Pub. 3 2023 Issue 6

the third parties and aggregators and the scope of that authorization. Access may be denied based on “reasonable” “risk management concerns,” and the bank is required to document the specific reason for those risk management concerns. Banks will be required to properly process a consumer’s termination or extension of third-party access.6 The rule also includes requirements for the third parties and data aggregators and limits on how they can use the data acquired.

Public Disclosures

The rule requires banks to post on their websites (in prescribed formats) certain information about the bank and its developer interface and a monthly rule-prescribed “quantitative minimum performance specification,” which is a response rate for the bank’s developer interface.

Policies and Procedures/Record Retention

The rule includes significant requirements for written policies and procedures to address compliance with the rule and specific record retention requirements.

Potential Rule Revisions

The rule is not final at this point, and comments are due on the proposed version by Dec. 29, 2023.7 The rule cannot become final until those comments are processed and a final rule is issued and published. Such final rule could change based on comments received on the proposed rule.

Effective Dates

The required compliance dates for banks in the proposed rule are:

• $500B+ total assets — six months after final rule publication
• $50B to $500B total assets — one year after final rule publication
• $850M to $50B total assets — two-and-a-half years after final rule publication
• Less than $850M total assets — four years after final rule publication

Key Legal and Risk Considerations

Cyber Risk Issues

Despite the rule’s focus on cyber risk, it will likely open up new opportunities for hackers and fraudsters to steal consumer financial data and funds. Over the last several years, cyber fraud incidents have been skyrocketing, and community banks can expect an additional layer of cyber risk and related costs due to the rule’s mandate of “developer interfaces.” The rule does not include any type of regulatory “hold harmless” provision to protect banks that are forced by the rule to allow third parties to access consumer account data and to incur related risks from hacking, fraud, identity theft, data breaches, etc.

Shifting Risk by Contract

Banks should consider implementing contractual provisions (e.g., liability limits and indemnification) to shift risk to consumers who authorize other parties to access their accounts and to those third parties. The rule appears to be silent on this issue. Some risks may not be transferable.

Potential Litigation Risk

The primary enforcement vehicle for the rule against banks will be the CFPB (or other applicable regulatory authority) using exam findings or enforcement actions. However, the obligations under the rule will likely be used to facilitate or bolster private rights of action under state common law, contract law and consumer protection law. ■

REFERENCES

1. 88 Fed. Reg. 74796 (Oct. 31, 2023).
2. John Heltman, Chopra: Open banking helps small banks ‘steal the lunch’ of big banks, American Banker (Oct. 20, 2023).
3. “Screen scraping” usually involves a customer providing account access credentials to a third party to access the customer’s online financial account and extract data from it to be used to offer the customer a service (such as comparisons of pricing and terms among providers or budget/financial analysis) by entering the data into another application.
4. Note that banks with $10B+ in total assets are already subject to a related CFPB restriction on fees for customer information access under a recent CFPB Advisory Opinion published at 88 Fed. Reg. 71279.
5. The rule also applies to credit unions and certain nondepository institutions. Specifically, it applies to any financial services provider that is a “financial institution” under Regulation E (12 CFR 1005) or a “card issuer” under Regulation Z (12 CFR 1026) or that controls or possesses information and certain account data regarding the types of accounts covered by the rule. The rule refers to all of these entities as “data providers.”
6. Each access authorization is terminable by the consumer at any time and limited to a one-year term under the rule.
7. The Missouri Independent Bankers Association joined with the Independent Community Bankers of America and a host of other community bank trade associations to request that the CFPB extend this comment deadline to the end of March 2024. ICBA Comment Letter, Docket No. CFPB-2023-0052 — Request for Extension of Comment Period for Notice of Proposed Rulemaking on Personal Financial Data Rights (Nov. 7, 2023).

The Show-Me Banker Magazine | 33
