The Consumer Financial Protection Bureau (CFPB) has issued its long-awaited final rule on open banking, which would require financial institutions, credit card issuers and other firms to transfer personal financial data to other providers for free at the consumer’s request.
Although last year’s proposal applied to data linked to bank accounts, credit cards and mobile wallets, the final rule applies to payment apps as well. Banks and credit unions with less than $850m in assets are exempt.
Consumer control
The rules are meant to ensure consumers maintain control of their banking history if they switch from one financial institution to another. In other words, they seek to make sure the data surrounding the transfer of financial data, such as transaction records and the information needed to initiate payments, make the move to the new institution – and without a cost to the consumer.
“Too many Americans are stuck in financial products with lousy rates and service,” CFPB Director Rohit Chopra said in a statement. “Today’s action will give people more power to get better rates and service on bank accounts, credit cards and more.”
In addition to what Chopra mentioned as a benefit, the rule also may help users with shorter credit histories obtain credit by allowing lenders to access income- and expense-related data held on other platforms, the CFPB said. Plus it may boost security of “pay-by-bank” transactions, the agency said.
Chopra compared the transition to the rules that now allow mobile phone users to switch providers while keeping the same number, and said the coming change should help bring US payments systems more in line with advances in other developed countries.
Privacy concerns, surveillance pricing
Under the rule, third parties can only collect, use or retain data to deliver the product the consumer requested, the CFPB said. That means they can’t secretly use or keep consumers’ data for unrelated business reasons – marking a pivot away from some of the consequences generated by screen scraping.
The CFPB requires that the data be used only for the purposes requested by the consumer, and access cannot exceed one year without explicit reauthorization. When requested by the customer, any institution’s data access must be ended immediately.
“The final rule makes clear that when consumers authorize companies to obtain their personal financial data on their behalf, these companies are not acting as service providers to the financial institutions holding the consumer’s data – those companies are acting on behalf of the consumer,” Chopra said in prepared remarks he delivered at a conference organized by the Federal Reserve Bank of Philadelphia.
“The rule is designed to ensure that open banking does not become a new data pipeline that fuels surveillance pricing or other manipulative mischief,” he said.
The rule does permit third parties to engage some secondary uses of consumer-authorized data, such as those to improve the requested product or service, though.
Pushback
Banking lobbying groups said the rule could jeopardize consumer data security and exceeded the agency’s legal powers. On the flip side of that argument, the American Fintech Council (AFC) complained the consumer data provisions of the new rules were too restrictive.
AFC represents fintech providers, a number of them in the earned wage access (EWA) space, and the AFC’s Head of Policy and Regulatory Affairs, Ian Moloney, said: “The rule will lead to a reduction in consumer choice, needless customer confusion, the elimination of fair competition and innovation, higher costs and less financial freedom for consumers, and the likely shuttering of smaller providers.”
The open banking rule is a long-overdue activation of Section 1033 of the Dodd-Frank Act, passed 14 years ago, labeled “Consumer Access to Financial Records.”