WASHINGTON — The Consumer Financial Protection Bureau has finalized
"Industry standards can be weaponized by dominant firms in order to maintain their market position, undermining competition for all," said CFPB Director Rohit Chopra in a statement. "Today's rule will prevent these firms from rigging standards in their favor by identifying attributes the CFPB will use to recognize standard setters."
The rule was briefly published late Tuesday evening before the bureau took it down. The CFPB released the rule, alongside a press release, Wednesday morning.
In order to be recognized by the CFPB, the bureau said that standard setters can't be "rigged in favor of any set of industry players."
"Achieving balance requires recognition that, even when a participant may play multiple roles, such as data provider and authorized third party, the weight of that participant's commercial concerns may align primarily with one set of interests," the bureau said. "The ownership of participants is considered in achieving balance."
Section 1033 of the Dodd-Frank Act requires that consumer financial data collected by companies be made available to consumers, who in turn may share it with other service providers, effectively allowing consumers to share their banking data directly with fintechs and other third parties. Under last October's proposed rule, the precise mechanisms and parameters of that data sharing will be managed by independent standard-setting organizations recognized by the CFPB.
Those bodies must be open to public interest groups, app developers and a broad range of financial firms of all sizes, the bureau said, and that no one interest can dominate the decision-making process. The procedures must be transparent to participants and publicly available, and the standards that the body puts out have to be reached through consensus "though not necessarily unanimity."
The rule finalized by the bureau also includes a mechanism for the CFPB to revoke the recognition of a standard-setting body.
The full open banking rule will be finalized in the "coming months," the bureau said. In that rule, the CFPB "expects to allow companies to use technical standards developed by standard-setting organizations recognized by the CFPB."
The rest of the rule is expected to outline how consumers should be made aware of where their data is held and how it is used, and address a debate about whether consumers should be given the option to "opt in" to or "opt out" of having their data used for secondary purposes.
Banks,
"Banks should be permitted to charge a reasonable fee for providing access to consumer information to third parties," said Mickey Marshall, Independent Community Bankers of America's assistant vice president and regulatory counsel. "This would permit banks to recoup some of the costs of creating a developer interface without leading to any cost to the consumer."
The Consumer Bankers Association had similar complaints: "The Bureau particularly misjudges the costs that data providers will face in building out the new data access ecosystem,"' said Brian Fritzsche, the CBA's vice president and associate general counsel. "There is also a major question as to whether Congress intended to impart such a dramatic mandate, including potential impacts to safe and sound banking practices, to the Bureau through this straightforward, and relatively brief, language regarding consumer access to information."
While the rule has taken heat from fintechs and banks, at least one lawmaker, House Financial Services Committee Chairman Patrick McHenry, R-N.C., who is typically among Chopra's chief critics, praised the CFPB's plan to give consumers the right to revoke access to their data at any time and to limit use by authorized companies to just one year, unless the consumer agrees to further access.
"A guiding principle behind section 1033 is that consumers will benefit from increased control and portability of their data," McHenry said in a comment letter. "Consumers should be empowered to know what data is being collected, where the data is stored, with whom the data is shared, and what rights those authorized third parties have with respect to consumers' data."