What the CFPB's open banking rule will do to data privacy, security

Photo: Rohit Chopra, director of the Consumer Financial Protection Bureau (CFPB), testifying before the House Financial Services Committee. Credit: Tierney L. Cross/Bloomberg

The Consumer Financial Protection Bureau (CFPB) released its final open banking rule on Tuesday, requiring banks over the next six years to allow customers to share their financial information with third parties like budgeting app providers, lenders and even other financial institutions.

The rules are designed to grant Americans greater agency over their financial data, promoting data privacy through new transparency rules and data security with existing standards from the Federal Trade Commission and prudential regulators.

While banks have complained that the rule opens them up to liability over third parties' handling of consumer data, the rule addresses other security and privacy concerns. Two, according to the CFPB, are that the rules grant greater privacy rights to consumers and greater security by limiting the means third parties may use to access this data to only the most secure available options. A third is that the rule clarifies and builds on the data security standards to which banks and non-bank financial services companies are held.

Here are three ways the CFPB's Personal Financial Data Rights Final Rule will affect data privacy and data security at banks:

Banks, third parties will owe consumers more control over data

When a consumer permits a third party access to their banking data, the bureau's new rule grants the consumer the right to know what financial data the third party collects, where it is stored and with whom it is shared. Banks, fintechs, and any company that consumers grant access to their data will share the responsibility for providing consumers these rights.

Consumers will also gain the legal right to revoke this access at any time. When a person revokes access, the rule mandates the immediate termination of data access and deletion of the data.

The rule also enables consumers to transfer their bank data to another bank. Consumers will not have to pay fees or clear hurdles from companies that make it harder to switch providers, the bureau said.

Rob Nichols, president and CEO of the American Bankers Association, raised some objections to the new rule.

"While we are still evaluating the details of the final rule, it is clear that our longstanding concerns about scope, liability, and cost remain largely unaddressed," said Nichols. "This is disappointing after so many years of good-faith efforts by parties on all sides to improve consumer outcomes."

According to one consumer advocate, the Personal Financial Data Rights Rule finalized Tuesday builds on previous consumer data privacy protections and facilitates competition with the credit bureaus. According to Chi Chi Wu, senior attorney at the National Consumer Law Center (NCLC), the credit bureaus have exercised an "oligopoly" that leaves consumers with little choice.

"This new rule also gives consumers greater control over what data is used and how," Wu said. "It should serve as a model for all data privacy regimes in the United States. It far exceeds the protection of weaker privacy laws that preceded it, such as the Gramm-Leach-Bliley Act."

Building on GLBA, FTC data privacy standards

Under the bureau's new rule, non-bank companies involved in data access must comply with the Federal Trade Commission's (FTC's) Standards for Safeguarding Customer Information, rather than the standard to which banks and credit unions are held: Section 501 of the Gramm-Leach-Bliley Act (GLBA).

"A data provider must apply to the developer interface an information security program that satisfies the applicable rules issued pursuant to section 501 of the GLBA," reads the 594-page final rule. "Alternatively," it goes on, "if the data provider is not subject to section 501 of the GLBA, the data provider must apply to its developer interface the information security program required by the FTC's Standards for Safeguarding Customer Information."

While the final rule itself is extensive, the bulk of it is what the CFPB calls a "preamble" — responses to comments submitted on the bureau's proposed rule, and explanations of why the bureau did or did not change the regulation in response to those comments. The regulation itself is 38 pages in length.

The differential standards for banks and non-banks apply to both data providers' developer interface and third parties' systems for collecting, using and retaining data from these interfaces. In other words, whether a bank or non-bank is providing or taking data, the FTC standard applies to non-banks, and the GLBA standard applies to banks.

While the content of the two standards differs in level of detail and prescriptiveness, the key difference is oversight. Prudential regulators enforce the GLBA with proactive examinations, whereas the FTC enforces its regulations through investigations and law enforcement actions, which are reactive rather than proactive.

In addition to these requirements, large data aggregators are subject to supervisory examinations by the CFPB, according to the final rule. These examinations, the bureau said, are ongoing.

Data aggregators, according to the rule, serve as a facilitator between data providers and third parties. While not explicitly named as an example of a large data aggregator in the rule, Plaid is a major player in the space.

Screen scraping will effectively be banned

While the final rule does not explicitly ban screen scraping, it does set out rules that will effectively ban the practice in many situations.

The final rule mandates that data providers (e.g. banks) establish and maintain a developer interface (e.g. an API) for secure and standardized data sharing with authorized third parties. The bureau picked the term "developer interface" to be intentionally broad and avoid prescribing APIs specifically, in response to concerns that the rule should not hold banks to using a specific technology.

The final rule prohibits data providers "from relying on a third party's use of consumer credentials to access the developer interface." In other words, a third party can't use the consumer's online banking password to access the bank's developer interface.

The bureau cautioned in its final rule that, once a data provider has established a developer interface, screen scraping attempts by third parties "could well be limited" by the Consumer Financial Protection Act's prohibition on unfair, deceptive, and abusive acts or practices because the third party would be "needlessly exposing consumers to harm" by storing the user's account credentials.

There will be exceptions where screen scraping is permitted, according to the final rule. One example the CFPB highlighted was cases where a consumer permits a third party to access data at a financial institution that is not required to establish a developer interface. Institutions not covered by the rule and not required to maintain a developer interface include those with less than $850 million in assets.
