The US Consumer Financial Protection Bureau (CFPB) has recently proposed a rule that would have a significant impact on how financial institutions handle customer data. The rule, known as the Personal Financial Data Rights rule, aims to give consumers more control over the data they share with these institutions and to impose certain restrictions on how the data is handled. The CFPB believes that this rule will promote competition and provide benefits to both consumers and financial institutions.
Under this proposed rule, consumers would have more control over the personal information they share with banks and other financial institutions. This increased control would allow consumers to switch to better-value providers if they choose to do so. The CFPB outlines four main benefits for consumers under this rule. First, consumers would have the right to receive their data free of any additional fees. Financial institutions would be required to make personal financial data available, free of charge, through safe and secure digital interfaces. Second, consumers would have a legal right to share their data with third parties, such as for cash flow-based underwriting or account management from multiple providers. This would make it easier for consumers to switch providers and access a wider range of products and services. Third, the rule would allow consumers to walk away from bad services and products, increasing competition among financial institutions. Lastly, the rule aims to foster competition and benefit consumers overall.
The CFPB believes that financial institutions will also see benefits from this rule. The rule includes robust protections to prevent unchecked surveillance and misuse of data. Third parties authorized to access consumer data would have to agree to certain conditions that limit their use and retention of the data. This would prevent them from using the data for targeted or behavioral advertising, and instead, they would be required to limit themselves to what is necessary to provide the requested product or service. The rule also gives consumers the right to revoke access to their data, ensuring meaningful consumer control. In addition, the rule aims to move the market away from risky data collection practices, such as screen scraping, which often requires consumers to share their usernames and passwords with third parties. By doing so, the rule promotes fair industry standard-setting, encouraging the development of standards that are fair, open, and inclusive.
The cybersecurity industry has reacted positively to this proposed rule. Ameya Talwalkar, CEO of Cequence Security, sees the rule as a significant step towards open banking and open finance practices in the United States. Talwalkar believes that this rule will promote safety, security, and reliability in data exchange and collection. He emphasizes the importance of well-engineered APIs in compliance with this rule, as APIs have become a prime target for cyberattacks. Financial institutions can enhance their API architecture and security by adopting a comprehensive API protection solution and implementing measures to safeguard API integrity and remain vigilant against emerging threats.
The Personal Financial Data Rights rule will be implemented in phases, with larger institutions being the first to fall under its requirements. The CFPB is currently inviting comments on the proposed rule, and stakeholders have until December 29th to submit their feedback. The rule, if implemented, has the potential to transform how financial institutions handle customer data and empower consumers with more control over their personal information.