What Happened?
Last week the CFPB issued an Order recognizing the Financial Data Exchange, Inc. (“FDX”) as the first standard setting body (“SSO”) under the CFPB’s Personal Financial Data Rights Rule (the “Rule”). The Rule requires financial institutions, credit card issuers, and other financial providers (“Subject Entities”) to make available consumers’ financial data and transfer it to third parties, at the consumer’s request, for no charge. The final version of the Rule was released in October, and it is the subject of a lawsuit filed by the Bank Policy Institute and the Kentucky Bankers Association.
Why does it Matter?
Background:
FDX is a standard-setting organization with more than 200 member organizations in the United States and Canada, including depository and non-depository commercial entities; data providers and data recipients; and others. FDX’s stated primary purpose is to develop, improve and maintain a common, interoperable standard for secure consumer and business access to financial records.
SSOs:
The Role of SSOs is to issue consensus standards to help entities comply with the Rule, including protocols for secure data sharing. In June 2024, the CFPB finalized a rule outlining the qualifications to become a recognized industry standard setting body. The CFPB identified five key qualifications that standard setting bodies must demonstrate in order to be recognized by the CFPB, including openness, transparency, balanced decision-making, consensus, and due process and appeals.
The CFPB’s recognition of FDX as an SSO is subject to a number of conditions, including:
- Ban on “pay-to-play” and other conflicts of interest: FDX is to develop standards to promote open banking without regard to sponsorships or other financial incentives to give certain market participants an unfair advantage. FDX must ensure that the organization and its staff do not have any side arrangements that would skew its financial incentives toward particular entities.
- Mandatory reporting on market adoption: FDX is required to report to the CFPB on market use of its consensus standards and/or maintain a publicly available resource where companies can disclose their use of standards as well as any certifications of adherence to standards, for the benefit of open banking participants, regulators, and the public.
- Transparency and availability of standards: FDX must make available to the public any consensus standards that it adopts and maintains, subject to reasonable safeguards, and to ensure that non-members have the same access as members do. FDX must also make publicly available information about its standards development and issuance processes.
What’s Next?
Although FDX was recognized as the first SSO, the CFPB continues to evaluate other applications for SSO recognition. As these organizations will have significant impact on the way Subject Entities comply with the Rule, those entities should monitor the issuance of consensus standards as they develop.