Welcome back to our deep dive series on the CFPB’s vision for open banking, aka Section 1033 of the CFPA. Without any further ado, let’s dig into Proposed SubPart A:
- The CFPB attempts to define those that would be required to make data available - Reg E asset accounts (most deposits providers), Reg Z Credit Cards (most banks who issue cards), and the big one - any products/services that facilitate payments from a Reg E account or Reg Z credit card, which could be any number of fintech or BaaS providers. They spell this out later on as being “covered consumer financial product” and any party that oversees these products as a “data provider” (including Digital Wallets and NeoBanks and even “similar nondepository entities”).
- The CFPB spells out the use cases - transaction based underwriting, payments, deposit account switching, comparison shopping for bank/cc account. They also acknowledge interchangeability of deposits and CC transactions, along with the power of digital wallets.
- They acknowledge pushback that will likely come from the 3rd category aka fintechs/neobanks/wallet providers, and say many of them are already qualifying as Reg E financial institutions and may also be Reg Z issuers (fact check? Is this true?)
- They claim that creating interoperability between all 3 of these provider types would create smoother/easier sharing, more security of data being shared (which is already happening).
- They explicitly state that mortgage, automobile, and student loans are not falling in “covered data.” The point here is that unlike deposit and CC transactions, there is no data-rich insight to be gleaned within each transaction - each transaction would just be a payment against that loan - thus no competition benefits in the CFPB’s eyes.
- They also brought up EBT cards/SNAP benefits, as something that could actually be more insightful from a consumer insight perspective if third parties were able to get access to it under this regulated framework. They note that they are considering it and invite comment on how to solve the existing EBT data availability issues, and whether third parties should have access to this. They acknowledged they don’t want to create new security issues.
- The fintechs aka BaaS providers and other “data providers” as defined previously are exempt from the new requirements/proposal if they don’t have a consumer interface. As the rule is intended to improve “consumer facing digital banking interfaces”, there wouldn’t be anything to improve in this scenario. Congratulations to all the infrastructure-based/back-end fintech companies for getting a break :D However, the CFPB notes that a number of small credit unions have no digital banking businesses and their customers transact exclusively face to face. They also acknowledged that the proposal only applies to Reg E/Reg Z relevant institutions.
- More on exemptions - there were suggestions regarding delays for implementing developer interfaces, creating thresholds for exemption eligibility requirements, and it has led the CFPB to consider if non-depositories (i.e. insurance companies, brokerage firms) that don’t provide interfaces for their customers should be exempt. I’m surprised the CFPB needs help on this :) as plenty of these companies may have white glove service, in which case digital interfaces won’t be used, but on the flip side, just as with mortgage and auto loans, there isn’t much to report for insurance transactions and in this writer’s opinion should be exempt. Brokerage, on the other hand, could really open things up especially given the value of trades and knowing where investments are concentrated/which companies are getting the customer’s investment regardless of the mechanism (cash, credit, stock purchase). I’d argue they might be valuable to include from a data perspective. The CFPB then leaves things dangling by asking if perhaps exempt depositories should still submit covered data non-electronically.
- More exemptions, discussing their original thought around not handing any of them out but acknowledging the compliance burden had they gone that route. They also noted that they haven’t proposed any grace periods for deposit institutions without consumer interfaces, but welcome comment on whether they should do this (these are already coming fast and furious, more on them in a future edition). They reiterate the need to have exemptions for small institutions that aren’t as “technologically sophisticated” and would be significantly negatively impacted by the rule. Then, just when you think they’re done, the CFPB openly wonders whether their customers might miss out on the benefits of open banking, and perhaps they should have either flexible compliance or at least some high level compliance requirements, or graduated applicability based on institution size.
- There’s some discussion around compliance dates especially for third parties (aka non-banks). The idea is that there would be four tiers of compliance, which can be influenced by the provider’s size, sophistication, their own use of third parties, and legacy infrastructure that would require more work to build around. While they are empathetic to depository providers that will need additional time, they don’t extend such sympathy to nondepository data providers. They note some concerns from the industry to focus on the small entities and second the concern on needing more time for data providers. The CFPB decided to use asset size and revenue instead of numbers of accounts in their tiering, noting that accounts could mean different things for different companies.
- The CFPB then dives into the actual compliance dates they have in mind, which appear to be as follows (and seeks comment on these tiers and dates):
  - 6 months after publication, focused on institutions with more than $500 billion in total assets/nondepository institutions with at least $10 billion in annual revenue (or projected)
  - One year after publication, focused on institutions with assets between $50 billion and less than $500 billion, and nondepositories with less than $10 billion in annual revenue (or projected)
  - Two and a half years after publication, focused on institutions with assets between $850 million and less than $50 billion
  - Four years after publication, focused on institutions with less than $850 million in assets.

  Interestingly, the CFPB is getting the most pushback in the comments since the publication of this proposal, on the reduced time for comment (90 days). We’ll have to see if they respond and extend the comment period.
- The CFPB brings up data providers again, raising the question of whether they should have staggered dates for them or even any period of time.
- We get a definition of “third party” - as the proposal allows third parties acting on behalf of consumers to access data. For the purposes of the proposal, this means “any person or entity that is not the consumer about whom the covered data pertains or the data provider that controls or possesses the consumer’s covered data.” It also expects third parties to follow authorization procedures to be able to obtain data under the rule (more on this later, presumably).
- We also get a definition of “data aggregator” - which in the context of the aforementioned third party, is an entity that is used by that third party to enable access to the data (which, without the CFPB saying it, brings the one-time phrase of “fourth party” back in my mind). Specifically, the authorization that is mentioned could be facilitated by these data aggregators, but they’d need to have disclosures and certifications of their own. Even further - is “data aggregator” the right term? Would the better term be “data intermediary?”
- The last definition (for now) the CFPB calls out is consumer - “a natural person.” This is important because it means the CFPB considers trusts to be a consumer, and does this to distinguish between the third parties that are authorized to access covered data.
- The last bit of SubPart A focuses on what a “qualified industry standard” is. They define that as a standard which is fair/open/inclusive, which means that it should have 1) openness (to all interested parties, interest groups, third parties, providers, aggregators, etc) 2) balance (decision making power balanced across all interested parties) 3) due process (publicly available policies/procedures, notice of standards, conflict resolution) 4) appeals process 5) consensus 6) transparency 7) recognition by the CFPB within the last three years as an issuer of qualified standards (they save the biggest one for last! so presumably, if a standard setting body has just come into existence, then it wouldn’t be qualified apparently). They then put it out there that if a provider complies with the rule directly, they are fine, but compliance with a standard doesn’t necessarily indicate compliance with the whole rule (since some of the rule doesn’t involve compliance with standards). Confused yet??
- The CFPB brings up standardized formats:
  - If data is made available in the format of a qualified industry standard, then it satisfies the rule’s requirement to use a standardized format
  - The same would apply to interfaces, where if they are in the format of similar data providers and no standard exists for that type of data/interface, then it would also meet the rule

  They raise a concern about standard setting bodies used to monopolize the space, and this leads to the CFPB expecting that bodies should promote a range and varying sizes of actors, and take input from all of them.
- In terms of technical format, the CFPB says that it won’t develop the infrastructure through which data could be processed and prefers to leave this to providers/aggregators to build, noting that their involvement could stifle competition.
- Closing the loop on standards, the CFPB notes that they will have a process to “certify” standard setting bodies, and asks for feedback on how they should go about recognition/certification, including when the recognition should happen in relation to issuance of a standard by the body. It also asks for input on how it should comment on the standards issued by the bodies - I’d be concerned about this, in that the same bodies that are supposedly certified may now get subject to CFPB scrutiny and may in fact lose some of their flexibility.
We’ll pause there for now. Like I said in the last edition, this is going to take quite a few issues to dig through! Stick with us and share your thoughts if you like how this is going!