CFPB Proposes New Rule on Personal Financial Data Rights

6 months ago AndyC

Listen to this post

On October 19, 2023, the Consumer Financial Protection Bureau (“CFPB”) proposed a new

CFPB Proposes New Rule on Personal Financial Data Rights
Listen to this post

On October 19, 2023, the Consumer Financial Protection Bureau (“CFPB”) proposed a new rule that would provide consumers with more control over their financial information and impose certain requirements on the following types of entities:

  •  “Data providers,” which (subject to certain exclusions) is defined as (1) a “financial institution,” as defined under Regulation E; (2) a “card issuer,” as defined under Regulation Z; or (3) any other person that controls or possesses information concerning a covered consumer financial product or service the consumer obtained from that person. 
  • “Authorized third parties,” which is defined as any third party that has complied with the authorization procedures specified in the proposed rule.

The proposed rule would apply to any “covered financial product or service,” meaning any “account” as defined under Regulation E, any “credit card” as defined under Regulation Z and any product or service that facilitates payments from a Regulation E account or Regulation Z credit card.

In general, the proposed rule aims to implement consumers’ right to access their financial data in a data provider’s possession, custody or control, and transfer that data to authorized third parties. In particular, data providers would be required to provide a consumer’s “covered data” (e.g., transaction information, account balance, upcoming billing information) to the consumer, the consumer’s authorized third parties (e.g., fintech companies) or data aggregators acting for the authorized third parties. Data providers also would be required to create a dedicated, secure and reliable “developer interface” to receive and respond to requests for covered data. 

In addition, authorized third parties and data aggregators would be required to limit collection, use and retention of covered data to what is reasonably necessary to provide the consumer’s requested product or service. To that end, such third parties would be explicitly prohibited from using covered data for certain purposes, including targeted advertising, cross-selling of other products or services or sales of covered data. These third parties also would be prohibited from collecting, using or retaining a consumer’s covered data beyond a one-year period, absent the consumer’s reauthorization (unless continued use and retention remains necessary to provide the consumer’s requested product or service).

The CFPB has invited comments on the proposed rule, including on other consumer financial products and services that could be covered via subsequent rulemaking. Comments may be submitted to the CFPB until December 29, 2023.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , , , , , , , , ,

More Stories

CIPL Publishes Report on Enabling Beneficial and Safe Uses of Biometric Technology Through Risk-Based Regulations

CIPL Publishes Report on Enabling Beneficial and Safe Uses of Biometric Technology Through Risk-Based Regulations

3 days ago AndyC
CIPL Publishes White Paper on Leveraging Data Responsibly and a Holistic Data Strategy

CIPL Publishes White Paper on Leveraging Data Responsibly and a Holistic Data Strategy

4 days ago AndyC
New Bipartisan Federal Privacy Proposal Unveiled: American Privacy Rights Act

New Bipartisan Federal Privacy Proposal Unveiled: American Privacy Rights Act

5 days ago AndyC
EDPB Issues Opinion on Pay-Or-Consent Models

EDPB Issues Opinion on Pay-Or-Consent Models

7 days ago AndyC
UK ICO Launches Latest Installment in the AI Consultation Series

UK ICO Launches Latest Installment in the AI Consultation Series

2 weeks ago AndyC
Connecticut Attorney General Issues Report on Privacy Law Enforcement Priorities

Connecticut Attorney General Issues Report on Privacy Law Enforcement Priorities

3 weeks ago AndyC

You may have missed

<div>Equifax & Norton team up to bolster Australian Cyber Safety</div>

Equifax & Norton team up to bolster Australian Cyber Safety

2 hours ago AndyC
Portnox teams up with Bugcrowd for private bug bounty programme

Portnox teams up with Bugcrowd for private bug bounty programme

2 hours ago AndyC
Top 10 barriers to strategic IT success

Top 10 barriers to strategic IT success

2 hours ago AndyC
Dump the RFP to reap better outsourcing results

Dump the RFP to reap better outsourcing results

2 hours ago AndyC
The new CIO mandate: Selling AI to employees

The new CIO mandate: Selling AI to employees

2 hours ago AndyC

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.