The Consumer Financial Protection Bureau (CFPB) has launched and published in the Federal Register a consultation on an entirely new Statutory Instrument, namely 12 CFR Part 1033. It would implement Section 1033 of the Consumer Financial Protection Act of 2010, primarily to require banks and depository institutions, which are referred to as "data providers" in the draft, to provide consumers and authorized third parties with specific transaction and account-related data upon request, and to define corresponding data secrecy and data access obligations.
Specifically, the CFPB would require financial institutions to provide, upon request, the following information to the consumer or to third parties acting on the consumer's behalf:
– account transaction information (must at least include information on the past 24 months);
– account balance information;
– information to initiate payment to or from a "Regulation E" account, which includes deposit, checking, savings, prepaid, and special purpose accounts;
– the terms and conditions of an account (e.g. fee schedules, overdraft arrangements, any yields or interest arrangements);
– upcoming bill information in view of pre-scheduled account payments; and
– basic account verification information.
Furthermore, the CFPB would require institutions to set up data interfaces for consumers and third parties, along with corresponding policies to receive and respond to such data requests. In this context, it should be noted that the interfaces must include one for traditional users and one for industry use, the so-called developer interface. The developer interface would have to enable data retrieval in a standardized format, following industry standards or commonly used formats. In addition, all interfaces would have to satisfy various performance specifications, including a high response rate, without any reasonable access cap restrictions. Moreover, institutions would have to disclose all relevant information to the public, including any data access requirement information and developer interface documentation. Finally, institutions would be required to develop and maintain policies and procedures for data access, data accuracy, and recordkeeping.
Lastly, the new statutory instrument would include provisions on the obligations of third parties that would access covered data on behalf of a consumer. Under these provisions, third parties would be obliged to establish systems and controls to access the data, maintain user authorizations and records of them, and remove authorizations as applicable. Furthermore, they would be required to "retain records of consumer data access requests and actions taken in response to these requests, reasons for not making the data available, and data access denials under the proposed rule".