The CFPB’s Vision for ‘Open Banking’ is Here: 1033 Personal Financial Data Rights Proposed Rule
- Source: consumerfinance.gov
Takeaway:
On October 19, 2023, the Consumer Financial Protection Bureau (CFPB) released the highly anticipated Personal Financial Data Rights proposed rule, implementing section 1033 of the Consumer Financial Protection Act of 2010 (CFPA).
Treliant can provide the operational, risk, compliance, and data management solutions and talent to support banks and non-banks in assessing their readiness for compliance with this rule, designing the necessary processes and requirements, and working with technology providers and partners to implement and ensure compliance.
Whether you need to comply within the next year or you have 2-4 years to work on this, your compliance date will be here quickly, and the scope and complexity of the work shouldn’t be underestimated. We are ready to help you prepare and comply.
Highlights:
With this rule the CFPB intends to:
- Give consumers greater control over the use, protection and sharing of their personal data.
- Hold a more expansive scope of financial institutions to a higher standard regarding protection of consumer data, safeguarding against its misuse, and providing consumers greater transparency into their financial data and how it is used.
- Enable consumers to have greater flexibility and choice regarding their banking relationships.
- Accelerate and promote decentralization and fair competition across the financial services industry.
Key Elements of the Proposed Rule Include:
- Applicability: ‘Data Providers’ include consumer-facing banks and non-banks that possess or transact with covered data related to covered financial products and services. This includes Regulation E covered accounts and Regulation Z covered accounts and activities, and any products and services that facilitate transactions across these accounts.
- Covered Data: Data providers will be required to make the covered data available to the consumer and/or an authorized third party, in an electronic form that can be easily transferred to other providers and retained securely, and in a timely manner. Covered data that can be requested and must be provided includes accurate and historical data related to the consumer’s accounts and transactions, including transactional history, account balances and availability, payment information, bills, terms and conditions, pricing and pricing changes, etc.
- Comment and Compliance Dates:
  - Comment period ends on December 29, 2023.
  - Compliance dates range from 6 months to 4 years: 6 months (depository institutions with greater than $500 billion in total assets and non-depository institutions with $10 billion or greater in revenue), 12 months (depository institutions with $50 to $500 billion in total assets and non-depository institutions with less than $10 billion in revenue), 30 months (depository institutions with $850 million to $50 billion in total assets), and 4 years (depository institutions with less than $850 million in total assets).
The scope of work required to comply with this new rule is expansive and crosses an institution’s strategic, risk, compliance and operational areas, including:
- Data assessment – aggregation and accuracy.
- Data access and request interface – design and implementation.
- Data request and provision processes and controls.
- Data integrity processes and enhanced data security standards.
- Third party access and request standards and processes.
- Customer communications and anticipated customer dispute/complaint impacts.
- Anticipated fraud risk management impacts.
- Proactive data analytics, issue and opportunity identification, and strategic and financial impact assessment.
- Compliance and governance standards – including control effectiveness and data accuracy monitoring and testing, policy and procedure, training, issue management and escalation, reporting, and oversight.
Additional Resources:
CFPB Announcement:
Prepared Remarks of CFPB Director: