The Consumer Bankers Association (CBA) has weighed in on the Consumer Financial Protection Bureau’s (CFPB) proposed rule on personal financial data.
The rule would implement section 1033 of the Dodd-Frank Consumer Financial Protection Act of 2010. Specifically, it says a covered entity, like a bank, must make available to consumers, upon request, transaction data and other information concerning a consumer financial product or service that the consumer obtained from the covered entity.
CBA officials said the organization supports the underlying principles of open banking and how it may enhance consumer experiences. However, they said there are key issues – such as details about which market participants are covered, what consumer data is transferred, and how data is transferred and protected – that require thoughtful consideration by the bureau in light of industry feedback on the proposal.
For example, the CBA is concerned with the general trend toward shifting many costs and responsibilities, including the monitoring of certain market participant behavior, onto data providers, including banks.
“The Bureau should undertake the responsibilities or distribute these costs and responsibilities more equitably across stakeholders in the open banking ecosystem the Bureau is creating. This approach is surprising given how other open banking jurisdictions have addressed these issues, such as the allocation of liability…CBA advises the Bureau to reexamine several of the technical details of the rulemaking – such as the scope of coverage, elements of the data to be shared, and expectations for third parties – to better achieve the Bureau’s stated goal of enhancing consumer access to their data,” CBA leaders wrote in a comment letter to the CFPB.
CBA also made several recommendations to improve the rule. Among them, they would like to see the CFPB do the following:
Broaden Scope of Covered Data Providers: Adopt a broad scope of coverage for not just asset accounts, but also for credit products, like captive auto loan accounts, and non-bank credit alternatives, like Buy Now Pay Later products and Electronic Benefit Transfer cards.
Prohibit Screen Scraping: Expressly prohibit the use of screen scraping by third parties and data aggregators of any data made available through a developer interface, not just covered data. Shift the obligation away from banks and to the bureau itself to supervise, assess, and pursue enforcement actions against third parties and data aggregators that improperly engage in screen scraping or other violations of Federal consumer financial laws.
Revise Allocation of Liability: Require third parties and, if applicable, data aggregators, as part of the certification statement, to certify they will accept liability in instances in which a consumer’s credentials are misused to initiate a fraudulent transaction by such party or are impermissibly acquired by another actor through a data breach the party experienced. Mandate third parties and data aggregators be adequately capitalized and carry sufficient indemnity insurance to satisfy liability obligations, and also obligate third parties to certify as part of the certification statement that they are adequately capitalized, have accepted their liability obligations, and are carrying sufficient indemnity insurance.
Increase Compliance Timeframes: Adopt a two-track compliance timeframe based on whether the bureau has recognized a standard-setting body as an issuer of qualified industry standards. If the bureau has recognized at least one standard-setting body, then the largest data providers should have a minimum of 12 months, but preferably 18 months, to come into compliance. If the bureau has not recognized at least one standard-setting body, then the largest data providers should have a minimum of 24 months to come into compliance.
“CBA hopes that the Bureau will thoughtfully consider and publish a final rule that is meaningfully informed by the recommendations in this comment letter,” CBA officials concluded in the letter.