Section 1033 of the Dodd-Frank Act states that consumers have the right to access their own bank account and transaction data in a usable electronic format. This provision mandates that the CFPB adopt a rule relating to data access. However, the timeline for this rule has been fluid, in part due to the CFPB’s full agenda and the time needed by Rohit Chopra, the CFPB’s new director and a former member of the Federal Trade Commission, to make his own determinations about the rule.
In the absence of data-access regulations, consumers using digital apps face many uncertainties. Any delay to the rule would be a setback for both consumers and fintechs given the mass adoption of mobile apps – many offered in partnerships with banks – to help consumers manage their finances. Some industry experts now think the CFPB will convene a small-business review panel in April. A panel would meet with regulated small businesses, likely including rural and community banks, for advice on how to minimize the impact of a rule on small entities, and would be considered by many to be the start of the rulemaking process, since the CFPB would then be required to provide an outline of its proposal.
The rule has been eagerly anticipated because it would address the ability of aggregators and other fintechs to obtain consumers’ bank account data through screen scraping and application programming interfaces. These firms seek broad access to help consumers manage their money, but banks and consumer advocates generally want the CFPB to narrow the scope of data collected and provide increased security, privacy and other protections.
Putting it Into Practice: The rule is expected to establish data-security and privacy standards to allow consumers to give third-party companies access to their financial data. In addition, the rule will determine the scope of what data a consumer can authorize, set limits on data use and establish a framework of consent to ensure consumers sign off on what information can be accessed or sold. Significantly, the rule also is expected to bring data aggregators under CFPB supervision. But some banks and others worry about consumers giving third parties too much control, the potential for security and privacy breaches, and a bank’s proprietary information about fees and other pricing getting released in the exchange. The CFPB also is expected to clarify legal liability for issues such as data breaches. So there is no doubt that the rule, when adopted, will have a major impact on consumers, fintechs and banks.