Secure Connections: FDX’s Collaborative Effort to Engineer Data-Sharing Standards

The CFPB is drafting new rules for how consumers can access and share their financial data, such as account balances and other personal information. This rulemaking effort is required under Section 1033 of the Dodd-Frank Act, which gives consumers the right to obtain their financial records from financial institutions.

In the years since Dodd-Frank’s passage, while regulators have been working to finalize these rules, marketplace innovation has enabled consumers to share their data with fintechs and other financial institutions more easily than ever, allowing consumers to access new financial products, such as budgeting tools, payment apps and other useful products and services. Critically, the private sector has led this innovation while also developing more sophisticated data protection capabilities, enabling consumers to safely share their data. This work has primarily occurred through the Financial Data Exchange (FDX), a nonprofit organization established in 2018 and operating in the United States and Canada.[1] FDX has broad stakeholder representation – it is currently composed of 231 entities of various sizes, including financial institutions, fintechs, data aggregators, consumer groups and financial industry groups. Through FDX, stakeholders have adopted standards that empower consumers to exercise control over their data. This includes deciding what data is shared, with whom and for what purpose. Importantly, the FDX standards ensure that data is shared safely and securely, prioritizing consumer protection and privacy.

As the CFPB moves toward a final rule, it’s crucial that the agency avoids excessively prescriptive rules, which could impede progress and potentially undermine the significant innovation and consumer protections that have been established through industry-led initiatives.

The CFPB issued an outline of what a potential rule may look like in October of last year, which raised concerns that the agency may take an overly prescriptive approach to the rulemaking. Fortunately, more recently, CFPB Director Rohit Chopra clarified that the CFPB agrees that strict requirements would stunt innovation, writing that “[o]verly prescriptive rulemaking would slow progress” and that “the optimal rule . . . should provide a high-level structure within which market participants can create granular standards and requirements . . .” Director Chopra also highlighted that “many of the details in open banking will be handled through standard-setting outside of the agency [,which] . . . . can allow open banking to evolve as new technologies emerge, new products develop and new data security challenges arise.”

Indeed, consumers’ ability to access and share data has advanced significantly over just a few years through the industry-driven approach led by FDX, without government mandates or regulation. This approach has empowered consumers by granting them greater control over their data and protecting their sensitive information by facilitating secure data sharing. This progress serves as a testament to the effectiveness of a standard-setting organization in promoting innovation in data sharing while enhancing the safety and security of the overall ecosystem.

An approach sanctioned by the CFPB whereby a standard-setting organization with representation from across the ecosystem would continue to establish standards, develop guidelines and perform other oversight and governance functions would enable the private sector to continue to innovate. This would offer consumers increased choice and control, while continuing to advance more sophisticated data protection measures and benefiting all.

[1] FDX is a subsidiary of the Financial Services Information Sharing and Analysis Center (FS-ISAC), which is advantageous because FS-ISAC’s diverse membership reinforces broad stakeholder involvement in FDX. FS-ISAC is a global community committed to sharing cyber intelligence, with a membership that encompasses banks, broker-dealers, insurance companies, credit unions, payment processors and fintechs. Its members collectively possess assets valued at $100 trillion, spanning 70 countries.