As we discussed in the fall over a series of articles (Part 1, Part 2, Part 3, and Part 4) and reported on further in January, the Consumer Financial Protection Bureau ("CFPB") is on a mission to allow consumers to more easily change financial services providers so that they may experience so-called "open banking", allowing more "opportunities for smaller financial institutions and startups" to get into the consumer financial services market. The CFPB's proposed Personal Financial Data Rights Rule ("PFDR Rule") conceives to achieve this by requiring regulated banks and licensed financial institutions to allow largely unlicensed big data and tech companies to access and transfer almost all consumer account information from those licensed and regulated institutions with as little of their involvement and oversight as possible. This is all because the CFPB believes that "dominant firms" maintain their market position in part by holding customer information hostage, and that a rule requiring customer information to be accessed every second of every single day by unlicensed and unregulated entities will increase competition from the smaller financial institutions and (untested) startups, resulting in a better market for consumers.
On June 5th, the CFPB announced that it was publishing a portion of its proposed PFDR Rule as a final rule. In particular, the finalized portion of the PFDR Rule establishes definitions for so-called "standard-setting bodies" and details how such entities may receive recognition from the CFPB. The role "standard-setting bodies" play within the context of the PFDR Rule is to establish and dictate to the industry technical standards by which consumer account information may be accessed and transmitted (every second of every day) by the (unlicensed and unregulated) data companies from the "dominant firms" to the smaller financial institutions and (untested) startups. In the proposed PFDR rule, the CFPB commented that it was concerned that firms which presently have the consumer data would "inappropriately" designate standards reflecting singular interests. So, instead of allowing these dominant firms to indicate what data standards they may be able to establish without completely overhauling their entire systems, the CFPB, in the interest of ensuring "competitive data access," "preliminarily determined" that standard-setting bodies they would approve would promote such data access by reflecting in their standards "a full range of relevant interests—consumers and firms, incumbents and challengers, and large and small actors."
Accordingly, the first portion of the finalized PFDR Rule states that the first attribute of a successful standard-setting body will be "openness" such that parties that have limited familiarity with how information is stored, organized and made accessible within a financial institution will be allowed to be involved in setting standards that will dictate how financial institutions manage that information going forward, notwithstanding the immense costs and burdens to those financial institutions to re-organize their data, much less how such "maps" to how data should be stored, organized and made accessible will allow every cybercriminal in the world to easily identify and hack such data, most likely as the data is being accessed and transmitted (every second of every day) by the (unlicensed and unregulated) data companies. Second, the standard-setting bodies must "balance" decision-making on the standards "across all interested parties, including consumer and other public interest groups" with "meaningful representation for large and small commercial entities" and taking into consideration the "ownership of participants" in achieving said balance. Third, the standard-setting body must have a "due process and appeals" methodology that allows "sufficient time" for the resolution of conflicting views among participants. Fourth, the standard-setting body must proceed primarily by consensus, but, need not "necessarily" proceed through unanimity. Finally, standard-setting bodies must be transparent and make everything, including detailed specifications of how data is stored, accessed and transmitted fully available to not just participants, but also to the public.
We have mentioned several times how the CFPB's proposed compliance timeline for the largest of financial institutions (i.e., six months from the publication of the full final PFDR Rule) is impossible, and so perhaps this awkward partial "final" rule is a nod towards those concerns. In other words, by encouraging standard-setting bodies to begin setting to work and getting approved by the CFPB, perhaps discussions of standards can take place and make a certain amount of progress, thereby ostensibly giving "dominant firms" more time to attempt to achieve timely compliance with the full final PFDR Rule, when it comes. Even still, requiring financial institutions to all fall in line with standardized ways of maintaining data has the appearance of being a venture akin to tilting at windmills, with astronomical costs to boot.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
We operate a free-to-view policy, asking only that you register in order to read all of our content. Please login or register to view the rest of this article.