Skip to main content
November 21, 2023

CFPB Takes Action Aimed At Promoting Open Banking and Enhancing Oversight of Consumer Finance Markets


The Bureau of Consumer Financial Protection (CFPB) in the last month made three significant announcements aimed at shifting the financial services industry towards a more “open” system for consumers and strengthening the CFPB’s oversight of certain consumer finance markets:

  • On October 11, the CFPB issued first-of-its-kind guidance on section 1034(c) of the Dodd-Frank Act advising that financial institutions with over US$10 billion in assets cannot charge hidden fees to consumers for reasonable data requests.
  • On October 19, the CFPB announced a notice of proposed rulemaking (NPRM) under section 1033 of the Dodd-Frank Act that would require financial institutions to provide consumers with the ability to transfer their personal financial data.
  • On November 7, the CFPB released an NPRM that would establish supervisory oversight of digital payment providers under section 1024 of the Dodd-Frank Act.

This Advisory provides an overview of the proposed rulemakings and new CFPB guidance and outlines several key takeaways for financial institutions. Together, these actions show a CFPB moving to level the playing field between traditional large financial institutions, community banks, and “Big Tech” companies. Along with reports that the agency is staffing up its Enforcement Division, these actions suggest that the CFPB will continue its aggressive approach to protecting consumers across the financial services industry through a mix of administrative actions.

Takeaways for Financial Institutions

The CFPB’s recent actions come as part of the Biden-Harris administration’s initiative to lower costs and increase transparency for consumers in the financial services industry. In 2022, as part of President Biden’s agenda to increase competition following his Executive Order on Promoting Competition, President Biden called on federal agencies to crack down on surprise, hidden fees and the challenges consumers face in switching away from their service providers.

Following the creation of the CFPB’s Office of Competition and Innovation in 2022, which is tasked with promoting competition and identifying stumbling blocks for new market entrants, these recent moves show that the CFPB is focused on protecting consumers’ ability to toggle freely and safely between traditional and non-traditional financial products and services:

  • The CFPB’s Advisory Opinion regarding section 1034(c) highlights the agency’s interest in controlling the competitive advantages that it perceives incumbent financial institutions have over newer firms. According to the CFPB, when consumers are “stuck” with their service providers, those providers are not incentivized to provide better service. The CFPB’s so-called “junk fee” initiative can be seen as an effort to constrain the ability of financial institutions to impose any number and amount of charges on consumers when there are little to no competitive consequences for doing so.
  • Likewise, the CFPB’s proposed rulemaking under section 1033 was accompanied by prepared remarks by Director Rohit Chopra in which he expressed that he believes “a handful of very large banks and financial firms control much of the market,” and that the proposed rule will “lead to a more open and decentralized banking and finance system where consumers can more easily switch, escape junk fees, and obtain better service, rather than feeling stuck and taken for granted.” Director Chopra noted that the proposed rule would help smaller financial institutions and startups attract consumers away from larger institutions.
  • Finally, the CFPB’s proposed rulemaking under section 1024 is a decisive move toward bringing “Big Tech” companies under its authority to protect consumers. The CFPB has recognized that non-traditional financial products and services have blurred the traditional lines separating banking and payments from commercial activities. The agency has asserted that this dynamic may expose consumers to risk, especially when traditional banking safeguards like deposit insurance may not apply. To the extent that digital payment apps compete with bank products, the proposed rule is intended to foster a level playing field and protect consumers who may not appreciate the differences between these products.

The CFPB has signaled that there is still more to come. With respect to “junk fees,” the CFPB has demonstrated that it is taking a wide focus on fees and charges utilized by financial institutions and will incrementally expand the list of fees and charges that it considers to be unlawful. Regarding consumers’ rights to their personal financial data, the CFPB has indicated that it intends to cover additional product types — beyond financial firms offering transaction accounts like checking accounts, prepaid cards, credit cards, and digital wallets — in future rulemakings. And, given the broad grant of supervisory authority under section 1024 to the CFPB over large participants operating in markets for consumer financial products and services that play a substantial role in consumers’ everyday lives, we anticipate that the CFPB will continue to issue new rulemakings expanding its supervisory reach in this space.

Proposed Rulemaking Defining Larger Participants of a Market for General-Use Digital Consumer Payment Applications

The CFPB’s proposed rule would extend the agency’s supervisory authority over 17 “Big Tech” companies, including Apple, PayPal, Venmo, and Google, which each offer consumer financial products and services commonly described as “digital wallets,” “payment apps,” “funds transfer apps,” and “person-to-person payment apps.” Under the proposed rule, the CFPB would conduct regular examinations of these digital payment providers for compliance with applicable federal consumer financial protection laws, including protections against unfair, deceptive, and abusive acts and practices, rights of consumers transferring money, and privacy rights. These 17 digital payments providers collectively facilitated 12.8 billion individual transactions in 2021, totaling US$1.7 billion in value.

Despite requesting information from Amazon and Chinese giants Alipay and WeChat Pay in 2022 in anticipation of this proposed rule, the CFPB has expressly excluded such digital marketplaces from its proposed supervision. However, the CFPB explicitly included digital currency payments, including tokens and other crypto assets, which is potentially a sea change for digital payment providers who will now have a federal agency examining their policies and operations from the inside out. Perhaps more significantly, the CFPB’s supervisory authority would also extend to service providers of the “Big Tech” larger participants under the proposed rulemaking. This could mean that there is a significantly larger pool of market participants who will now be under federal scrutiny.

The proposed rule would be the sixth in a series of rulemakings that have extended CFPB supervisory authority by defining larger participants of markets for consumer financial products and services for purposes of section 1024(a)(1)(B). The CFPB has already issued rules allowing for examination of larger participants in the markets of consumer reporting, consumer debt collection, international money transfers, and automobile financing.

If finalized, the proposed rulemaking would subject to CFPB supervision larger nonbank companies that participate in the market for “general-use digital consumer payment applications.” The proposed rule would define a market for general-use digital consumer payment applications to cover consumer financial products and services that provide “funds transfer functionality” or “wallet functionality” through a digital application for consumers’ general use in making “consumer payment transactions,” as defined in the proposed rule. The proposed rule defines a “consumer payment transaction” as “the transfer of funds by or on behalf of a consumer physically located in a State to another person primarily for personal, family, or household purposes.” This term would exclude four types of transfers:

  1. International money transfers defined under 12 C.F.R. § 109.107(a)
  2. A transfer of funds by a consumer that is either linked to the consumer’s receipt of a different form of funds, such as a transaction for foreign exchange or excluded from the definition of “electronic fund transfer” under Regulation E
  3. A payment transaction conducted by a merchant for the sale or lease of goods or services, which a consumer selected from a store or marketplace operated prominently in the merchant’s name or its affiliated company
  4. An extension of consumer credit made by using a digital application provided by the person extending the credit or that person’s affiliated company

The first two exclusions deal with remittances, for which there is already a larger participant rule, and foreign currency exchanges. The CFPB “expects that participants in the proposed market will generally be aware of indicators regarding the consumer’s location at the time of the transaction” for the purposes of determining whether the payments are initiated by a consumer physically located in a foreign country, and thus excluded from the definition of “consumer payment transaction.” This will put significant responsibility on digital payment providers to collect and maintain information about the consumers using their platforms in a way that may be designed to complement recent agency actions targeting crypto exchanges for money laundering and sanctions abuses. Regardless, the proposed rule creates incentives for companies to provide enhanced visibility into the sources and destinations of their digital currency transactions that clearly benefit the government’s interest in oversight and law enforcement.

Under the proposed rule, a “funds transfer functionality” would include either receiving funds for the purpose of transmitting them, or accepting and transmitting payment instructions. A “wallet functionality” would include a product or service that stores account or payment credentials, including in an encrypted or tokenized form, and transmits, routes, or otherwise processes stored account or payment credentials in connection with a consumer payment transaction.

The proposed rule defines “digital application” as a software program that is “accessible to a consumer through a personal computing device,” such as a mobile phone, and either downloaded to such a device or accessed via the internet or biometric identifier. Moreover, the use of a payment functionality is “general” if it includes “the absence of significant limitations on the purpose of consumer payment transactions,” such as sending funds to friends and family. The proposed rule offers four examples of payment functionalities that are not for “general-use”:

  1. A payment functionality used solely to purchase or lease specific services, goods, or property, such as transportation, food, or a dwelling
  2. A payment functionality from certain tax-advantaged health medical spending accounts, dependent care accounts, transit or parking reimbursement arrangements, closed-loop accounts for spending at certain military facilities, and several types of gift certificates and gift cards
  3. A payment functionality to pay a debt or repayment of an extension of consumer credit, such as through a consumer mortgage lender’s mobile application or website
  4. A payment functionality that solely helps consumers divide up charges and payments for specific goods or services, such as a payment application that aids consumers in splitting a restaurant bill

The proposed rule sets forth a two-part test to determine whether a nonbank covered person is a larger participant of the general-use digital consumer payment applications market. A nonbank covered person would be a larger participant if it (1) together with its affiliated companies, provides general-use digital consumer payment applications with an annual volume of at least five million consumer payment transactions; and (2) does not constitute a “small business concern” based on the Small Business Administration’s size standard list under 13 C.F.R. Part 121. Any nonbank covered person that qualifies as a larger participant would remain a larger participant until two years from the first day of the tax year in which the person last met the larger-participant test.

Comments on the proposed rulemaking are due on or before January 8, 2024, or 30 days after publication of the proposed rule in the Federal Register, whichever is later.

Proposed Rulemaking on Personal Financial Data Rights (Data Portability Rule)

According to Director Chopra, the proposed data portability rule is designed to “accelerate much-needed competition and decentralization in banking” by giving customers “the power to walk away from bad service” and more easily switch providers. The proposed rule would require covered financial institutions to provide consumers and authorized third parties, upon request, access to personal financial information in electronic form and a standardized format. The proposed rule would, for the first time, implement section 1033 of the Dodd-Frank Act, preventing covered financial institutions from imposing any fees on consumers or authorized third parties in connection with a data request.

If finalized, the proposed rule would impose several new obligations on “data providers” and “authorized third parties.” A “data provider” includes “financial institutions” as defined under Regulation E, “card issuers” as defined under Regulation Z, and other payment facilitation providers that control or possess information related to a covered consumer financial product or service. The proposed rule excludes depository institutions that do not have a “consumer interface,” an interface by which a data provider receives requests for covered data and makes available such data in electronic form. Under the proposed rule, an “authorized third party” includes entities that seek access to “covered data” on behalf of a consumer and have complied with authorization procedures set forth in the proposed rule.

Subject to exceptions, data providers would be required to provide authenticated customers, authorized third parties, or data aggregators acting on behalf of authorized third parties with “covered data” related to a “covered consumer financial product or service” through a digital interface. The proposed rule defines “covered data” as the following:

  • Transaction information
  • Account balances
  • Information to initiate payment to or from a Regulation E account
  • Terms and conditions
  • Upcoming bill information
  • Basic account verification information

“Covered data” would not include confidential commercial information; information collected for the sole purpose of preventing fraud or money laundering; information collected for the detection or making of any report regarding other unlawful or potentially unlawful conduct; information required to be kept confidential by any other provision of law; and information that the data provider could not retrieve in the ordinary course of its business with respect to that information. The proposed rule also defines a “covered consumer financial product or service” as an account defined under Regulation E, a credit card defined under Regulation Z, or the facilitation of payments from a Regulation E account or Regulation Z account.

The proposed rule would require data providers to establish and maintain a “consumer interface” and a “developer interface,” by which the data provider would receive requests for covered data related to a covered consumer financial product or service. Consumer and developer interfaces would need to provide covered data, upon request, in a machine-readable file that could be retained by a consumer or authorized third party and transferred into a separate information system. The proposed rule would also require additional standardized format, performance, and security requirements of a data provider’s developer interface, as well as written policies and procedures to ensure retention of records.

The proposed rule would limit a third party’s collection, use, and retention of any covered data to what is “reasonably necessary” and prohibit the sale of covered data. Third parties would also be subject to authorization and certification procedures, as well as requirements related to security, written policies and procedures, and document retention.

Following publication of the final rule in the Federal Register, the proposed rule would impose four tiered compliance dates. The first compliance date would occur six months after publication and apply to depository institutions with at least US$500 billion in total assets. The second compliance date would occur one year after publication and apply to depository institutions with at least US$50 billion in total assets. The third compliance date would occur two and one-half years after publication and apply to depository institutions with at least US$850 million in total assets. The final compliance date would occur four years after publication and apply to depository institutions with less than US$850 million in total assets.

Comments on the proposed rulemaking may be submitted on or before December 29.

Advisory Opinion on Consumer Information Requests to Banks and Credit Unions

As discussed in our prior Advisory, Section 1034(c) of the Dodd-Frank Act generally requires that covered depository institutions — banks and credit unions with more than US$10 billion in assets — and their affiliates comply with consumer requests about financial products and services related to their accounts in a “timely manner,” subject to limited exceptions and with supporting written documentation. In addition to detailing how the CFPB will administer legal requirements under section 1034(c), the Advisory Opinion notes that fees for consumer inquiries into (1) deposit accounts; (2) loan balances; (3) supporting documentation, such as check images or an original account agreement; and (4) time spent seeking such information or documentation likely constitute an “unreasonable impediment” in violation of section 1034(c).

Institutions interested in how the CFPB’s Advisory Opinion and proposed rulemakings may impact their businesses or wishing to submit comments to the CFPB may contact any of the authors of this Advisory or their usual Arnold & Porter contact. The firm’s Financial Services team would be pleased to assist with any questions about the Advisory Opinion and NPRMs, submitting a comment to the agency, or financial regulation or consumer protection more broadly.

© Arnold & Porter Kaye Scholer LLP 2023 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.