In our previous post, we delved into the CFPB’s proposed personal financial data rights rule and its implications for the financial services industry. The proposed rule was open for public comment, but only for a short window: October 19 – December 29, 2023.
As expected, the CFPB received a large number of comments on the proposed rule. As it analyzes these comments and prepares the final rule, we thought it would be useful to give an overview of what the industry felt about the proposed rule.¹
Who commented on the proposed rule?
Despite the short deadline for comments, the CFPB received a voluminous 11,083 comments! We took a look at when these comments were submitted and saw some interesting points (Image 1).
As predicted, there was a sharp increase just before the December deadline. But what’s interesting is that immediately in the new year, we see a massive increase in comments. Digging deeper, we read through the comments and found that most of them were from individuals asking for the inclusion of electronic benefit transfer (EBT) accounts in the final ruling. The similar cookie-cutter language used in the comment letters seemed to indicate that this was the result of an influence campaign by some fintech company. These letters comprised about 90% of the overall responses!
The remaining 10% of responses were distributed across banks, credit unions, fintechs, industry associations and advocacy groups.
Common ground in the public comments
The proposed rule addresses three stakeholder communities, viz., data providers, data aggregators, and third parties. Across these communities, there were a few common points of agreement:
- Almost all of the commenters were in agreement with the objectives behind CFPB’s rule
- Commenters were unanimous in expressing concerns about CFPB’s aggressive timelines for implementation. Banks wanted a tiered implementation timeline of not less than 24 months as opposed to the CFPB’s suggestion of 6 months
- Commenters were also aligned in requesting that CFPB allow for a standards setting organization (SSO) to define the common standards to be followed for data interfaces. FDX seemed to be a preferred option across commenters
- Across data providers, both banks and credit unions wanted a tiered exemption for institutions that were below a particular size similar to those available under Durbin
- Many commenters wanted exemptions for data that were already covered under existing regulations (e.g., FCRA). Data providers further wanted data enhancements to be excluded. Data enhancements could include analytical enrichment of customer data, transaction and risk scoring, etc. In addition, exemptions were also sought for data deemed to be confidential under law, or historical data that was difficult to retrieve
7 insights from the public comments on points of disagreement
While the key stakeholders had some common points of agreement, there were 7 distinct regulatory areas where various stakeholders had differing points of view.
- The end of screen scraping?
Data providers like banks and credit unions were unanimous in requesting that the CFPB explicitly prohibit “screen scraping” once interfaces are introduced to access the data. Data aggregators and third parties, while agreeing with the principle of ending “screen scraping”, wanted a grace period under which both methods could co-exist until a final transition to data interfaces. CFPB will likely need to find a middle ground between these two positions in the final rule.
- The f(r)ee data buffet
Data providers wanted CFPB to allow them to charge reasonable fees that would allow them to recoup the cost of building the interfaces and maintaining ongoing compliance. Data aggregators and third parties, on the other hand, wanted no fees. Credit bureaus were cited as an example of all stakeholders benefitting from the free sharing of data. Given the pushback from data providers on this aspect, including questions on the cost analysis used to justify this rule, CFPB may need to revisit this in the final rule.
- Payments initiation: in or out?
Data aggregators and third parties wanted all payment initiation information to be included in covered data. Data providers were reluctant to include it, citing the potential for misuse and security issues. CFPB will need to strike a balance between data provider concerns and those of aggregators and third parties. In particular, it will need to decide if payment initiation should be included in the final rule. Historically, in other jurisdictions like the EU, regulators have treated open data and payment initiation separately, due to the sensitive nature of payment initiation information.
- Drawing the risk management and liability faultline
Data providers sought two important clarifications or concessions from the CFPB. First, they wanted to be permitted to conduct their own risk assessments on aggregators and third parties that request data from them. Secondly, they wanted liability for privacy and security of data to lie with the party accessing and processing the data. Data providers, in fact, wanted safe harbor on liability when they rely on attestation of data security from the data requestors. When it comes out with the final rule, CFPB will need to be clear on where the liability for data breaches lies.
- Necessary friction in consumer authentication and authorization?
Data providers want customer authentication and authorization to happen on their platforms so that customer consent is unambiguously captured. Data aggregators and third parties were apprehensive that doing so might introduce friction in the process of consent, leading to higher drop-offs. There was also disagreement among them on the proposed 1-year expiry of consent.
- The dimensions of data coverage across time and depth
Data providers, in addition to seeking exemptions, also wanted the scope of data to be narrower. Some suggestions for scope reduction included:
– Limiting Terms & Conditions data to only cost, charges and fees applicable
– Limiting Rewards data to the aggregate rewards balance instead of granular transaction level rewards
– Limiting Bill payment data to historical bills paid rather than future bills due
Data aggregators and third parties wanted the scope of data to be widened and even wanted new account types like Electronic Benefit Transfer (EBT) accounts included.
- Interpreting consent for secondary use of data
Data aggregators and third parties oppose being prevented from using data for purposes other than those consented to by the customer. Their argument is that this would prevent them from building better products for their customers. Data providers, however, are aligned with CFPB’s recommendation and want data use to be restricted to only that which the customer agreed to. In addition, they want sale of data, use of data for targeted advertising, and de-identified data explicitly excluded from the scope of allowed data use.
Analyzing the comments reveals a fascinating tug-of-war between data providers and data aggregators over how customer data is opened up. Data providers like banks and credit unions, in particular, require modern, API-ready, and permissioned core systems to be able to deliver on many of the requirements of the proposed rule. Complying with the proposed rule while depending solely on legacy technology will be an uphill task, and data providers need to start investing now in modernizing their legacy technology to be ready to comply with both the current rule and any future developments.