CFPB Issues SSO Rules for Open Banking
The Consumer Financial Protection Bureau (CFPB) finalized in part its proposed rule on consumer financial data rights under Section 1033 of the Consumer Financial Protection Act (aka Title X of the Dodd-Frank Act of 2010). This final rule establishes minimum attributes a standard-setting organization (SSO) must possess to receive CFPB recognition and to issue consensus standards when the full rule is finalized. The effective date is July 11, 2024.
According to the CFPB, the Section 1033 rulemaking will “accelerate the financial system’s movement towards truly open banking,” Open banking, sometimes referred to as “open finance” or “decentralized finance,” generally refers to the “network of entities sharing personal financial data with consumer authorization.” Data sharing is accomplished through the use of application programming interfaces (APIs), i.e., programs that let software applications communicate with each other.
“Simply put, open banking is based on the premise that consumers own their financial data, and can determine who receives access to it. It provides a mechanism for the sharing of financial data between entities—typically banks and fintech firms, but also between financial institutions as a means of lowering “switching costs” for customers looking to change banking relationships. The portability of cellphone numbers between carriers is sometimes cited as an analogy.” Open banking: Not if, but how (americascreditunions.org)
In this rulemaking, the CFPB provides a step-by-step guide to help interested “standard setters” apply for recognition, sets a maximum recognition duration of five years after which SSOs will have to apply for re-recognition, and establishes a mechanism for the CFPB to revoke the recognition of an SSO when warranted.
To be recognized by the CFPB, the standard setters must apply to the CFPB and display the following attributes:
- Openness: The CFPB will not recognize any standard-setting organization that is rigged in favor of any set of industry players. The process must be open to all interested parties, including public interest groups, app developers, and a broad range of financial firms with a stake in open banking.
- Transparency: Procedures must be transparent to participants and publicly available.
- Balanced decision-making: The decision-making power to set standards must be balanced across all interested parties, including consumer and other public interest groups. There must also be meaningful representation for large and small commercial entities. No single special interest can dominate the decision-making process.
- Consensus: Standards development must proceed by consensus, though not necessarily unanimity. Comments and objections must be considered using fair and impartial processes.
- Due process and appeals: The standard-setting body must use documented and publicly available policies and procedures, provide adequate notice of meetings, sufficient time to review drafts and prepare views and objections, access to views and objections of other participants, and a fair and impartial process for resolving conflicting views. An appeals process is also available for the impartial handling of procedural appeals.
A standard setting body recognized by the CFPB will be referred to as a “recognized standard setter.”
As noted above, this final rule is only a piece of the rulemaking puzzle. The remainder of the rule is still pending. As you’ll recall, the CFPB issued a notice of proposed rulemaking (NPRM) in October 2023, requesting public comments on a proposed framework for mandatory consumer financial data sharing. In short, the proposed rule would require depository and non-depository entities to make available to consumers and authorized third-parties certain data relating to consumers’ transactions and accounts. Data providers subject to the rule would have to make personal financial data available, at no charge to consumers or their agents, through dedicated secure digital interfaces. The rule would also establish obligations for third parties accessing a consumer’s data, including privacy requirements, and provide standards for data access.
America’s Credit Unions’ Legacy Organizations raised a number of concerns with the Bureau’s proposal, noting that, while credit unions strongly support consumers’ rights to access and control their personal financial data, as proposed, this rulemaking could have the unintended consequence of making credit union services less available and more expensive to those who need them the most. Click here to read the 45-page letter. The CFPB expects to finalize the remainder of the personal data rights rule “in the coming months,” so please stay tuned to americascreditunions.org for additional developments.
See also:
CFPB Launches Process to Recognize Open Banking Standards (consumerfinance.gov)
Required Rulemaking on Personal Financial Data Rights (consumerfinance.gov)