On October 19, 2023, the Consumer Financial Protection Bureau (“CFPB”) proposed a new rule that would provide consumers with more control over their financial information and impose certain requirements on the following types of entities:
- “Data providers,” which (subject to certain exclusions) is defined as (1) a “financial institution,” as defined under Regulation E; (2) a “card issuer,” as defined under Regulation Z; or (3) any other person that controls or possesses information concerning a covered consumer financial product or service the consumer obtained from that person.
- “Authorized third parties,” which is defined as any third party that has complied with the authorization procedures specified in the proposed rule.
The proposed rule would apply to any “covered financial product or service,” meaning any “account” as defined under Regulation E, any “credit card” as defined under Regulation Z and any product or service that facilitates payments from a Regulation E account or Regulation Z credit card.
In general, the proposed rule aims to implement consumers’ right to access their financial data in a data provider’s possession, custody or control, and transfer that data to authorized third parties. In particular, data providers would be required to provide a consumer’s “covered data” (e.g., transaction information, account balance, upcoming billing information) to the consumer, the consumer’s authorized third parties (e.g., fintech companies) or data aggregators acting for the authorized third parties. Data providers also would be required to create a dedicated, secure and reliable “developer interface” to receive and respond to requests for covered data.
In addition, authorized third parties and data aggregators would be required to limit collection, use and retention of covered data to what is reasonably necessary to provide the consumer’s requested product or service. To that end, such third parties would be explicitly prohibited from using covered data for certain purposes, including targeted advertising, cross-selling of other products or services or sales of covered data. These third parties also would be prohibited from collecting, using or retaining a consumer’s covered data beyond a one-year period, absent the consumer’s reauthorization (unless continued use and retention remains necessary to provide the consumer’s requested product or service).
The CFPB has invited comments on the proposed rule, including on other consumer financial products and services that could be covered via subsequent rulemaking. Comments may be submitted to the CFPB until December 29, 2023.