MX Comments on the CFPB’s Required Rulemaking on Personal Financial Data Rights


MX applauds the Consumer Financial Protection Bureau (CFPB) for advancing the cause of financial empowerment by proposing a rule that would make enforceable the Congressional directive that consumers have access to data regarding their financial products and services, and that would do so in a way that mitigates financial risks and reduces potential consumer harm. The Notice of Proposed Rulemaking (NPRM) under Dodd-Frank Act Section 1033 is an important milestone in ensuring consumers have the right to access and control their financial information.

MX’s mission is to empower the world to be financially strong. At the core of delivering on our mission is the ability for consumers to access, direct, and control their financial data to improve their financial outcomes. MX believes that financial data should be accessible and actionable for all consumers to better enable decisions, experiences, and outcomes. We also believe that increased competition, a level playing field, and increased digital innovation can help improve financial outcomes for consumers.

We believe that the success of the financial industry, future innovation, and the financial health of Americans can all be greatly enhanced by increased clarity of data rights and the implementation of this rulemaking. 

Following are MX’s recommendations to enhance the proposed rule and what it means for our clients, partners, and the consumers we collectively serve. 

A Narrow Scope Could Narrow Benefits

MX is concerned that the narrow scope of the proposed rule could “lock in” the market, by leading holders of consumer financial data that are not covered by the rule to block consumer data access for the long term. This could discourage further innovation and competition that depends on an enforceable right to data access, as well as prevent data from being used to benefit consumers to the fullest extent possible. 

To address these concerns, MX recommends:

  • Expand the definition and scope of data providers to go beyond Regulation E “financial institutions,” Regulation Z “card issuers,” and payment facilitators. Institutions outside of these defined areas hold a significant amount of consumer financial data. We believe consumers should be able to access and share their financial data to enable product comparison services for credit and savings products, automatic coupons, public benefit accounts, tax preparation services, retirement accounts, loyalty programs, investment advisory, brokerage services, and payroll services.
  • Ensure that data necessary for beneficial use cases remains available — both now and in the future. For instance, additional information not currently defined as “covered data” by the proposed rule supports use cases that benefit consumers and reduce harm by providing higher fidelity data sets to be used in fraud models, enabling competitive offers for credit products, and demonstrating how deposits could generate higher returns by switching to higher yield savings or investment vehicles.
  • Expand permitted data uses to allow those that are pro-consumer and pro-competition. While MX supports data usage limitations that protect the consumer, the proposed rule would likely prevent authorized third parties from using permissioned data in a manner that would benefit the consumer and support increased competition and innovation. This can include data enhancement services that make transaction data more understandable for consumers, leveraging data for product improvements, and enabling insights for consumers such as cash flow projections, financial wellness trends, etc. 

Vague Compliance Obligations Could Mean Varied Compliance 

In some cases, the proposed rule provides only high-level guidance on data provider and third-party obligations. Without clarification, this could cause confusion and lead to varied approaches to maintaining compliance with the final rule, which in turn could lead to consumer harm and hinder competition and innovation across the market.

Here are a few key areas that require additional clarity: 

  • Non-discriminatory access. The industry currently works with a one-to-many model, in which intermediaries provide the ability to scale to multiple data recipients. To be compliant with the rule, data providers must be able to demonstrate that they are enabling access for data recipients, including intermediaries, on a non-discriminatory basis.
  • Tokenized Account Numbers (TANs). While there are privacy and security advantages to the use of TANs, the technology is still at an early stage and lacks standardization, which creates risks for consumers, merchants, and financial services providers.  
  • Access caps. Data providers should not be permitted to restrict the total amount of covered data that third parties request over a given period of time, as each of these requests would be consumer-authorized and reasonably necessary to provide the product or service. 
  • Third-party obligations. The CFPB should ensure that authorized third parties understand their obligations and what it takes to satisfy them. This clarity is especially important given a data provider’s unilateral authority to decline requests for access to consumer data based on its own assessment of whether the third party has followed the authorization procedures, such as consumer disclosures and consent, and of the third party’s data security.
  • Consumer consent and authentication. Consumer consent needs to be clear, conspicuous, and specific in all cases to accelerate understanding of consumer actions while reducing friction. In addition, the CFPB should make it clear which party is responsible for capturing consent and ensure there are standards on how that consent is captured consistently.
  • Technical and interface standards. The CFPB is looking to recognize a standard-setting organization (SSO) to set and maintain technical and interface standards. We believe the interoperable standard developed by the Financial Data Exchange (FDX) has been successful in accelerating the adoption of secure data sharing, and FDX is well-positioned to continue driving consensus among diverse stakeholders regarding emerging Open Banking standards.

Implementation Takes Time

The compliance period needs to accommodate the operationalization of the developer interface (API) and allow existing agreements to continue while connections through that interface are being established. It takes time to code to an API and to register all data recipients. It may also take significant time to resolve data access disagreements or address risk management concerns. And it will take additional time to transition from credential-based screen scraping to API connections in a way that doesn’t unduly interrupt consumer access.

Figure: Proposed CFPB Compliance Rollout Timeline

Figure: Basic Open Banking API Implementation Timeline

What’s Next

We believe this rule should augment and enhance the current benefits that consumers receive through data-driven technology today — and not reduce current access or scope. Complying with the new rule, while upholding existing functionality, will be critical to ensuring consistency — and reducing harm — for consumers.

The CFPB is currently reviewing the more than 11,000 comments submitted on the proposed rule. We can expect more engagement and questions from the industry and members of Congress over the next six or more months as the CFPB evaluates comments and makes revisions ahead of a final rule, likely in late fall 2024. During this interim, financial institutions and fintechs have an opportunity to join the conversation through industry groups like FDX and to engage with the U.S. Senate Banking Committee or the House Financial Services Committee.

In addition, here are six ways financial institutions and fintechs can prepare now for the implementation of the final rule:

1. Data Governance

Data flows across multiple departments and lines of business within an organization, so it is important to have a clear picture of how data moves through the organization and where it sits. Map out who owns each data element that will be covered under the new rulemaking and the processes within each line of business that could affect your ability to satisfy the requirements.

2. Current Data Traffic

Do you have a clear picture of the data flowing into and out of your organization today, including the consumer consent behind it? Audit all current data traffic to understand the parties involved, the types of data accessed, the permissions granted, and so on.

3. Partner Relationships

Review your third-party agreements to ensure that current partners can satisfy new requirements related to data security, privacy, availability, and retention.

4. Budget Allocation

Given the nature of budgeting cycles, if you don’t begin talking about budget needs today, you’ll be behind when the Dodd-Frank Act Section 1033 rule goes into effect. Start talking with your finance, legal, and third-party management partners internally today to prioritize the budget spend necessary to meet new obligations.

5. Additional Data Uses

Depending on where the final rule lands, how you manage secondary use cases may need to change. Research any impacts to your products or services based on secondary use cases of data and develop mitigation strategies.

6. Consumer Consent

Review and update disclosure statements and authorization processes to ensure disclosures are in plain English for consumers and that you can meet the updated requirements.

Want to learn more? Read MX’s full comment letter to the CFPB.

11K+ Industry Comments, 10 Common Themes 

A Summary of Key Themes based on Industry Responses to CFPB Requests for Comment

1. Scope of Data. Is it Enough?

The proposed rule contemplates applying to a small subset of covered entities, including those that provide asset accounts subject to Regulation E, credit cards subject to Regulation Z, and payment facilitators. This leaves out a majority of the financial ecosystem and significant amounts of consumer financial data, including loans, investments, retirement accounts, and more.

2. Restrictions on Secondary Use Cases. Will This Hamstring Consumer Benefits?

Proposed limitations on secondary use cases would prevent companies from using consumer-permissioned data in a manner that would benefit the consumer and support increased competition and innovation. 

3. Risks and Liability. Who’s on the Hook? 

Ambiguity in liability definitions could create varying interpretations that lead to more confusion. Many comments call for more explicit statements related to third party risk management and liability for mishandling of data or data breaches. 

4. Fees. Should Reasonable Fees Be Allowed? 

The proposed rule does not allow financial institutions to charge for data access. Industry comments are split between FIs who want to charge and industry groups who believe such costs would negatively impact consumers.

5. Technical and Interface Standards. Does a Named SSO Need to Come Before the Final Rule? 

Many responses agree with the premise of an industry standard-setting organization (SSO) but worry about the practicalities and timing. For instance, several ask the CFPB to recognize an SSO prior to the final rulemaking to minimize disruption to the data sharing environment and avoid delays in the industry’s ability to implement the rule.

6. Transitioning from Screen Scraping. How Do We Do This Most Effectively?  

The proposed rule doesn’t provide guidance on how to manage the transition from screen scraping to an API without disrupting operations or consumer access to data. Comments ask for clarity to ensure data providers don’t simply shut off access to comply with the rule but instead find a way to keep data flowing during the transition.

7. Consent and Authentication. How Do We Keep it Safe and Easy for Consumers? 

While there is broad support for strong authorization and authentication protocols to keep consumer data safe, comments encourage the CFPB to look for ways to streamline consumer consent to avoid adding friction and undue burden for the individual, and to clarify authentication processes to minimize risk.

8. Tokenized Account Numbers. Too Soon? 

TANs can provide some security and privacy advantages. But, they lack standardization today, which creates increased risks for consumers, merchants, and financial services providers. 

9. FCRA and Data Broker Rules. How Do We Manage the Overlap? 

Many comments ask the CFPB to clarify how the Section 1033 rule overlaps with other rules like the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act. These regulations overlap significantly, and their combined impact on financial providers is not yet fully understood.

10. Implementation Timeline. Is There Enough Time to Become Compliant?

Many are raising concerns about the proposed compliance timelines, citing the need for more time to meet the requirements and operationalize an API without interrupting consumer access in the meantime.