NASCUS Summary on the CFPB Proposed Interpretive Rule/Request for Comment on EFTs Through Accounts Established for Personal, Family or Household Purposes Using Emerging Payment Mechanisms
January 2025 | 12 CFR Part 1005
The Consumer Financial Protection Bureau (CFPB) is proposing this interpretive rule to assist companies, investors, and other market participants evaluating existing statutory and regulatory requirements governing electronic fund transfers (EFTs).
Comments must be received by March 31, 2025. The proposed interpretive rule can be found here.
Summary
The Electronic Fund Transfer Act (EFTA) provides rights to consumers to dispute errors and limit their liability for unauthorized electronic fund transfers. The EFTA and Regulation E apply to an electronic fund transfer (EFT) that authorizes a “financial institution” to debit or credit a consumer’s account.
The term “electronic fund transfer” generally means any transfer of “funds” that is initiated through an electronic terminal, telephone, computer or magnetic tape for the purpose of ordering, instructing, or authorizing a financial institution to debit or credit a consumer’s account.
The CFPB interprets the term “funds” to include assets that act or are used like money and could include stablecoins, as well as any other similarly situated fungible assets that either operate as a medium of exchange or as a means of paying for goods or services. The Bureau notes that the adoption of new technologies raises questions about the rights/liabilities of consumers who use the EFT services and the responsibilities of financial institutions that offer them.
The proposed interpretive rule notes that market participants that are offering new types of payment mechanisms to facilitate electronic fund transfers should determine whether their accounts are subject to the EFTA and Regulation E. If so, participants are required to provide certain consumer protections such as:
- Error resolution
- Limiting a consumer’s liability for unauthorized EFTs
- Provision of initial and ongoing disclosures
- Provision of periodic statements and change in term notices
Comment Request
The CFPB is soliciting comments on the proposal generally and may make revisions when issuing the final interpretive rule based on the feedback received.
Final Rule Summary
NCUA: Minority Depository Institution Preservation Program
NASCUS Legislative and Regulatory Affairs Department
February 29, 2024
The NCUA Board issued final revisions to Interpretive Ruling and Policy Statement (IRPS) 13-1, regarding the Minority Depository Institution (MDI) Preservation Program. IRPS 13-1 was initially proposed in 2013 and finalized in 2015 establishing the MDI Preservation Program to encourage the preservation of existing MDIs and establish new MDIs.
In June 2023, the Board invited comment on proposed revisions to IRPS 13-1. The proposed revisions included:
- Transferring the administration of MDIs to CURE to reflect the agency’s current structure;
- Clarifying that “community it serves” means a credit union’s field of membership;
- Adding a reference to agency guidance to examiners regarding supervision of MDIs;
- Clarifying the process for reviewing an MDI’s designation status; and
- Adding new subsection headings and expanding the discussion of agency actions and policies in MDI engagement, technical assistance for MDIs, examinations of MDIs, grants and loans, and training.
The revisions were adopted as proposed and are effective March 27, 2024.
Summary
The final IRPS 13-1 consists of four categories with subcategories reflecting the proposed revisions. The categories consist of:
- Goals and Objectives of the Minority Depository Institution Preservation Program
  - Preserve the number of MDIs;
  - Preserve the minority character of MDIs involved in mergers and acquisitions;
  - Provide technical assistance to prevent insolvency of MDIs that are not now insolvent;
  - Promote and encourage the creation of new MDIs; and
  - Provide training, technical assistance, and educational programs for MDIs.
- Description of the Minority Depository Institution Preservation Program
  - The MDI Program is administered by NCUA’s CURE office. NCUA will meet periodically with state regulators, other federal regulators, and stakeholders to discuss outreach efforts and identify areas to work together to assist MDIs.
  - NCUA initiatives to assist MDIs:
    - Consulting and support programs;
    - Training and education;
    - Grants and loans through the NCUA’s Community Development Revolving Loan Fund (CDRLF); and
    - Technical assistance.
- Minority Depository Institution Designation Eligibility
  - A majority of the credit union’s current members are from any of the eligible minority groups;
  - A majority of the members of the credit union’s board of directors are from any of the eligible minority groups; and
  - A majority of the community the credit union serves, as designated in its field of membership, are from any eligible minority groups.
- Monitoring and Reporting on Minority Depository Institutions
  - NCUA will monitor MDIs and report to Congress annually:
    - The number and overall financial condition of MDIs;
    - Any actions taken by the agency to preserve and strengthen MDIs and encourage the chartering of new MDIs;
    - A summary of the NCUA’s efforts to obtain feedback from MDIs on the effectiveness of the agency’s MDI support and preservation activities; and
    - A list of MDIs on its website.
NCUA Research Note on Overdraft, NSF Fees at Credit Unions
NASCUS Legislative & Regulatory Affairs Committee
(January 16, 2025) The National Credit Union Administration (NCUA), Office of the Chief Economist (OCE), released a Research Note that provides statistics on overdrafts and NSF fees and observations on their relationship with other revenues.
In Q1 2024, the NCUA began collecting information on year-to-date overdraft (OD) and non-sufficient funds (NSF) fee revenue. This data collection was recently discussed in LTCU 24-CU-03, Consumer Harm Stemming from Certain Overdraft and Non-Sufficient Funds Fee Practices.
The Research Note analyzes statistics for OD and NSF fee revenues as a fraction of total revenues. The analysis utilized data from the first three quarters of 2024, dividing credit unions into categories based on the share of their revenue derived from these two sources.
The Research Note provides two observations on the relationship between OD and NSF fees and other revenue sources:
- Credit unions with higher combined OD and NSF fees per member do not seem to have lower fees per member for other services.
  - Analysis provided in the Research Note indicates there was little evidence of an inverse relationship between these fees and fees for other services.
- Credit unions with higher combined OD and NSF fee revenues do not seem to be using those fees to “subsidize” better interest rates.
  - Analysis comparing OD and NSF fees to net interest margins for FCUs and FISCUs indicates that higher combined OD and NSF fees are associated with higher net interest margins.
The Research Note provides several graphs detailing the analysis and concludes by stating that the OCE plans to continue its analysis of evolving trends in this space as more data becomes available with notable observations made available in future Research Notes.
NASCUS Summary of CFPB Request for Information Regarding the Collection, Use, and Monetization of Consumer Payment and Other Personal Financial Data
January 15, 2025
Docket No. CFPB-2025-0005
The Consumer Financial Protection Bureau (CFPB) is seeking comments from the public to better understand how companies that offer or provide consumer financial products or services collect, use, share, and protect consumers’ personal financial data.
Comments in response to the Request for Information (RFI) must be received by April 11, 2025. The RFI can be found here.
Summary
- The CFPB has studied how consumer financial data is being used and has observed that business practices have deviated significantly from consumer expectations regarding use of their personal data. The Bureau does not believe that consumers appreciate all of the ways that financial companies are collecting their data or how it can be sold.
- The CFPB issued this Request for Information (RFI) seeking comments from the public on how companies that offer or provide consumer financial products or services collect, use, process, transmit, share, store, aggregate, sell or otherwise generate insights from or act upon consumer data.
- The Bureau is particularly interested in hearing from individuals, social services organizations, consumer rights/advocacy organizations, legal aid attorneys, academics and researchers, small businesses, financial institutions, and State/local government officials.
- The Bureau welcomes stakeholders to submit data and information about the ways companies that offer or provide consumer financial products or services collect, use, and share consumer data including those companies subject to the GLBA and Regulation P.
- The RFI includes 15 questions that stakeholders may answer. However, the Bureau is interested in any comments received related to consumer data that financial companies collect.
NCUA Letter to Credit Unions 25-CU-02
Cyber Incident Notification Requirements Update to letter 23-CU-07
NASCUS Legislative and Regulatory Affairs
January 13, 2025
The NCUA issued its second letter to credit unions of 2025, LTCU 25-CU-02. The letter provides an update to LTCU 23-CU-07 Cyber Incident Notification Requirements. NASCUS’ summary of the Cyber Incident Notification final rule can be found here and a summary of LTCU 23-CU-07 here.
LTCU 25-CU-02 includes two previous methods for reporting a cyber incident to the NCUA as well as a new secure web form for reporting:
- Via phone at 1-833-CYBERCU (1.833.292.3728) and leave a voicemail;
- Via the NCUA Secure Email Message Center with a secure email to [email protected]; or
- Completion of the Cyber Incident Credit Union Reporting System online form.
The letter also reminds credit unions of the agency’s cybersecurity information and resources and provides an updated Cyber Incident Reporting Quick Reference Guide.
Letter to Credit Unions 25-CU-01: NCUA’s 2025 Supervisory Priorities
NASCUS Legislative and Regulatory Affairs
January 8, 2025
On January 7, 2025, the NCUA issued Letter to Credit Unions 25-CU-01 outlining the agency’s supervisory priorities and other updates to its examination program for 2025. The priorities focus on the areas the NCUA believes pose the highest risk to credit union members, the industry, and the NCUSIF.
Supervisory Priorities for 2025
Credit Risk
Credit risk remains a top priority for 2025. NCUA notes loan growth slowed in 2024 while overall delinquencies and charge-offs increased. Credit card and used auto loan portfolios are seeing the highest levels of delinquency and charge-off since the 2008 financial crisis. To address this, the letter indicates examiners will continue to review credit union lending and risk-management practices. Specific focus will be on:
- Credit unions’ underwriting standards;
- Collection programs;
- Allowance for Credit Loss reserves;
- Charge-off practices;
- Management and board reporting;
- Management of risk concentrations; and
- Third-party risk management practices.
The NCUA encourages credit unions to work with borrowers facing financial difficulties and provides a list of resources and guidance to assist in managing credit risk.
Balance Sheet Management and Risk to Earnings and Net Worth
Due to the rise in interest rates over the last few years, credit union costs of funds increased faster than the returns on loans and investments, impacting net interest margins. NCUA will evaluate credit unions’ earnings and net worth risk-management framework by weighing the current and prospective sources of earnings and the composition of net worth relative to a credit union’s approved plans and thresholds. Examiners will also continue to consider liquidity sources. The letter also lists liquidity resources and guidance, earnings resources and guidance, and resources on net worth and capital adequacy.
Cybersecurity
Unsurprisingly, Cybersecurity remains a top priority, as cybercriminals and their attacks become more sophisticated. The NCUA indicates they will continue to use the information security examination procedures to assess credit union programs and will continue to support the voluntary use of the ACET tool. The letter also encourages credit unions to visit the NCUA’s Cybersecurity Resources webpage. Lastly, credit unions are reminded of their obligations under the Cyber Incident Notification requirements.
Consumer Financial Protection
NCUA has indicated they will continue to place significant emphasis on credit union compliance with consumer financial protection laws and regulations during examinations. It is noted that examiners will particularly focus on:
- Overdraft programs;
- Fair Lending;
- Home Mortgage Disclosure Act (HMDA) and Regulation C;
- Military Lending Act; and
- Electronic Funds Transfer Act (EFTA) and Regulation E.
It is not surprising to see overdraft programs on the top of this list given NCUA’s recently issued LTCU 24-CU-03 in which the agency highlights risks associated with certain overdraft and NSF practices.
Other Updates
While not specifically addressed as supervisory priorities the letter addresses an update to its exam flexibility initiative in 2025, providing an extended exam cycle for credit unions with over $1 billion in assets. Credit unions in this asset range rated a CAMELS composite 1 or 2 with no change in the CEO since the last examination will now be eligible for a 12–16-month exam cycle. Additionally, the extended exam cycle for eligible federal credit unions will be shortened from 14-20 months to 14-18 months.
The NCUA indicates it will continue conducting the defined Small Credit Union Exam Program for most credit unions with assets of $50 million or less, and risk-focused examination procedures for all others. The letter also notes credit unions will need to remain aware of the Bank Secrecy Act/Anti-Money Laundering/Countering the Financing of Terrorism regulations and requirements.
Minority Depository Institution (MDI) Preservation Program
Finally, the letter states the agency recognizes the importance of MDIs and is committed to supporting the ongoing success of MDIs, including the need to support some MDIs more or differently. It further states that examinations will consider the “unique strategies and member needs of MDI credit unions.”
NASCUS Summary re: CFPB Circular 2024-07: Design, marketing and administration of credit card rewards programs
December 18, 2024
The Bureau issued CFPB Circular 2024-07 to answer the following question: Can credit card issuers violate the law if they or their rewards partners devalue earned rewards or otherwise inhibit consumers from obtaining or redeeming promised rewards?
Response:
Yes. Covered persons that offer, provide or operate credit card rewards programs (and their service providers) may violate the prohibition against unfair, deceptive or abusive acts or practices under a variety of circumstances. The circular provides examples.
Analysis:
The Consumer Financial Protection Act (CFPA) prohibits any “covered person” or “service provider” from “committing or engaging in an unfair, deceptive, or abusive act or practice under Federal law in connection with the offering of a consumer financial product or service.” An act or practice is unfair when (i) it causes or is likely to cause substantial injury to consumers that is not reasonably avoidable by consumers and (ii) such injury is not outweighed by countervailing benefits to consumers or to competition. Substantial injury includes monetary harm, and may be based on likely rather than actual injury. Under the CFPA, a representation, omission, or practice is deceptive if it is likely to mislead a reasonable consumer and is material.
The CFPB is issuing this circular to underscore that the CFPA’s prohibition on unfair or deceptive acts or practices applies to the design, marketing, and administration of credit card rewards programs. Rewards program operators may violate this prohibition in a variety of circumstances regardless of whether they are taking actions consistent with rewards programs terms. In particular, rewards program operators risk committing unfair or deceptive acts or practices when (i) rewards that consumers have already earned are devalued; (ii) consumers’ receipt of rewards is revoked, cancelled, or prevented based on buried or vague conditions; and (iii) rewards points are deducted without consumers receiving the corresponding benefit of the rewards.
NASCUS Summary re: CFPB Executive Summary on Residential PACE Financing Final Rule
December 2024
The Consumer Financial Protection Bureau (CFPB) issued a final rule on Residential Property Assessed Clean Energy (PACE) financing. The final rule clarifies that PACE transactions are considered “credit” under TILA and Regulation Z and that the requirements under TILA/Regulation Z will generally apply to covered PACE transactions. The final rule becomes effective on March 1, 2026.
Summary:
- The rule defines PACE transactions as financing to cover the costs of home improvements that result in a tax assessment on the real property of the consumer. Covered PACE transactions are voluntary transactions repaid through the property tax system alongside the consumer’s other property tax payment obligations.
- The rule provides two exemptions:
  - The rule exempts PACE transactions from the Higher-Priced Mortgage Loans (HPML) escrow rule.
  - The rule exempts PACE transactions from periodic statement requirements in the Mortgage Servicing Rule.
Ability to Repay Requirements
- The rule requires creditors and PACE companies substantially involved in making credit decisions to apply the existing ability-to-repay requirements to PACE transactions. Specifically, the rule requires creditors and PACE companies to:
  - Make a reasonable and good faith determination of a consumer’s ability to repay at or before consummation of a covered mortgage loan;
  - Consider the eight required factors in making the repayment ability determination; and
  - Verify the information relied on in determining a consumer’s repayment ability using reasonably reliable third-party records.
TILA/RESPA Integrated Disclosure Requirements
- The rule adds a model Loan Estimate and Closing Disclosure for use with PACE transactions.
- The rule also includes certain modifications, clarifications and exemptions related to disclosures in the Loan Estimate and Closing Disclosure requirements to account for the uniqueness of PACE transactions.
NASCUS Summary re: CFPB Executive Summary on Overdraft Lending Fees
December 2024
The Consumer Financial Protection Bureau issued a final rule that amends Regulations Z and E to ensure that extensions of overdraft credit offered by very large financial institutions adhere to the consumer protections required of similarly situated products unless an exception applies. The final rule will take effect on October 1, 2025.
Summary
Under the Final Rule, Regulation Z will generally apply to all consumer overdraft credit provided by very large institutions unless it is provided at or below the institution’s costs and losses related to the overdraft credit. The overdraft fee rule applies to banks/credit unions with more than $10 billion in assets.
The rule defines “overdraft credit” as credit that includes consumer credit extended by a financial institution to pay a transaction from a checking or other transaction account (other than a prepaid account) held at the financial institution when a consumer has insufficient or unavailable funds in the account.
In addition, the final rule updates two regulatory exceptions from the definition of finance charge.
- The rule updates an exception that provides that a charge for overdraft is not a finance charge if the financial institution has not previously agreed in writing to pay items that overdraw an account. The rule updates this exception by limiting it to only overdraft credit that is provided at or below costs and losses.
- The final rule updates a related exception that provides that a charge imposed in connection with an overdraft credit feature is not a finance charge, if the charge does not exceed the charge for a similar transaction account without a credit feature. The rule updates this provision by clarifying what is and is not a comparable charge.
The rule applies additional requirements to covered overdraft credit offered by a very large financial institution. The final rule also:
- Prohibits compulsory use of preauthorized transfers;
- Requires covered overdraft credit to be structured as a separate credit account; and
- Applies CARD Act provisions to hybrid debit-credit cards.
The new rule will provide institutions the following options with regard to overdraft fees:
- Cap the overdraft fee at $5: This amount is considered sufficient to cover the estimated costs associated with administering a courtesy pay program.
- Cap the fee at an amount that covers costs and losses: Allows institutions to set the fee based on the actual costs/losses related to the service.
- Treat overdraft like other loans and require terms disclosure: Allows institutions to earn a profit from providing the service. This would require institutions to: (i) provide consumers the option of opening an overdraft line of credit; (ii) provide consumers with account opening disclosures; (iii) provide consumers with periodic statements; and (iv) provide consumers with the option to pay automatically or manually.
The Bureau issued an Executive Summary of the final rule, which can be found at https://files.consumerfinance.gov/f/documents/cfpb_executive-summary-overdraft-lending-final-rule_2024-12.pdf. A NASCUS summary is in progress.
The rule will take effect on October 1, 2025.
Agencies Issue Guidance on Elder Financial Exploitation
December 18, 2024
On December 4, 2024, the six federal banking agencies and the state financial regulators issued a statement titled “Interagency Statement on Elder Financial Exploitation” to provide supervised institutions examples of risk management and other practices that can be effective in identifying, preventing, and responding to elder financial exploitation (EFE).
FinCEN previously issued a financial trend analysis specific to EFE. NASCUS summarized the analysis here. Additionally, the US Department of Treasury’s 2024 National Money Laundering Risk Assessment described EFE as a growing money laundering threat.
The Agencies’ statement and accompanying Appendices provide a list of resources issued by federal and state agencies on the topic of EFE. This does not replace previous guidance on this topic but is meant to raise awareness and provide strategies to supervised institutions for combating EFE.
Included in the statement are nine examples of risk management and other practices that supervised institutions can consider adopting as they work to combat EFE. These examples are not new and are addressed in previous guidance.
- Governance and Oversight
  - Policies and procedures to better protect account holders and the institution;
  - Enhance or create risk-based policies, internal controls, employee codes of conduct, ongoing transaction monitoring, and complaint management processes.
- Employee Training
  - Identifying red flags for different types of exploitation;
  - Proactive approaches for detecting and preventing EFE; and
  - Detailing actions for employees to take when they have concerns.
- Using Transaction Holds and Disbursement Delays
  - Implementing policies and procedures in conjunction with state law and regulations when there is a suspected case of EFE.
- Using Trusted Contacts
  - Establish policies and procedures that enable account holders to designate one or more trusted contacts that employees can contact when EFE is suspected;
  - Develop clear and effective processes for when and how to disclose account holder information while also maintaining confidentiality.
- Filing SARs Involving Suspected EFE
  - Consider filing SARs voluntarily for suspected EFE cases that do not meet the mandatory SAR filing requirements;
  - Consider how to detect and identify possible red flag indicators of EFE.
- Reporting to Law Enforcement, Adult Protective Services (APS), and/or Other Entities, as appropriate
  - Implement a policy for reporting to appropriate authorities if the state is a mandatory reporting state;
  - For institutions not in a mandatory reporting state, the institutions could develop processes for voluntarily reporting to relevant state or local authorities; and
  - Consider establishing procedures for referring potential victims of EFE to the Department of Justice’s National Elder Fraud Hotline (833.372.8311), FTC, the FBI’s IC3, USPIS, Social Security Administration, and other agencies.
- Providing Financial Records to Appropriate Authorities
  - Develop a process for expediting supporting information and documentation to law enforcement agencies.
- Engaging with Elder Fraud Prevention and Response Networks
  - Consider partnerships with various networks, community education, etc.
- Consumer Outreach and Awareness
  - Consider various means of consumer outreach, information on trending scams and ways to avoid them, and potential training for consumers on what to look for in various scams.
Appendix A: Elder Financial Exploitation Resources from Government Agencies
- Appendix A includes an extensive list of reports, research, and recommendations from the agencies as well as a list of federal resources for supervised institutions that may be shared with consumers.
NCUA Letter to Credit Unions 24-CU-03
Consumer Harm Stemming from Certain Overdraft and Non-Sufficient Funds Fee Practices
NASCUS Legislative and Regulatory Affairs Department
December 10, 2024
The NCUA Board has issued its third letter to credit unions of 2024, LTCU 24-CU-03 Consumer Harm Stemming from Certain Overdraft and Non-Sufficient Funds Fee Practices.
The NCUA has shown an increased focus on consumer protection in recent years. The Agency notes it is issuing this letter to highlight the risks associated with certain overdraft and NSF fee practices while providing resources to assist credit unions in managing and mitigating these risks. The letter also describes how the Agency will approach such fees from a supervisory perspective and further outlines its expectations of credit unions in responding to the associated risks.
Background
In 2022 the NCUA requested information about federal credit union overdraft programs, policies, and procedures, and in 2023 and 2024 examiners expanded the review of federal credit union overdraft programs and evaluated adjustments credit unions made to their programs to address risk and potential harm to members. Additionally, examinations of federal credit unions in 2023 and 2024 identified the presence of certain overdraft and NSF fee practices that “may create heightened risk exposure.”
Unanticipated Overdraft Fees
Unanticipated overdraft fees occur when a credit union assesses overdraft fees on transactions that a member would not expect to give rise to such fees. The letter further addresses several types of overdraft and NSF fees and cautions against policies that permit these fees, as they would likely violate the Federal Trade Commission Act (FTC Act) and the Consumer Financial Protection Act of 2010 (CFPA) as unfair or deceptive practices:
- Authorize Positive, Settle Negative Overdraft Fees; and
- Multiple NSF Representment Fees.
Returned Deposited Item Fees
A Returned Deposited Item (RDI) is a check deposited into a member’s account that is returned to the member because the check could not be processed against the originator’s account.
Other Overdraft or NSF Practices
Some additional practices highlighted by the Agency that may present heightened risk include:
- High or no daily limits on the number of fees assessed;
- Insufficient or inaccurate fee disclosures; and
- Ordering transactions to maximize fees.
Risk Management Principles
If a credit union provides overdraft programs or charges NSF fees, the NCUA states that the credit union should:
- Closely analyze all aspects of the credit union’s overdraft and NSF fee practices, including opt-in disclosures, website advertising, and other information provided to members specific to overdraft and NSF;
- Review recent regulatory developments regarding unanticipated overdraft and NSF fees;
- Consider member impact;
- Track and analyze related member-complaint activity;
- Monitor and take action to mitigate reputation, consumer compliance, third-party, and legal risk; and
- Consult legal counsel regarding consumer compliance responsibilities and associated risks.
It is important to highlight that the NCUA specifically states in the letter, “Mitigation strategies should include discontinuing policies related to charging overdraft, NSF, and other related fees that members cannot reasonably anticipate and avoid.”
NCUA’s Supervisory Approach
While the NCUA states they do not expect credit unions to stop offering overdraft programs to assist members, it will continue to review credit union overdraft programs. If examiners identify violations of laws or regulations due to unanticipated fee practices, the agency will evaluate appropriate supervisory or enforcement actions, including restitution to harmed consumers.
The letter also states that the NCUA will recognize efforts to self-identify and correct violations noting that examiners will generally not cite or pursue action if a credit union has self-identified and fully corrected issues before the start of an examination.
LTCU 24-CU-03 applies to federally insured credit unions, including federally insured state-chartered credit unions (FISCUs). It is important for FISCUs to also work with their appropriate state supervisory authority when evaluating overdraft and NSF practices.
NASCUS Summary re: CFPB Executive Summary on Personal Financial Data Rights Final Rule
Nov 2024
The Bureau issued a proposed rule and request for comments in October 2023 regarding implementation of Section 1033, pertaining to consumers’ personal financial data rights, under the Consumer Financial Protection Act (CFPA). The Bureau issued a finalized rule in October 2024.
The Bureau’s Executive Summary can be found here.
Summary
The final rule requires data providers to make covered data regarding covered financial products and services available to consumers and authorized third parties in an electronic form, subject to a number of requirements. The rule also sets forth criteria a third party must satisfy in order to be an authorized third party, including certifying it will satisfy certain obligations regarding the collection, use and retention of covered data.
Covered Entities: Data Providers
The rule defines data providers as those that control and possess covered data concerning a covered consumer financial product or service obtained from the data provider. That would include financial institutions, card issuers, or any other person that controls or possesses information concerning a covered consumer financial product or service. Depository institutions that hold total assets at or below the Small Business Administration (SBA) size standard are not required to comply with the final rule.
Covered Consumer Financial Products/Services
Under the final rule, a “covered consumer financial product or service” can be one or more of the following:
- Regulation E accounts
- Regulation Z credit card accounts
- Facilitation of payments from a Regulation E account or Regulation Z credit card excluding products/services that merely facilitate first party payments.
Making Covered Data Available
The final rule requires that a data provider make available to a consumer or authorized third party, upon request, covered data in the data provider’s control or possession concerning a covered consumer financial product or service that the consumer obtained from the data provider. Data providers are prohibited from taking steps to evade the requirements, including actions that are likely to make the covered data they provide unusable or are likely to prevent, interfere with, or materially discourage a consumer or third party from accessing covered data.
Covered Data is defined as:
- Transaction information
- Account balance information
- Information to initiate payment to or from a Regulation E account
- Terms and conditions
- Upcoming bill payment information
- Basic account verification information
The following information does not fall into the category of “covered data” and data providers are not required to provide this information:
- Confidential commercial information
- Information collected by the data provider for the sole purpose of preventing fraud or money laundering, or detecting or making any report regarding other unlawful or potentially unlawful conduct
- Information required to be kept confidential by any other provision of law
- Any information that the data provider cannot retrieve in the ordinary course of its business with respect to that information.
Data Access Requirements
The final rule requires a data provider to receive requests for covered data in electronic form from consumers and third parties and to make covered data available in electronic form in response to the requests. The rule does not require a data provider to use any particular technology to satisfy these requirements. However, the rule does impose the following requirements regarding how a data provider must be able to receive such requests and make covered data available in response to them:
- Standardized format – covered data must be made available in a standardized and machine-readable format.
- Commercially reasonable performance – a data provider’s interface for receiving requests from and making covered data available to authorized third parties must perform at a commercially reasonable level.
- Access caps – a data provider must not unreasonably restrict the frequency with which it receives or responds to requests for covered data through its data interface. Any frequency restrictions must be applied in a manner that is non-discriminatory and consistent with the reasonable written policies and procedures that the data provider establishes and maintains pursuant to the final rule.
- Access credentials – a data provider must not allow a third party to access covered data using credentials that a consumer uses to access data electronically (i.e., the consumer’s own login credentials); third-party access must be through the data provider’s interface rather than by signing in as the consumer.
- Security program – a data provider must apply an information security program that satisfies the applicable rules under the Gramm-Leach-Bliley Act. If the data provider is not subject to the Gramm-Leach-Bliley Act, the program must satisfy the Federal Trade Commission’s Standards for Safeguarding Customer Information.
The rule also prohibits data providers from imposing any fees or charges on a consumer or third party in connection with receiving an electronic request for access to covered data.
Denial of Data Access
A data provider does not violate the general obligation to make covered data available by denying a consumer or third-party access to its data interface if the following two conditions are met:
- Granting access would be inconsistent with policies/procedures reasonably designed to comply with (i) safety and soundness standards of the data provider’s prudential regulator or (ii) other applicable laws and regulations regarding risk management.
- The denial is reasonable, meaning it must be directly related to a specific risk of which the data provider is aware and must be applied in a consistent and non-discriminatory manner.
A data provider can deny access to a third party if:
- The third party does not present any evidence that its data security practices are adequate to safeguard the covered data; or
- The third party does not make the following information available to the data provider and readily identifiable to members of the public: its legal name; any assumed name it is using while doing business with the consumer; a link to its website; its Legal Entity Identifier (LEI); and contact information a data provider can use to inquire about the third party’s data security and compliance practices.
Responding to Requests
- The rule requires a data provider to make covered data available through its interface to a consumer when it receives information sufficient to authenticate the identity of the consumer and identify the scope of the data requested.
- The final rule requires a data provider to make covered data available through its interface to a third party when it receives information sufficient to (i) authenticate the identity of the consumer who authorized the third party to access covered data, (ii) authenticate the third party’s identity, (iii) document that the third party has followed the authorization procedures, and (iv) identify the scope of the data requested.
- A data provider is not required to make covered data available in response to a request when:
- The data are withheld because an exception applies
- The data are not in the data provider’s control or possession
- The data provider receives the request when its data interface is not available
- The request is from a third party and the consumer’s authorization is no longer valid
- The data provider has not received information sufficient to trigger the obligation to make covered data available in response to the request.
- A data provider must provide a reasonable method for a consumer to revoke a third party’s authorization to access the consumer’s covered data, provided the method does not violate the prohibition against evasion.
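The request-handling conditions above (both parties authenticated, a valid authorization that has not been revoked or expired, a scope that is identified and within what the consumer authorized, data withheld under an exception or not in the provider’s possession, and no use of the consumer’s own credentials by the third party) can be written down as one decision routine. The following Python block is an added illustration and is not part of the NASCUS summary or the CFPB rule text; the class and field names, the category labels, the credential-kind labels and the sample records are assumptions constructed for demonstration, and a real data interface would back these checks with its own token issuance, authorization records and logging.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Covered-data categories as listed in the summary (constructed labels, an assumption).
COVERED_CATEGORIES = frozenset({
    "transactions", "balances", "payment_initiation",
    "terms_and_conditions", "upcoming_bills", "account_verification",
})


@dataclass(frozen=True)
class Authorization:
    """Record the data provider keeps of a consumer's authorization of a third party."""
    consumer_id: str
    third_party_id: str
    data_provider_id: str
    scope: frozenset             # categories the consumer authorized
    last_reauthorized: datetime  # timezone-aware timestamp of the most recent (re)authorization
    revoked: bool = False


@dataclass(frozen=True)
class ThirdPartyRequest:
    consumer_id: str
    third_party_id: str
    requested_scope: frozenset
    credential_kind: str         # "third_party_token" or "consumer_login" (assumed labels)
    consumer_authenticated: bool
    third_party_authenticated: bool


@dataclass(frozen=True)
class ProviderState:
    provider_id: str
    interface_available: bool
    held_categories: frozenset      # data in the provider's control or possession
    excepted_categories: frozenset  # data withheld under an exception (e.g. fraud-only data)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    categories: frozenset = frozenset()


def one_year_after(dt: datetime) -> datetime:
    """One calendar year after dt; Feb 29 rolls to Feb 28 of the next year."""
    try:
        return dt.replace(year=dt.year + 1)
    except ValueError:
        return dt.replace(year=dt.year + 1, day=28)


def evaluate(req: ThirdPartyRequest, auth, state: ProviderState, now: datetime) -> Decision:
    """Decide whether covered data may be released for a third-party request."""
    if not state.interface_available:
        return Decision(False, "interface_unavailable")
    # A third party may not access data with the credentials the consumer uses.
    if req.credential_kind != "third_party_token":
        return Decision(False, "consumer_credentials_not_permitted")
    if not req.consumer_authenticated:
        return Decision(False, "consumer_not_authenticated")
    if not req.third_party_authenticated:
        return Decision(False, "third_party_not_authenticated")
    if auth is None or auth.revoked:
        return Decision(False, "authorization_not_valid")
    # The authorization must bind this consumer, this third party and this provider.
    if (auth.consumer_id, auth.third_party_id, auth.data_provider_id) != (
        req.consumer_id, req.third_party_id, state.provider_id
    ):
        return Decision(False, "authorization_mismatch")
    # Collection may not continue past one year after the most recent reauthorization.
    if now > one_year_after(auth.last_reauthorized):
        return Decision(False, "authorization_expired")
    if not req.requested_scope:
        return Decision(False, "scope_not_identified")
    if not req.requested_scope <= COVERED_CATEGORIES:
        return Decision(False, "uncovered_category_requested")
    if not req.requested_scope <= auth.scope:
        return Decision(False, "scope_exceeds_authorization")
    # Withhold data the provider does not hold or that falls under an exception.
    releasable = (req.requested_scope & state.held_categories) - state.excepted_categories
    if not releasable:
        return Decision(False, "nothing_releasable")
    return Decision(True, "ok", releasable)


# Constructed sample scenario (fictional identifiers, not real institutions or consumers).
NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)
SAMPLE_STATE = ProviderState("dp-001", True, COVERED_CATEGORIES, frozenset({"account_verification"}))
SAMPLE_AUTH = Authorization("cons-42", "tp-7", "dp-001",
                            frozenset({"transactions", "balances"}),
                            datetime(2026, 1, 15, tzinfo=timezone.utc))


def sample_decisions() -> dict:
    """Run evaluate() over a few constructed requests; returns the reason code per case."""
    base = dict(consumer_id="cons-42", third_party_id="tp-7",
                requested_scope=frozenset({"transactions"}),
                credential_kind="third_party_token",
                consumer_authenticated=True, third_party_authenticated=True)
    cases = {
        "valid": ThirdPartyRequest(**base),
        "consumer_login": ThirdPartyRequest(**{**base, "credential_kind": "consumer_login"}),
        "too_broad": ThirdPartyRequest(**{**base, "requested_scope":
                                          frozenset({"transactions", "payment_initiation"})}),
    }
    return {name: evaluate(r, SAMPLE_AUTH, SAMPLE_STATE, NOW).reason for name, r in cases.items()}


if __name__ == "__main__":
    for name, reason in sample_decisions().items():
        print(f"{name}: {reason}")
```

The checks are ordered so that the cheapest and most security-relevant refusals (interface down, consumer credentials presented by a third party, unauthenticated parties) come before any lookup of the authorization record, and every refusal returns a reason code that the provider can write to the denial records the rule requires it to keep.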
Making Information About the Data Provider Readily Identifiable
The rule requires data providers to make certain information readily identifiable to members of the public and available in both human-readable and machine-readable formats. This includes the data provider’s legal name, any assumed name it is using while doing business with the consumer, a link to its website, its LEI, contact information that enables a consumer or third party to receive answers to questions about accessing covered data pursuant to the final rule, and documentation sufficient for a third party to electronically access covered data pursuant to the final rule.
In addition, each month, the data provider must disclose to the public certain information about its data interface’s response rate to authorized third party requests for covered data in the previous calendar month.
Policies, Procedures and Recordkeeping for Data Providers
The final rule requires a data provider to have written policies/procedures that are reasonably designed to ensure the data provider:
- Creates a record of what covered data in its control or possession are not made available to authorized third parties through the data provider’s interface pursuant to an exception, and the reasons the exception applies.
- Creates certain records when it denies an authorized third party’s request for access to the data provider’s interface or a request for information and provides certain information regarding the denial.
- Accurately makes covered data available to an authorized third party through its data interface.
- Retains records to reflect compliance with the final rule
A data provider must periodically review these policies and procedures and update them as appropriate. Policies and procedures must be appropriate to the size, nature, and complexity of the data provider’s activities.
Authorized Third Parties, Authorization Procedures, and Authorization Disclosures
- The final rule requires a data provider to make covered data available to the consumer about whom the data pertains or to an authorized third party.
- To become an authorized third party, a third party must seek access to covered data from a data provider (on behalf of a consumer) and must follow the authorization procedures set out in the final rule. Specifically, the third party must:
- Provide the consumer with an authorization disclosure
- Provide a statement to the consumer in the authorization disclosure certifying that the third party agrees to certain obligations
- Obtain the consumer’s express informed consent to access covered data on behalf of the consumer by obtaining an authorization disclosure that is signed by the consumer electronically or in writing.
- The authorization disclosure must include the following:
- The name of the third party
- The name of the data provider that controls or possesses the covered data that the third party seeks to access
- A brief description of the product/service the consumer has requested and a statement that the third party will collect, use and retain the consumer’s data only as reasonably necessary to provide that product/service to the consumer
- The categories of data that will be accessed
- A statement certifying that the third party agrees to certain obligations set forth in the final rule
- A brief description of the expected duration of data collection and a statement that collection will not last longer than one year after the consumer’s most recent reauthorization
- A description of the method that the consumer may use to revoke authorization
Third Party Obligations
Third parties are required to provide a statement to a consumer certifying that the third party will satisfy the following obligations:
- The third party will limit its collection, use and retention of covered data to what is reasonably necessary to provide the consumer’s requested product/service.
- The third party will limit the duration of collection of covered data (per authorization) to a maximum period of one year. To continue collection, a new consumer authorization must be obtained.
- The third party will have written policies/procedures that are reasonably designed to ensure that covered data are accurately received from a data provider and accurately provided to another third party, if applicable.
- The third party will apply an information security program to its systems for the collection, use and retention of covered data. In most cases this would be the program required under the Gramm-Leach-Bliley Act. However, if the third party is not subject to the Gramm-Leach-Bliley Act, the program would be required to comply with the Federal Trade Commission’s Standards for Safeguarding Customer Information.
- The third party will ensure that consumers are informed about the third party’s access to covered data.
- The third party will provide the consumer with a method to revoke the third party’s authorization.
- The third party will have written policies/procedures that are reasonably designed to ensure retention of records that are evidence of compliance with the final rule for a reasonable period of time.
Use of Data Aggregators
The final rule allows data aggregators to perform consumer authorization procedures on behalf of third parties seeking access to covered data. However, the third party seeking the authorization remains responsible for compliance with the authorization procedures.
A data aggregator performing the authorization procedures on behalf of a third party is required to certify to the consumer that it will satisfy the third party obligations required under the final rule.
Effective and Compliance Dates
The final rule will become effective 60 days after publication in the Federal Register. However, compliance with the rule is not required at that time. A data provider must determine which compliance date is applicable based on its status as a depository or non-depository institution and its size (measured either by total assets for depository institutions or by total receipts for non-depository institutions).
The five possible compliance dates and applicable thresholds are provided below:
- April 1, 2026
- Applicable to depository institutions with at least $250 billion in total assets (based on an average of Q3 2023 through Q2 2024 call report submissions)
- Applicable to non-depository institutions that generated at least $10 billion in total receipts in either calendar year 2023 or calendar year 2024
- April 1, 2027
- Applicable to depository institutions with at least $10 billion in total assets but less than $250 billion in total assets (based on an average of Q3 2023 through Q2 2024 call report submissions).
- Applicable to non-depository institutions that did not generate $10 billion or more in total receipts in either calendar year 2023 or calendar year 2024.
- April 1, 2028
- Applicable to depository institutions with at least $3 billion in total assets but less than $10 billion in total assets (based on an average of Q3 2023 through Q2 2024 call report submissions).
- Not applicable to non-depository institutions
- April 1, 2029
- Applicable to depository institutions with at least $1.5 billion in total assets but less than $3 billion in total assets (based on an average of Q3 2023 through Q2 2024 call report submissions).
- Not applicable to non-depository institutions
- April 1, 2030
- Applicable to depository institutions with less than $1.5 billion in total assets but more than $850 million in total assets (based on an average of Q3 2023 through Q2 2024 call report submissions).
- Not applicable to non-depository institutions