- Uses of Information Limited to “What is Reasonably Necessary”
- Use of Deidentified Data Not Within Scope
- Screen Scraping Survives
After a yearslong lead-up, the Consumer Financial Protection Bureau (CFPB) published its final “open banking” rule in October. The rule implements the section of the Consumer Financial Protection Act that charged the CFPB with establishing standards and protections for the third-party acquisition and use of consumer banking and other financial data.[1]
Why was this rule necessary?
Many consumers rely on mobile payment apps to send and receive money, invest or manage their finances. To provide such services, and in order for such services to gain access to a consumer’s data held by a financial institution, consumers in the past have been asked to hand over their online banking login credentials to app operators (or to data aggregators/fintech platform providers that assist apps with accessing covered data). These operators would then log in to the consumer’s accounts and “screen scrape” (i.e., use technology to extract information from the bank’s platform) the necessary data (and sometimes more) to provide the requested financial service.[2] Scraping practices created security risks, gave rise to allegations of improper use of consumer banking credentials and have been the source of a significant amount of litigation and regulatory enforcement. (See, e.g., the Plaid settlement and other litigations.)
The open banking rule is a regulatory push away from screen scraping and toward a standardized, credential-free, secure application program interface (“API”) data access methodology. As a result of this rule, the CFPB expects that APIs will mostly supplant credential-based screen scraping as a data collection practice.[3] When commenting on the proposed rule, many banks expressed dismay that the rule did not expressly prohibit screen scraping. In response, the CFPB, in the final rule notice, contended that: “Nothing in the proposal would have precluded data providers from blocking screen scraping, and nothing in the final rule does so. However, data providers may act improperly if they attempt to block screen scraping across the board without making the requested data available through a more secure alternative.”
The rule is not without controversy. Not surprisingly, the rule is already subject to at least one legal challenge.
Key Provisions
Given that the final rule is 38 pages (and the notice of final rulemaking is nearly 600 pages), a deep dive into every corner is beyond the scope of this post. However, there are a few noteworthy provisions related to the privacy and scope of use of consumer financial information:
- Establishment of APIs: Financial institutions, card issuers, digital wallets and other covered financial data providers would be required to establish and maintain APIs to make consumer data available in a machine-readable, standardized format.
- Data privacy restrictions: An authorized third party fintech provider must “limit its collection, use, and retention of covered data to what is reasonably necessary to provide the consumer’s requested product or service.” In the CFPB’s view, limiting third parties to using covered data only as “reasonably necessary” for the provision of the product or service “ensures that consumers understand the scope of their authorization and retain control over their data.”
- In particular, the rule states that targeted advertising, cross-selling of other products or services, and the sale of covered data are not “reasonably necessary” to provide any product or service.
- The rule requires third parties to limit “the duration of collection of covered data to a maximum period of one year after the consumer’s most recent authorization.”
- Deidentified data: During the rulemaking process data aggregators and others urged the CFPB to include an exception to the data use restrictions for the use of deidentified financial data for downstream uses (e.g., market research, consumer sentiment analytics, etc.). However, the final rule does not include any such exception. The notice of rulemaking addressed the issue:
“[T]he CFPB is not including a provision that would allow third parties to use de-identified data for purposes that are not reasonably necessary to provide the consumer’s requested product or service. […] The CFPB is concerned…that an exception to the secondary use prohibition for de-identified data would be inconsistent with the kind of meaningful consumer control that the final rule seeks to achieve, and might enable third parties to offer products and services that are primarily designed to accumulate large amounts of de-identified consumer data.”
The CFPB acknowledges the effect of its rulemaking on certain parties in the data ecosystem:
“This limitation may eliminate or lessen the profitability of certain business models. Third parties that generate revenue from sharing covered data with fourth parties—such as firms with no authorization to access data from the consumer—may lose much of that source of revenue.”
The CFPB reminded entities that third parties can still seek separate consumer authorization for deidentified data to be shared with outside parties or used for research if these purposes are properly presented as an authorization for data access for a standalone product or service.
“[T]he CFPB notes that, as with identifiable covered data, the final rule does not prohibit third parties from using de-identified data as reasonably necessary to provide the consumer’s requested product or service, or from seeking a separate authorization to use de-identified data for other purposes that the consumer may choose.”
Final Considerations
The open banking rule creates certain unsettled legal issues. For example:
- Could a violation of the open banking rule lead to state privacy-related or other claims in civil litigation?
- Would the rule affect providers’ various responsibilities in the event of a data breach?
- Would the rule affect the potential liability of the various parties if a consumer suffers losses or other harms due to a fintech app’s fraud or misuse of data?
- What additional security procedures will banks use to prevent misuse or fraud when operating a developer interface? What additional measures must authorized third-party fintech apps take to satisfy the rule’s data security requirements?
- How will banks use their risk management policies to administer a developer interface?
Lastly, one might ask: will the rule spur Congress to act on its own comprehensive data privacy bills? To this point, in remarks during the CFPB oversight hearing before the House Financial Services Committee back in November 2023, Chairman Patrick McHenry stated that “Americans should have greater control over their sensitive financial data” and that it was “critical” that Congress pass a data privacy law that goes beyond the CFPB’s regulation.
[1] Section 1033 of the Consumer Financial Protection Act. The CFPB final rule becomes effective 60 days after publishing in the Federal Register and compliance will be staggered over the next few years (depending on the size of the financial institution), with the largest banks having to comply by April 1, 2026.
[2] In the last few years many – but not all – financial institutions and fintech developers have voluntarily transitioned away from scraping and into using application program interfaces (governed under data access agreements).
[3] As the CFPB stated: “The CFPB expects that screen scraping will decline under the rule. This is likely to benefit data providers because screen scraping involves security risks and heavy web traffic.” It further stated that: “The transition away from screen scraping will lead to more consistency in the data fields that are available across all data providers and in data field formatting, and may reduce costs associated with ensuring that consumer data are accurate.”