Proposed CFPB banking rules have privacy and security implications.
Oct 20, 2023

Dodd-Frank Section 1033 gets a proposed implementation rule from the Consumer Financial Protection Bureau.

On October 19th, 2023, the US Consumer Financial Protection Bureau (CFPB, an independent agency responsible to the Federal Reserve) proposed a rule that would affect how financial institutions handle their customers' data. The Personal Financial Data Rights rule would give consumers more control over the data they share with institutions, and it would impose certain restrictions on how those institutions handle those data. It would in particular prevent firms from "misusing or wrongfully monetizing the sensitive personal financial data." The authority for the proposed rule is Section 1033 of Dodd-Frank.

Consumers would receive more control over their data.

The proposed rule would, in giving consumers more control over the personal information they share with banks and other financial institutions, enable consumers to move to better-value providers. The CFPB explains these benefits under four heads. Consumers would:

  • "Get their data free of junk fees: Banks and other providers subject to the rule would have to make personal financial data available, at no charge to consumers or their agents, through dedicated digital interfaces that are safe, secure, and reliable.
  • "Have a legal right to share their data: People would have a legal right to grant third parties access to information associated with their credit card, checking, prepaid, and digital wallet accounts. This type of data can help firms provide a wide range of products and services, including cash flow-based underwriting that stands to improve pricing and access across credit markets. When these firms offer a desired product or service, people would be able to switch providers more easily. They would also be able to more conveniently manage accounts from multiple providers.
  • "[Be able to] walk away from bad service: Not only would the proposed rule increase competitive forces among financial institutions, it would also enable people to walk away from bad services and products. People can become trapped by providers that hold their data, but this proposal would allow them to more easily shift their data to a competitor offering better or lower priced products and services."

Thus the rule is intended to foster competition, to the consumer's benefit.

CFPB thinks both firms and their customers will see benefits.

The CFPB doesn't see the proposed Personal Financial Data Rights rule as punitive or one-sided. The agency's statement outlines four ways in which better practices would benefit financial institutions as well as their customers:

  • "Robust protections to prevent unchecked surveillance and misuse of data: Companies that people authorize to access data on their behalf would have to agree to certain important conditions. Third parties could not collect, use, or retain data to advance their own commercial interests through actions like targeted or behavioral advertising. Instead, third parties would be obligated to limit themselves to what is reasonably necessary to provide the individual’s requested product.
  • "Meaningful consumer control: The proposal would also give people the right to revoke access to their data. When a person revokes access, the proposal would require that data access end immediately, and deletion would be the default practice. Access can be maintained for no more than one year, absent the individual consumer’s reauthorization.
  • "A move away from risky data collection practices: Many companies currently access consumer data through screen scraping, which often requires people to share their usernames and passwords with third parties. This proposal seeks to move the market away from these risky data collection practices.
  • "Fair industry standard-setting: Instead of providing detailed technical standards, the rule contains several requirements to ensure industry standards are fair, open, and inclusive. The CFPB intends to assess future standards developed by the private sector under the terms described in the rule."

Cybersecurity industry reaction to the rule.

Ameya Talwalkar, CEO of Cequence Security, applauds the rule as an advance in safety, security, and reliability. “In a pivotal development, the Consumer Financial Protection Bureau (CFPB) unveiled a significant rule under Dodd-Frank Section 1033, accelerating a shift toward open banking. The rule is poised to be a cornerstone in the adoption of Open Banking and Open Finance practices in the United States,” Talwalkar wrote in emailed comments.

The rule's effect on data exchange and collection strikes Talwalkar as likely to be significant. "The new CFPB rule marks a critical step toward Open Finance in the U.S., calling for a data exchange over dedicated digital interfaces that are safe, secure, and reliable, like APIs. The rule asks to move away from risky data collection practices: Many companies currently access consumer data through screen scraping, which is a significant issue today at financial institutions. They need to manage this risky API behavior between both good and bad bots. APIs, which have become the lifeblood of financial service providers, are not only a powerful tool but also a significant security concern. Recent reports reveal that a staggering 70% of application requests are API-based, making them a prime target for cyberattacks. With financial institutions already 300 times more likely to be targeted and cybercrime costing them 42% more than other industries, it's clear that safeguarding APIs is paramount."

Talwalkar sees sound, well-engineered APIs as crucial to compliance. "Financial services can enhance their API architecture and security by adopting a comprehensive API protection solution. This entails embracing a multi-faceted security approach, which combines time-tested cybersecurity practices with cutting-edge strategies. Safeguarding API integrity, conducting routine security assessments, establishing stringent access controls, and remaining vigilant regarding emerging threats are all critical measures to revamp a business’ API architecture.”

Assessing and implementing the Personal Financial Data Rights rule.

The Personal Financial Data Rights rule will be implemented in phases, with larger institutions being the first to fall under it. Comments are invited, and should be submitted by December 29th of this year.