In a move to help accelerate a shift to open banking in the U.S.,
the Consumer Financial Protection Bureau (CFPB) finalized a rule outlining the
qualifications an organization must demonstrate to be recognized as an industry
standard-setting body to develop technical standards for protecting consumer data
rights.
Such organizations will be tasked with issuing standards companies
can refer to when crafting policies and systems to comply with the CFPB’s
upcoming Personal Financial Data Rights Rule, implementing Sec. 1033 of the
Dodd-Frank Act.
The rule provides a step-by-step application process, as
well as criteria the CFPB plans to use in evaluating applications.
“Industry standards can be weaponized by dominant firms in
order to maintain their market position, undermining competition for all,” CFPB
Director Rohit Chopra said in a statement. “Today’s rule will prevent these
firms from rigging standards in their favor by identifying attributes the CFPB
will use to recognize standard setters.”
The rule aligns with the Dodd-Frank mandate requiring the
bureau to work to guarantee consumers’ data privacy rights, noting that doing
so could open up more opportunities for smaller financial institutions and
startups offering products and services.
“Consumer electronic access to personal financial data,
including and especially open banking, holds the potential to intensify
consumer-friendly competition and innovation,” the final rule states. “Fair,
open, and inclusive industry standard-setting plays a critical role in ensuring
the open banking system reaches its full potential to benefit consumers and
competition.”
Open banking, also referred to as “open finance,” is a
financial services framework that allows consumers to control third-party access
to their financial data through application programming interfaces (APIs).
In October 2023, the CFPB proposed a rule to provide
consumers the following rights, which it plans to finalize in the coming
months:
· Consumers must be able to obtain their data free
of “junk fees,” meaning covered data providers must make personal
financial data available at no charge to consumers or their agents, through
dedicated digital interfaces that are safe, secure, and reliable.
· Consumers have a legal right to grant third
parties access to data about their credit card, checking, prepaid, and digital
wallet accounts to help improve products and services.
· Consumers may more easily walk away from
providers that hold their data and shift to a competitor offering better or
lower priced products and services.
Addressing commenter concerns
In response to several comments the bureau received about
the proposal, the agency saw the need to clarify multiple definitions and
criteria. For example, commenters asserted a need for clarification on the
criteria for determining when a standard becomes a “consensus standard” and
when it loses that status. The finalized rule states that a “consensus standard”
must be adopted and maintained by a CFPB-recognized standard-setter. The final
rule also replaces the term “qualified industry standard” with “consensus
standard” and defines “recognized standard setter” to enhance clarity and
ensure standards are fair and inclusive.
Commenters also raised concerns about market uncertainty if
a standard loses consensus status, which would require financial institutions
to adjust to new standards. The CFPB wrote that revocations would be rare and
the bureau would provide guidance during such transitions.
The CFPB decided to extend the recognition period for
standard-setting bodies from three to five years in the final rule, addressing
concerns that frequent re-recognition might be burdensome to the industry. The
bureau believes the extension will help provide stability and encourage more
standard-setting bodies to seek recognition, ensuring that standards remain
current. The five-year period also helps small data providers comply with the
forthcoming Personal Financial Data Rights rule by offering a more extended
period of certainty regarding standards. The rule also requires periodic
reviews to avoid outdated standards and to keep governance practices aligned
with established attributes.
Evaluation criteria
To be recognized by the CFPB, the standard setters must
apply to the CFPB and display the following attributes:
· Openness: Recognized standard-setting organizations
must be committed to keeping the process open to all interested parties and creating
standards that are not rigged in favor of any set of industry players. Interested
parties may include public interest groups, app developers, and a broad range
of financial firms with a stake in open banking.
· Transparency: Procedures must be
transparent to participants and publicly available.
· Balanced decision-making: The
decision-making power to set standards must be balanced across all interested
parties, including public interest groups and large and small commercial entities,
without allowing a single special interest to dominate the decision-making
process.
· Consensus: Standards development must
proceed by consensus, though consensus does not necessarily need to be unanimous. Comments
and objections must be considered using fair and impartial processes.
· Due process and appeals: The
standard-setting body must use documented and publicly available policies and
procedures, and must provide adequate notice of meetings, sufficient time to review
drafts and prepare views and objections, access to views and objections of
other participants, and a fair and impartial process for resolving conflicting
views. The rule also would create an appeals process for the impartial handling
of procedural appeals.
The CFPB set the rule’s effective date for 30 days after its
publication in the Federal Register, consistent with section 553(d) of
the Administrative Procedure Act.