For the second time this year, a federal court granted a stay request from the Consumer Financial Protection Bureau regarding its Personal Financial Data Rights rule. The latest stay will delay compliance dates associated with the rule implementing Sec. 1033 of the Dodd-Frank Act for one year following the end of litigation.
The U.S. District Court for the Eastern District of Kentucky previously stayed ongoing litigation concerning the rule’s legality in July. This stay was granted with the condition that the bureau would work on a revised version of the rule and provide the court with periodic updates documenting its progress.
In September, the Financial Technology Association (FTA) filed a brief urging the court to reject a bid by the Bank Policy Institute, the Kentucky Bankers Association and Forcht Bank to lift the stay and delay implementation indefinitely.
The rule’s compliance dates represent just one of many points of contention among the trade groups during the ongoing legal dispute.
“[T]he plaintiffs contend that the rule’s fixed compliance deadlines are arbitrary and capricious because many of its ‘vague requirements’ depend on future ‘consensus standards’ to be developed by private standard-setting organizations,” the court wrote. “Because those standards are not yet available, the plaintiffs argue that the CFPB acted unreasonably by establishing compliance dates that are not contingent on their issuance. They further note that many commenters specifically urged the CFPB to tie compliance deadlines to the release of these standards and state that they failed to address these requests.”
The banking trades further claimed the omission “flouts the bureau’s obligation to reasonably explain its deadlines,” as well as its obligation to “respond to comments that ‘challenge[d] [the] fundamental premise’ of beginning the compliance clock when consensus standards for compliance with substantive requirements do not exist.”
The FTA countered the trades’ arguments, asserting the CFPB based the reasoning behind the chosen compliance dates on the size and revenue of covered data providers, rather than the development of consensus standards.
“The FTA argues that the CFPB acknowledged that an industry standard may ‘become available after the relevant compliance date,’ but that the CFPB explained that ‘a data provider will have certainty that its developer interface format complies with the requirement to be standardized, so long as the format is widely used,’” the court wrote. “The FTA further contends that the standards serve only as ‘indicia of compliance’ and that the CFPB ‘reasonably set deadlines based on size instead.’”
The banking trade groups have also argued the rule’s data-sharing framework is arbitrary and capricious “because the CFPB failed to assess the cumulative impact of its provisions on consumer data security.”
“They identify four features that heighten these risks,” the court wrote. “First, the rule requires bank to share highly sensitive information, including payment initiation data. Second, the CFPB shifts responsibility for ensuring third-party compliance to banks. Third, banks may deny access based on data security concerns only in narrow circumstances. And fourth, the CFPB declined to prohibit screen scraping, a risky access method.”
Additionally, the banking trades have questioned whether the bureau had the authority to prohibit companies from charging interface access fees through its rulemaking and that it had violated the Administrative Procedures Act’s requirement for reasoned decision-making by failing to consider the cumulative effects of its data privacy rule.
The CFPB agreed with the plaintiffs when the agency motioned for summary judgment in May, alongside the banking trades.
The FTA framed the move for summary judgment as “premature judicial intervention that would undermine the notice-and-comment process, short-circuit stakeholder input, and interfere with the CFPB’s ability to arrive at a reasoned decision consistent with the statute.”
After weighing arguments presented by both sides about the potential harm to affected parties and other factors, the court sided with the CFPB and the banking trades, agreeing to delay compliance dates associated with the rule’s implementation for one year following the conclusion of litigation over its provisions. FTA had argued this request was “overbroad” in a previous court filing.
The original compliance dates for “data providers,” defined by the rule as financial institutions and other entities that control or possess consumer financial data, are:
- April 1, 2026 – for institutions holding at least $250 billion in assets (or, for non-depositories, at least $10 billion in total receipts).
- April 1, 2027 – for institutions holding at least $10 billion but less than $250 billion in assets.
- April 1, 2028 – for institutions holding at least $3 billion but less than $10 billion in assets.
- April 1, 2029 – for institutions holding at least $1.5 billion but less than $3 billion in assets.
- April 1, 2030 – for institutions holding less than $1.5 billion but more than $850 million in assets.
The court acknowledged the bureau’s work toward revising the rule, including the issuance of an advance notice of proposed rulemaking in August in which it requested stakeholder feedback on significant provisional changes to the rule, in its decision to grant the stay on compliance dates.
For more Dodd Frank Update coverage of matters related to data privacy and the CFPB’s efforts to implement Sec. 1033 of the Dodd-Frank Act, visit the “Data Privacy Vault” – a resource library holding all of our coverage of every volley in the ping-pong match between the finance industry and regulators over how to be protect consumers’ sensitive data in the rapidly evolving virtual financial marketplace.