue would have had six months.
  • Depository institutions with $50 billion to $500 billion in assets and non-bank companies with less than $10 billion in annual revenue would have had one year.
  • Depository institutions with $850 million to $50 billion in assets would have had two and a half years.
  • And depository institutions under $850 million in assets would have had four years.  

To be blunt, no one in the financial industry thought these timelines were reasonable.

They told the CFPB this, in no uncertain terms, and the CFPB listened!

Here are the new size thresholds and timelines:

  • Depository institutions with $250 billion or more in assets and non-bank companies with $10 billion or more in annual revenue have until April 1, 2026.
  • Depository institutions with $10 billion to $250 billion in assets and non-bank companies with less than $10 billion in annual revenue have until April 1, 2027.
  • Depository institutions with $3 billion to $10 billion in assets have until April 1, 2028.
  • Depository institutions with $1.5 billion to $3 billion in assets have until April 1, 2029.
  • Depository institutions with $850 million to $1.5 billion in assets have until April 1, 2030.
  • And, as they requested, depository institutions under $850 million in assets are exempt. 

Here’s how Director Chopra described the decision to adjust the timelines:

[We] looked pretty carefully at how this would be dealt with by banks and credit unions of all sizes, fintechs of all sizes. We even thought about what the ecosystem would look like once retailers and merchants were plugging in, or investments and securities were plugged in, other payments companies, payroll providers. 

So one of the things where we landed was that we did extend the required compliance period, and part of that was to work out some of the details that need to be done by the private sector. The private sector needs to figure out how it will develop a common set of standards. We are working very hard to process applications by standard setting organizations. I think the industry also controls a lot of the network rules for payments, and many of those need to be updated to reflect the realities of pay-by-bank and other solutions. So we did extend the period of time a little bit.

While I’m guessing that the folks at FDX might bristle a bit at the “the private sector needs to figure out how it will develop a common set of standards” quote, and I personally think the decision to exclude banks under $850 million in assets is silly (those banks’ consumer customers want open banking too! And it’s not like the core providers can’t also enable developer interfaces for their smallest community bank customers), overall, I think the CFPB got this change right.

Secondary Use

The proposed rule included a shockingly strict restriction on third parties processing covered data for secondary purposes – i.e., any collection or use beyond what is “reasonably necessary” to deliver the product or service requested by the consumer.

The impetus for this restriction is Director Chopra’s concern about the potential misuse of open banking, absent strong and comprehensive data privacy and protection laws, which we lack (at a federal level) in the U.S.:

I spoke a lot to other regulators around the world about how they thought through this and some of those jurisdictions actually already had in place relatively recent data protection laws that could easily apply to the financial sector. We don’t really have that here. We have some state laws, but most of those state laws don’t really apply to companies in the financial services sector, so we had proposed very significant limitations on how consumer permission data could be used, and the overall principle, which got a lot of support, was that you can’t use the data for some entirely different purpose than the consumer expects, and it was a real concern for me that you’d have people offering an auto loan or a credit card, but really just seeking to collect that data for some other purpose altogether, including selling the data or using it to build profiles about people.

I can appreciate the intention here, and I think most industry participants agree that certain secondary uses that are common in the world of data brokers (like reusing data to build behavioral profiles on consumers) are unequivocally bad and should be restricted.

However, the vast majority of the feedback that the CFPB received on its proposed secondary use restrictions, including feedback from entities that are generally very pro-consumer and pro-privacy, was that the bureau had gone too far in restricting secondary use.

So, the final rule makes some small changes to this restriction.

Specifically, the final rule allows for secondary use by authorized third parties under three additional conditions:

  1. Uses that are specifically required under the law, including complying with subpoenas and other requests resulting from judicial process or government regulatory authority.
  2. Uses that are reasonably necessary to prevent fraud or unauthorized transactions.
  3. Uses that are reasonably necessary to improve the product or service that the consumer requested.      

These concessions are significantly less than what many in the financial industry were hoping to see in the final rule (the continued prohibition against de-identified data for secondary uses is puzzling to me), but they are concessions nonetheless. 

We’re Just Getting Started

It’s very exciting to have the finalized Personal Financial Data Rights Rule. It’s a big step forward for the financial industry and for the U.S. as a whole. 

(Editor’s Note — it’s also the culmination of an outrageous amount of hard work by the folks at the CFPB, past and present, most of whom don’t get nearly the attention or appreciation they deserve. My congratulations to them!)

That said, it’s by no means the end of the journey.

The work to make the financial data economy work better for consumers and small business owners continues. 1033 is just one of the pieces of that puzzle, as Director Chopra described to me:

It’s really interconnected to a lot of the other priorities we pursued, particularly with respect to payments, the future of the mortgage market, and the more I think you’re going to see a real ongoing focus on how to bring this all together over time. I think the vision that many people have is to make account switching much more seamless, to eliminate the frictions when it comes to refinancing. And for me, I think a major goal will be figuring out how to reduce the system’s dependence on credit scores.

And not everyone is going to agree with all of the steps that are taken on that journey. On the same day that the CFPB released the final rule, the Bank Policy Institute (which represents the biggest banks in the country) filed a lawsuit against the CFPB, challenging the rule.

Bottom line — we’re just getting started.

Alex Johnson