On December 21st, 2023, the Future of Privacy Forum filed comments with the Consumer Financial Protection Bureau (CFPB) in response to the notice of proposed rulemaking (NPRM) regarding personal financial data rights. FPF’s comments focus on promoting privacy as a core tenet in the U.S. open banking ecosystem in order to protect individuals’ personal information while enhancing user trust.
This NPRM is the latest milestone in the Bureau’s multi-year effort to create a regulatory framework for open banking in the U.S. using its Section 1033 authority. Section 1033 was passed as part of the Consumer Financial Protection Act (CFPA) of 2010 and it governs access to a person’s data held by a consumer financial services provider. The CFPB’s proposed rule requires data providers, such as banks, card issuers, and digital wallets, to share certain kinds of consumer financial data (e.g., transactions information and account balance) with authorized third parties at the consumer’s request. As the CFPB sets out, “[t]his proposed rule aims to . . . push for greater efficiency and reliability of data access across the industry to reduce industry costs, facilitate greater competition, and support the development of beneficial products and services.”1
In our submission, FPF provides several recommendations to the CFPB, including:
- Encouraging the development of industry standards for third party privacy rules and data provider denials of access requests;
- Supporting an opt-in standard and use of de-identified data, while providing an approach for high-risk uses;
- Clarifying an approach to address ‘dark patterns’ to discourage consumer manipulation;
- Strengthening the phase-out of and directly prohibiting third parties from engaging in screen scraping of data from online consumer accounts; and
- Harmonizing various privacy rules that result in numerous and different notices and choices.
FPF’s comments are the culmination of over a year of meetings with key stakeholders in the open banking ecosystem. Both build upon earlier recommendations that FPF made in response to the Bureau’s “Outline of Proposal and Alternatives Under Considerations for the Personal Financial Data Rights Rulemaking,” which was a prerequisite to the NPRM. Last year, FPF also released an infographic, “Open Banking And The Customer Experience,” visualizing the U.S. open banking ecosystem and the challenges affecting it, which are also addressed in FPF’s latest comment.
1Required Rulemaking on Personal Financial Data Rights, 88 Fed. Reg. 74796, 74843 (Oct. 31, 2023).