Fintech Insights: Data Rights and Consumer Protection  

In the fall of 2023, the Consumer Financial Protection Bureau (“CFPB”) proposed a new rule related to Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank Act”). As the comment period on the proposal concluded at the turn of the new year, we felt it was the right time to revisit this proposal and how it impacts consumers, businesses and the Fintech industry overall.

The proposal, also known as the Personal Financial Data Rights Rule, is expected to change the regulations surrounding consumer data protection and would put the power back in the hands of the consumers when it comes to their financial data. They aren’t called the Consumer Financial Protection Bureau for nothing. Consumers will benefit from this new rule in many ways, including the following:

  • The removal of fees associated with obtaining data
  • Taking control of the right to share their data with other third-party providers
  • The growing ability to shift data between service providers, increasing competition and allowing customers to select financial institutions, including neobanks, that suit their needs

On the other hand, the rule also impacts both financial institutions and other authorized third parties. Some of the key takeaways include:

  • Financial institutions no longer being able to charge data access fees
  • Limited ability to control requests for data
  • Adhering to a standard data transfer process, including increased controls surrounding data security and privacy

One specific practice highlighted in the proposed rule is the process of “screen scraping,” or the sharing of usernames and passwords with third parties as a means to access consumer data. The affected financial institutions would be required to comply with the new proposed rule under a staggered deadline based on total assets and revenue threshold benchmarks. For example, as currently proposed, compliance will be required within 6 months for institutions with over $500 billion in assets and generating over $10 billion in revenues in the prior calendar year or projected to exceed $10 billion in revenues in the current calendar year. Smaller institutions have either 1 year, 2.5 years, or 4 years to ensure compliance based on their asset and revenue figures. It’s worth noting that there are exemption provisions for community banks and credit unions that do not have a digital interface with consumers.

How Does This Impact the Fintech Industry?

For third-party service providers, there are proposed limits on collecting, using, and retaining consumer data. For many Fintech companies, this will limit their ability to utilize the stored data for commercial purposes such as advertising campaigns and other marketing efforts. The goal is for the data to only be utilized by the third-party platform to the “extent reasonably necessary” to provide the requested product or service to the consumer. This will be controlled via a disclosure form that clearly authorizes the third-party platform to utilize the data, requiring an opt-in from consumers. The authorization is subject to a single-year limit from the date the consumer signed the opt-in and requires annual signed re-authorization from consumers, which is not guaranteed, as the authorization may be revoked at any time at the consumer’s discretion. Key information that needs to be clear on the disclosure form includes the names of the respective parties for which access is requested, a service description including the types of data that will be made available, a certification from the third party regarding specific obligations they must adhere to (as described below), and clarity surrounding the customer authorization revocation process.

The specific obligations that third parties, including service providers in the Fintech space, need to keep in mind when providing the certification to consumers include:

  1. Data collection, use, and retention restrictions: There are limitations on how Fintech companies can collect, use, and retain data as it has to be within the bounds of the respective service they are providing, i.e., use of the data for cross-selling or advertising would not fall under their service agreement.
  2. Accuracy surrounding data: Fintech service providers must maintain appropriate policies and procedures surrounding data retention and processing to ensure that any data received, processed, and sent on to other third-party providers is accurate.
  3. Security requirements: The data must be safeguarded in line with information security rules such as the Federal Trade Commission’s Safeguards Rule or the Gramm–Leach–Bliley Act’s safeguards framework.
  4. Communications: The consumer must be kept informed of their authorization status for a third party to access the data they have shared. The third party is also required to keep authorization disclosures and contact information for consumers readily available.
  5. Data access revocation: Service providers need to make the revocation process for consumers easy to follow and readily available. The data provider needs to be informed in a timely manner, and the data can no longer be collected, utilized, or retained under the prior consumer authorization.

Keep in mind that if the data is obtained through a third-party data aggregator that collects the data from numerous sources and reformats it into usable information, e.g., Akoya, Finicity, etc., the aggregator must also be disclosed in the authorization disclosure, and the respective aggregator is subject to compliance with the above rules.

Key Takeaways

While the proposed CFPB rule has minimal impact on accounting and financial reporting, we recommend that companies in the Fintech space work closely with their legal counsel to prepare for the implementation of the proposed rule. Taking stock of current policies and procedures in place, identifying current relationships with other third-party providers and data aggregators, and evaluating data usage for non-essential purposes, such as advertising, will be helpful to prepare for the imminent roll-out of the new regulations.

Contact Us

For more information on this topic, please contact a member of Withum’s Fintech Services Team.