U.S. Consumer Financial Data Rights are Almost Here

At MX, we believe in the power of financial data to unlock new insights and drive better money experiences that benefit companies and consumers alike. An open finance ecosystem — where everyone can access and act on financial data — enables smarter, faster, and more reliable money experiences. 

However, until now, consumer financial data access and control has primarily been left up to the financial institutions, fintechs, and other third parties involved. MX has been working with our customers, partners and the wider ecosystem to accelerate Open Banking and secure data sharing for the past 5 years. The Consumer Financial Protection Bureau (CFPB) recently published its long-awaited notice of proposed rulemaking (NPRM) for personal financial data rights under Dodd-Frank Act Section 1033. 

This is an important milestone in making sure consumers have the right to access and control their financial information. We believe that it will lay the groundwork for the United States to move into the next chapter of fintech innovation. A clear, cross-agency regulatory framework will accelerate adoption of Open Finance, improve the money experience, and help drive better financial outcomes for millions of Americans.

As the CFPB works towards this final rulemaking, here are three things financial institutions, fintechs, and other data providers and recipients can do today: 

1. Read the proposed rule to make you understand what this means for your organization, including types of data covered and how it will impact your processes, technology, and systems. (See below for our summary on what this NPRM includes)
2. Help inform the final rulemaking by providing commentary to the CFPB ahead of its comments deadline on December 29. 
3. Understand where your organization will fall on the timeline to be compliant — and start planning budgets and resources needed to meet these deadlines. Larger organizations (based on total assets or revenue) will have a heavier lift in the short term to meet requirements in the first six months, while others will have at least 1 year or more. 

What is Section 1033? 

In 2010, Congress passed the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act). Section 1033 authorizes the CFPB to prescribe rules requiring “a covered person [to] make available to a consumer, upon request, information in the control or possession of the covered person concerning the consumer financial product or service that the consumer obtained from such covered person, including information relating to any transaction, series of transactions, or to the account including costs, charges and usage data.”

What Does the Notice of Proposed Rulemaking Include? 

It’s important to note that the CFPB isn’t attempting to cover the entire financial ecosystem with its initial proposed rulemaking. The NPRM calls out Regulation E accounts and Regulation Z credit card accounts to start. This includes checking accounts, savings accounts, credit cards, prepaid cards, digital wallets, and other electronic payments. 

Any data provider, financial institution, card issuer, or other entity that controls or possesses information concerning one of these covered products or services will be subject to this ruling. We expect more financial products, such as investments, loans, mortgages, etc., to be added over time. 

What’s Next

The CFPB is currently seeking comments on or before December 29, 2023, on any aspect of this proposal, with plans to finalize and issue the final ruling by Fall 2024. MX will actively participate in the comment period. We look forward to collaborating with our clients and partners to ensure a wide spectrum of voices are represented, including industry partners such as the Financial Data Exchange — particularly around creating industry standards that drive collaboration and innovation to deliver the outcomes consumers need and deserve. 

Director Chopra said in his prepared remarks that the CFPB will also “be issuing additional information on how industry standard-setting organizations can obtain recognition from the CFPB. Market players will be able to look to these standards, which will evolve with time as technology progresses, to be part of the new open banking ecosystem in the United States. We also intend to cover additional product types in future rulemaking, to continue to foster more competition and consumer choice throughout the market.” 

Once the final rule is published, the CFPB NPRM currently outlines 4 compliance dates for data providers based on asset size or revenue: 

Why Consumer Financial Data Rights Matter

Today’s money experience is inherently messy both for consumers and financial providers seeking to meet increasingly complex consumer needs. Consumers must look across a multitude of financial accounts to try to manage their financial life — with most maintaining relationships with an average of 5 to 10 different financial services organizations, from their primary bank to PayPal and Venmo to various credit cards, investment accounts, and loans. And, today’s closed financial ecosystem makes it difficult for consumers to switch to a new financial provider or take their financial data with them.  

We’ve all heard the expression that knowledge is power. Engaging with their finances on multiple platforms means they don’t have a consolidated view of their financial data or who may be accessing it. And, if they ever choose to leave their current providers, it’s not easy to transfer and take their financial data with them. 

Consumers should own, have access to, and have the ability to control all their financial data. Full stop. And, consumers overwhelmingly agree (82%) that they own their financial data and should be able to control who has access to it. 

This empowers consumers to better understand their finances and make financial decisions that will improve their overall health (e.g., seek improved interest rates, increase savings rates, etc.) — as well as spur innovation and competition in the marketplace. 

Why Standardized APIs are Important

Most financial data sharing still relies on less reliable and less secure methods that require consumers to share credentials with a third party. This screen scraping or credential sharing is less reliable and places a heavy technical burden on bank infrastructure, which creates an unstable customer experience. Connections frequently break as passwords, systems, and processes change. 

This leads to frustration and could potentially cost businesses customers in the long run. Screen scraping also puts consumers and businesses at increased risk since it requires consumers to provide usernames and passwords to a third party. And, consumers may be left wondering who has access to their data while businesses have little visibility into where data is shared.

An open banking or open finance application programming interface (API) allows consumers to access their transaction data without the need to share usernames and passwords, and eliminates the technical burden of screen scraping. Direct connections replace credentials with tokens, delivering higher levels of security, faster speeds, and higher connection success rates. 

How MX Can Help

MX is making it easier than ever for financial institutions of all sizes to accelerate open finance adoption and enhance the money experience for consumers through Data Access. The platform enables institutions to deliver a safe and secure connectivity experience for their customers. With consumer authorized and permissioned data sharing, customers gain visibility and control over which apps and institutions access their data — enabling them to grant, manage, and revoke access at any time. 

Data Access is an open API platform built on FDX standards that improves time-to-market and reduces costs to deliver secure data sharing, as well as provide the groundwork for greater insights about customer behaviors, trends, and needs. It provides financial institutions with the ability to monitor and manage where consumers are sharing their financial data and the tools to implement a more secure data-sharing experience with token-based connectivity.