Demystifying the Proposed CFPB Rules: What Banks Need to Know Now

The Consumer Finance Protection Bureau (CFPB) is gearing up to issue data rights rules that will implement Dodd-Frank Section 1033—and banks had better be ready. These rules, which are intended to ensure consumers can access their own personal information held by banks and other financial service providers, will have a major impact on the way financial institutions operate.

Below we demystify the proposed CFPB rules and summarize what banks need to do to comply so they’re not left scrambling once they pass into law.

What are the impending CFPB rules, and when will they take effect?

The CFPB rules are designed to give consumers more control over their financial information as well as promote competition and innovation in the financial services industry. If the current proposal goes into effect, certain financial services providers will be required to make a customer’s financial data available to them or a third party at the customer’s request.

This will enable banks to meet customer demand for new services that make financial management easier and more convenient. For example, banks could provide customers with the ability to apply for credit directly from a third-party mobile app.

Also being considered are privacy-related rules for personal financial data that is authorized for use by third parties. These rules would prohibit third parties from reselling authorized data for additional uses.

Third parties may also be required to obtain a consumer’s informed, express consent to access their information. In addition, they would have to clearly disclose the types of personal information they collect and how that information is used and shared. Third parties would also need to tell consumers how they can opt out of sharing their information.  

The first version of the CFPB rules was proposed in 2016. They have been revised several times since then, with the latest version released in October 2022. They are expected to be finalized and implemented in 2024.

Who do the CFPB rules impact?

CFPB rules impact the following companies:

• Banks and credit unions;
• Other entities that directly or indirectly hold consumer accounts and issue debit, credit or prepaid cards; and
• Entities that issue an access device and agree with the consumer to provide electronic fund transfer services such as mobile wallets and other electronic payment products.
• Depository and nondepository institutions that provide credit cards or meet the Regulation Z definition of a card issuer and their agents.

The CFPB has stated that the rules may cover more financial products related to auto lenders, nonbank mortgage lenders and installment lenders in the future.

Do the CFPB rules overlap with any other data privacy regulations?

There is some overlap with regulations such as the Gramm-Leach-Bliley Act, General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA).

The proposed CFPB rules, Gramm-Leach-Bliley, GDPR and CCPA all require businesses to disclose data collection and use practices. However, Gramm-Leach-Bliley and the CFPB rules are specific to financial data, while GDPR and CCPA are not.

Similar to the CFPB rules, GDPR and CCPA give consumers the right to access their personal data and control how it’s used and shared.

Banks should familiarize themselves with how all of these regulations intersect to ensure full compliance.

What will banks and third parties need to do to comply with the CFPB rules?

The rules will mandate that banks provide customers with access to their personal financial data in a secure and standardized electronic format. This includes transactions, balances, payment history and other account-related information. Additional requirements include:

• Allowing customers to authorize third-party companies to access their financial data.
• Disclosing data collection, use and sharing practices.
• Implementing stringent data security measures to protect customer information.
• Establishing clear processes for resolving disputes related to customer data access.

Third parties that access and use data on a customers’ behalf will be subject to a similar set of requirements that include:

• Obtaining consumer authorization to access financial data.
• Protecting consumer data from unauthorized access or disclosure with data security measures.
• Providing consumers with clear and conspicuous disclosures about how their data is collected, used, shared and protected.
• Giving consumers access to their data in a format that is easy to understand and use.

For banks, ensuring compliance with these rules necessitates implementing changes to operations and infrastructure that may involve significant technology investments. This potentially includes deploying new data management systems, updating security protocols and bringing on new staff to manage compliance. Open finance platforms such as those offered by Ninth Wave support compliance with the proposed CFPB rules by quickly and cost efficiently enabling banks to seamlessly implement secure, permission-based data sharing.

Trying to make sense of the CFPB rules and how to be fully compliant once they take effect can be daunting. Ninth Wave’s regulatory experts can help you navigate the impending regulations and create a plan that will ensure you have the technology required to achieve compliance once the rules are implemented. Reach out to schedule a consultation today.