CFPB Includes Payment Apps and Data Brokers in Final Rule 1033
The Consumer Financial Protection Bureau (CFPB) swung for the fences this morning (October 22) as it issued the final version of its long-awaited Rule 1033 on personal financial data rights. As expected, the rule will mark a significant step toward open banking in the United States. But the rule also took a cut at regulating payments apps and left a lot of latitude for credit unions and community banks to compete with larger financial institutions.
The rule, which implements Section 1033 of the Dodd-Frank Act, aims to give consumers greater control over their financial data and the ability to share it securely with third-party service providers. Under the new rule, banks, credit unions and other financial institutions will be required to make consumers’ financial data available upon request to both consumers and authorized third parties. This data includes information about transactions, costs, charges and usage related to consumer deposit accounts, credit cards and payment services.
The CFPB is much wider in scope than expected, covering data in payment apps and digital wallets as well as bank accounts. “Digital wallet providers hold similar valuable data that can provide a complete understanding of a consumer’s finances,” reads a section of the rule. “Today, a digital wallet can initiate payments from multiple credit cards, prepaid accounts and checking accounts. A digital wallet can facilitate payments from accounts that the digital wallet provider offers through depository institution partners, or from linked accounts issued by other institutions (sometimes referred to as pass-through payments).” This indicates that the rule covers digital wallets and payment apps that facilitate payments from covered accounts. The document also notes that digital wallet providers are generally considered data providers under the rule, even if they only facilitate pass-through payments from other accounts.
The rule also establishes strict guidelines for third parties seeking to access consumer data. These entities must obtain explicit consumer consent, limit their data collection and use to what is necessary for providing requested services, and implement data security measures. The rule also prohibits the use of consumer data for targeted advertising or sale to other parties. It will require banks to develop standardized APIs or other secure methods for data sharing, moving away from less secure practices like screen scraping. The rule also bans institutions from charging fees for data access.
The CFPB has taken a phased approach to implementation, focusing initially on deposit accounts, credit cards and payment services. Larger financial institutions will need to comply first, with compliance dates staggered from 2026 to 2030 based on asset size. Notably, depository institutions with assets of $850 million or less are exempt from the rule’s requirements.
The early morning release of the Rule’s final draft has made reaction scarce at press time. Bank Policy Institute President and CEO Greg Baer released the following statement: “On initial review, it appears the CFPB’s final rule retains many of the deficiencies and omissions that plagued the proposed rule. Banks have worked for years to establish secure ways to share customer data whenever the customer asks. The CFPB’s rule disrupts this established process, requiring banks to share financial data with any third party without adequate safeguards to ensure the data is protected from fraud, misuse and abuse.”
The post CFPB Includes Payment Apps and Data Brokers in Final Rule 1033 appeared first on PYMNTS.com.