Securiti AI Recognized as a Customers’ Choice For DSPM By Gartner Peer Insights

View

Understanding the CFPB’s Personal Financial Data Rights Proposed Rule

Published June 6, 2024 / Updated June 27, 2024

Introduction

The Consumer Financial Protection Bureau (CFPB) has proposed a Personal Financial Data Rights Rule (the proposed rule) to implement section 1033 of the Consumer Financial Protection Act of 2010 (Title X of the Dodd-Frank Act), which requires data providers to make available to consumers, upon request, transaction data and other information concerning a consumer financial product or service. In addition to providing for obligations of the data providers, the proposed rule also imposes certain obligations on authorized third parties involved in processing covered data.

Once finalized, the proposed rule would come into effect in phases, with the earliest compliance date being approximately six (06) months after publication of the final rule in the Federal Register and the last compliance date being four (04) years from the publication of the final rule in the Federal Register.

Scope of the Proposed Rule

The proposed rule primarily applies to data providers that control or process covered data concerning a covered consumer financial product or service. However, the data providers that are depository institutions and that do not have a consumer interface are exempt from the requirements of the proposed rule.

Definitions of Key Terms

To appreciate the true scope of the proposed rule, let us understand some key concepts:

1. Data Provider

Data Provider means a covered person, as defined in 12 U.S.C. 5481(6), that is:

  1. A financial institution, as defined in Regulation E;
  2. A card issuer, as defined in Regulation Z;
  3. Any other person who controls or possesses information concerning a covered consumer financial product or service the consumer obtained from that person.

2. Covered Person

Covered person means:

  1. any person that engages in offering or providing a consumer financial product or service; and
  2. any affiliate of a person described in (a) above if such affiliate acts as a service provider to such person.

3. Covered Data

Covered data means, as applicable:

  1. Transaction information, including historical transaction information in the control or possession of the data provider. A data provider is deemed to make available sufficient historical transaction information if it makes available at least 24 months of such information;
  2. Account balance;
  3. Information to initiate payment to or from a Regulation E account;
  4. Terms and conditions ;
  5. Upcoming bill information; and
  6. Basic account verification information, which is limited to the name, address, email address, and phone number associated with the covered consumer financial product or service.

4. Covered Consumer Financial Product or Service

Covered consumer financial product or service means a consumer financial product or service, as defined in 12 U.S.C. 5481(5), that is:

  1. An account, as defined in Regulation E;
  2. A credit card, as defined in Regulation Z; and
  3. Facilitation of payment from an account or a credit card.

5. Consumer Interface

Consumer interface means an interface through which a data provider receives requests for covered data and makes available covered data in an electronic form usable by consumers in response to the requests.

6. Developer Interface

Developer interface means an interface through which a data provider receives requests for covered data and makes available covered data in an electronic form usable by authorized third parties in response to the requests.

7. Financial Institution

Regulation E defines a financial institution as a bank, savings association, credit union, or any other person that directly or indirectly holds an account belonging to a consumer, or that issues an access device and agrees with a consumer to provide electronic fund transfer services.

8. Card Issuer

Regulation Z defines a card issuer as a person who issues a credit card or that person's agent with respect to the card.

9. Account

Regulation E defines an account as a demand deposit (checking), savings, or other consumer asset account (other than an occasional or incidental credit balance in a credit plan) held directly or indirectly by a financial institution and established primarily for personal, family, or household purposes.

10. Credit Card

Regulation Z defines a credit card as any card, plate, or other single credit device that may be used from time to time to obtain credit.

11. Third-Party

Third party means any person or entity other than the consumer to whom the covered data pertains or the data provider that controls or possesses the consumer's covered data.

Obligations of Data Providers

A. Data Provider Interfaces

Data providers must establish and maintain a consumer interface and a developer interface to receive information access requests. In response to requests received through the interfaces, the data providers must make available to a consumer or an authorized third party covered data in a machine-readable file that can be retained by the consumer or authorized third party and transferred for processing into a separate information system.

Data providers must not impose any fees or charges on consumers or authorized third parties for maintaining the interfaces or receiving and responding to access requests.

Requirements for Developer Interface

The developer interface must satisfy the following requirements:

(a) Standardized Format

A developer interface must make the information available in a standardized format, i.e., a format set forth in a qualified industry standard or a format widely used by the developer interfaces of other similarly situated data providers with respect to similar data.

(b) Performance Specifications

A developer interface's performance must be commercially reasonable. To be commercially reasonable, the response time of the developer interface should not exceed 3,500 milliseconds.

(c) Access Cap Prohibition

Data providers must not unreasonably limit the number of requests that the developer interface can receive and respond to. Any such cap/ frequency restrictions must align with the policies and procedures established and maintained by a data provider.

(d) Security Specifications

The data providers should ensure that a third party is not able to access the developer interface using the credentials that a consumer uses to access the consumer interface.

Furthermore, a data provider must ensure that its developer interface is subject to an information security program in compliance with section 501 of the Gramm-Leach-Bliley Act (GLBA). However, if a provider is not subject to section 501 of GLBA, it must implement an information security program required by the Federal Trade Commission's Standards for Safeguarding Customer Information.

Interface Access

Data providers can deny consumers and third parties access to the interface in the following circumstances:

(a) Risk Management

A data provider can reasonably deny a consumer or third-party access to an interface based on risk management concerns.

A denial based on risk management concerns is not unreasonable if it is necessary to comply with section 39 of the Federal Deposit Insurance Act or section 501 of the Gramm-Leach-Bliley Act. Additionally, to be reasonable, a denial must, at minimum:

  1. be directly related to a specific risk of which the data provider is aware; and
  2. be applied in a consistent and non-discriminatory manner.

(b) Lack of Information

A data provider can reasonably deny a third party access to the interface if:

  1. The third-party does not present evidence that its data security practices are adequate to safeguard the covered data; and
  2. The third party does not make the identifying information (as discussed below under Transparency requirements) available in both human-readable and machine-readable formats, and readily identifiable to members of the public.

B. Requests for Information

Upon a request from the consumer or an authorized third party, the data providers are required to make available the covered data in the data provider's control or possession concerning a covered consumer financial product or service that the consumer obtained from the data provider. The data providers must ensure that the information is provided in an electronic form and is up-to-date.

Exceptions

The data providers are exempt from making available the following covered data to a consumer or an authorized third party:

  1. Any confidential commercial information, including an algorithm used to derive credit scores or other risk scores or predictors. Information does not qualify for this exception merely because it is an input to, or an output of, an algorithm, risk score, or predictor.
  2. Any information collected by the data provider for the sole purpose of preventing fraud or money laundering or detecting or making any report regarding other unlawful or potentially unlawful conduct. Information collected for other purposes does not fall within this exception.
  3. Any information required to be kept confidential by any other provision of law. Information does not qualify for this exception merely because the data provider must protect it for the benefit of the consumer.
  4. Any information that the data provider cannot retrieve in the ordinary course of its business with respect to that information.

Responding to Requests

In response to an access request by a consumer, a data provider must make available covered data when it receives information sufficient to:

  1. Authenticate the consumer's identity; and
  2. Identify the scope of the data requested.

Similarly, in response to an access request by an authorized third party, a data provider must make available covered data when it receives information sufficient to:

  1. Authenticate the consumer's identity;
  2. Authenticate the third party's identity;
  3. Confirm the third party has followed the authorization procedures provided under the proposed rule (discussed below); and
  4. Identify the scope of the data requested.

Confirming the Scope of a Third Party’s Authorization

To confirm the scope of a third party’s authorization to access the consumer’s data, a data provider may ask the consumer to confirm the following:

  1. The account(s) to which the third party is seeking access; and
  2. The categories of covered data the third party is requesting to access

Denying an Access Request

A data provider can choose not to make the information available in response to an access request in the following circumstances:

  1. The data are withheld because an exception applies (as discussed above);
  2. The data provider has a basis to deny access pursuant to risk management concerns;
  3. The data provider's interface is not available when the data provider receives a request; and
  4. The request is for access by a third party, and ;
    1. The consumer has revoked the third party's authorization;
    2. The data provider has received notice that the consumer has revoked the third party's authorization; and
    3. The consumer has not provided a new authorization to the third party after the maximum duration period (one year).

Mechanism to Revoke Third-Party Authorization

Data providers are required to provide the consumers with a reasonable method to revoke any third party’s authorization to access their covered data. To be reasonable, the revocation method must, at a minimum, not interfere with, prevent, or materially discourage consumers' access to or use of the data, including access to and use of the data by an authorized third party.

Upon receiving a revocation request from a consumer, a data provider must notify the authorized third party about such a request.

C. Transparency Requirements

Identifying Information

Data providers must make certain identifiable information available to consumers and third parties. The information must be available in both human-readable and machine-readable formats and must be at least as available as it would be on a public website.

A data provider’s identifying information should include the following:

  1. Its legal name and, if applicable, any assumed name it is using while doing business with the consumer;
  2. A link to its website;
  3. Its LEI that is issued by:
    1. A utility endorsed by the LEI Regulatory Oversight Committee, or
    2. A utility endorsed or otherwise governed by the Global LEI Foundation (or any successor thereof) after the Global LEI Foundation assumes operational governance of the global LEI system; and
  4. Contact information that enables a consumer or third party to receive answers to questions about accessing covered data.

Developer Interface Documentation

A data provider must disclose documentation, including metadata describing all covered data and their corresponding data fields, sufficient for a third party to access and use the interface. The documentation must:

  1. Be maintained and updated as the developer interface is updated;
  2. Include how third parties can get technical support and report issues with the interface; and
  3. Be easy to understand and use, similar to data providers' documentation for other commercially available products.

D. Policies and Procedures

Appropriate to the size, nature, and complexity of its activities, a data provider must establish and maintain written policies and procedures to comply with the obligations set forth in the proposed rule. Such policies and procedures must be reviewed periodically and updated appropriately to ensure continued effectiveness.

The policies and procedures must be reasonably designed to ensure the following:

  1. Maintaining a record of the data fields that are covered data in the data provider's control or possession;
  2. Covered data that are not made available in response to an access request because of an exception and the reasons for the application an exception;
  3. In case of denial to a developer interface, a record of the basis for denial and communication of the reasons for denial to the third party as soon as practicable;
  4. In case of denial of an access request, a record of the basis for denial and communication to the consumer or the third party of the types of information denied and the reasons for denial as soon as practicable;
  5. Maintaining and making available accurate covered data;
  6. Retaining records of response to requests for at least three years;
  7. Copies of a third party’s authorization to access data on behalf of a consumer;
  8. Records related to revocation of authorization of a third party by a consumer; and
  9. All other records that are evidence of compliance with the requirements of the proposed rule.

Obligations of Authorized Third Parties

To act as an authorized third party and access the covered data on behalf of a consumer, a third party must comply with the following requirements:

(a) Authorization Disclosure

A third party must provide the consumer with a clear, conspicuous, and segregated authorization disclosure, electronically or in writing, containing the following information:

  1. The name of the third party that will be authorized to access covered data;
  2. The name of the data provider that controls or possesses the covered data that the third party seeks to access on behalf of the consumer;
  3. A brief description of the product or service that the consumer has requested from the third party and a statement that the third party will collect, use, and retain the consumer's data only for the purpose of providing that product or service to the consumer;
  4. The categories of covered data that will be accessed;
  5. A certification statement (as discussed in (b) below); and
  6. A description of the revocation mechanism.

The language of the authorization disclosure should be the same as the language in which the authorization disclosure is conveyed to the consumer. In case the authorization disclosure is in a language other than English, it must include a link to an English version. Similarly, for other languages, a third party can provide links to translations.

(b) Certification Statement

As part of the authorization disclosure, a third party must provide the consumer with a statement certifying that it agrees to comply with its obligations under the proposed rule.

(c) Express Consent

A third party must obtain a consumer’s express informed consent to access the covered data on the consumer’s behalf. For valid consent, a third party should obtain an authorization disclosure signed by the consumer electronically or in writing.

Following are some other obligations of third parties in relation to the collection and use of consumers’ covered data:

A. Collection, Use, and Retention of Consumer Data

A third party must limit the collection, use, and retention of consumer data to what is reasonably necessary to provide the consumer with the requested product or service.

Under the proposed rule, the following activities are not part of, or reasonably necessary to provide, any product or service:

  1. Targeted advertising;
  2. Cross-selling of other products or services; or
  3. The sale of covered data.

B. Maximum Duration and Reauthorization

A third party must limit the duration of collection of a consumer’s data to a maximum period of one year after the consumer’s latest authorization. To continue collecting data beyond the maximum duration, a third party must ask the consumer for a new authorization no later than the anniversary of the most recent authorization from the consumer.

If a consumer does not provide a new authorization, a third party will no longer:

  1. Collect the consumer’s data pursuant to the previous authorization; and
  2. Use or retain covered data that was previously collected unless use or retention of that covered data remains reasonably necessary to provide the consumer's requested product or service.

C. Data Accuracy

A third party must have policies and procedures in place to ensure the accuracy of the consumer’s data received from a data provider. To ensure the accuracy of the covered data, a third party must also take into account the information received from the consumer, data provider, or another third party regarding inaccuracies in the covered data.

D. Data Security

A third party must implement an information security program in compliance with section 501 of the Gramm-Leach-Bliley Act (GLBA). However, if a provider is not subject to section 501 of GLBA, it must implement an information security program required by the Federal Trade Commission's Standards for Safeguarding Customer Information.

E. Data Processing Agreement

Before sharing a consumer’s data, a third party must enter into a binding agreement with another third party, requiring it to comply with all the applicable obligations under the proposed rule

F. Transparency

To ensure transparency and keep the consumers informed, a third party must undertake the following:

  1. Provide the consumer with a copy of the authorization disclosure that is signed or otherwise agreed to by the consumer and reflects the date of the consumer's signature or other written or electronic consent. A third party may deliver a copy of the signed authorization disclosure to the consumer or make it available in a location that is readily accessible to the consumer, such as the third party's interface.
  2. Provide contact information that enables a consumer to receive answers to questions about the third party's access to the consumer's covered data; and
  3. Design and implement policies and procedures to ensure that the third party provides the consumer, upon request, the following information:
    1. Categories of covered data collected;
    2. Reasons for collecting the covered data;
    3. Names of parties with which the covered data was shared;
    4. Reasons for sharing the covered data;
    5. Status of the third party's authorization; and
    6. How can the consumer revoke the third party's authorization to access the consumer's covered data and verification the third party has adhered to requests for revocation.

G. Revocation of Authorization

A third party must establish and maintain an easy-to-access mechanism for the consumers to revoke the third party’s authorization to access their covered data. As soon as a third party receives a revocation request from a consumer, it must notify the data provider and other third parties about such revocation.

Furthermore, on receipt of a revocation request, a third party must not:

  1. Collect the consumer’s data pursuant to the previous authorization; and
  2. Use or retain covered data that was previously collected unless use or retention of that covered data remains reasonably necessary to provide the consumer's requested product or service.

H. Use of Data Aggregator

A third party may use a data aggregator to perform authorization procedures on its behalf; however, it remains responsible for complying with the applicable requirements of the proposed rule. Moreover, the name of the data aggregator and a brief description of services that the data aggregator provides must be included in the authorization disclosure.

I. Policies and Procedures

A third party must establish and maintain policies and procedures to retain records that evidence its compliance with the proposed rule. Such records must be maintained for a reasonable time, not less than three years, from the consumer's most recent authorization.

The records maintained by a third party must include, without limitation, the following:

  1. A copy of the authorization disclosure that is signed or otherwise agreed to by the consumer and reflects the date of the consumer's signature or other written or electronic consent and a record of actions taken by the consumer, including actions taken through a data provider, to revoke the third party's authorization; and
  2. With respect to a data aggregator, a copy of any data aggregator certification statement provided to the consumer separate from the authorization disclosure.

Compliance Dates

The provisions of the proposed rule in relation to making the covered data available and maintaining interfaces will apply to data providers in a staggered manner. Based on their nature, assets, and revenues, the data providers need to comply with the proposed rule in the following manner:

Covered Data Providers Compliance Date
Depository institutions that hold at least $500 billion in total assets Approximately six (06) months after the date of publication of the final rule in the Federal Register
Non-depository institutions that generated at least $10 billion in revenue in the preceding calendar year or are projected to generate at least $10 billion in revenue in the current calendar year
Depository institutions that hold at least $50 billion in total assets but less than $500 billion in total assets Approximately one (01) year after the date of publication of the final rule in the Federal Register
Nondepository institutions that generated less than $10 billion in revenue in the preceding calendar year and are projected to generate less than $10 billion in revenue in the current calendar year
Depository institutions that hold at least $850 million in total assets but less than $50 billion in total assets Approximately two and a half (2.5) years after the date of publication of the final rule in the Federal Register
Depository institutions that hold less than $850 million in total assets Approximately four (04) years after the date of publication of the final rule in the Federal Register

How Securiti Can Help

Securiti’s Data Command Center enables organizations to comply with CFPB’s Personal Financial Data Rights Rule by securing the organization’s data, enabling organizations to maximize data value, and fulfilling an organization’s obligations around data security, data privacy, data governance, and compliance.

Organizations can overcome hyperscale data environment challenges by delivering unified intelligence and controls for data across public clouds, data clouds, and SaaS, enabling organizations to swiftly comply with privacy, security, governance, and compliance requirements.

Request a demo to learn more.

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox

Share


More Stories that May Interest You

What's
New