On October 22, 2024, the Consumer Financial Protection Bureau (CFPB) marked a significant milestone in the shift towards open banking in the United States with the finalization of its rulemaking on Personal Financial Data Rights. As we discussed in our Legal Update on the October 2023 proposed rule, the final rule provides the long-awaited implementation of Section 1033 of the Dodd-Frank Act, enacted in 2010, and establishes a comprehensive regulatory framework to provide consumers—and their authorized third parties—with rights to receive structured, consistent and timely access to consumers’ personal financial data held by financial institutions and other financial services providers.

The 594-page final rule is intended to allow consumers to access and share data held by banks, credit unions, credit card issuers, digital wallets, payment apps and other financial service providers, with the goal of improving customer choice and increasing competition, while strengthening consumer protections by imposing limitations on authorized third parties’ collection, use and retention of consumers’ data. Financial institutions subject to the final rule could face a variety of compliance, operational and technical challenges as they build out the infrastructure necessary to comply with the final rule. For the largest financial institutions, which include depository institutions with total assets in excess of $250 billion and non-depository institutions that generated at least $10 billion in total receipts in either calendar year 2023 or calendar year 2024, compliance is required by April 1, 2026, with compliance by smaller covered institutions required in phases beginning April 1, 2027, through April 1, 2030.Continue Reading CFPB Issues Long-Awaited Open Banking Rule; Lawsuit Immediately Filed

Cyber threats to the financial services industry continue to increase. At the same time, regulatory requirements, litigation risk, contractual requirements and regulator expectations continue to grow. Please join us for a half-day Cybersecurity Awareness Month program that will highlight key recent cyber legal developments and tools that financial services companies can use to mitigate associated

On June 28, 2023, the New York Department of Financial Services (“NYDFS”) published updated proposed amendments to its cybersecurity regulation (the “2023 Proposal”) applicable to “covered entities.” These updated amendments come after comments from industry groups and other stakeholders to the NYDFS’s proposed revisions that were published on November 9, 2022. In Mayer Brown’s Legal

On January 20, 2022, the FTC continued its recent experiment in holding open meetings of its commissioners. The FTC did not vote on new initiatives; Chair Lina Khan is likely waiting for a third Democratic commissioner before pushing through her more controversial agenda. Public comments focused on two areas: possible anticompetitive conduct in the franchise

Last week — roughly 8 1/2 years after the CFPB published a letter to financial institutions promising to develop rules “expeditiously” — the CFPB held an information-gathering symposium on Section 1071 of the Dodd-Frank Act. Section 1071 amended the Equal Credit Opportunity Act to require that financial institutions collect and report information concerning credit applications made by women- or minority-owned businesses and by small businesses.

As we previously noted, once Section 1071 is implemented, institutions will be required to collect information regarding the race, sex, and ethnicity of the principal owners of small businesses and women- and minority-owned businesses. Collection of this information is designed to “facilitate enforcement of fair lending laws,” among other things. Applicants can refuse to provide required information, but the financial institution must retain the required demographic information that it collects and submit it to the CFPB. Section 1071 mandates that, where feasible, a financial institution’s underwriters, officers, employees, or affiliates involved in making credit determinations should not have access to this demographic information, and applicants must receive notice if those individuals do receive access to demographic information.

While the CFPB is responsible for drafting rules to implement Section 1071, it had not previously taken significant steps to meet that obligation other than reporting on some preliminary research it conducted in 2017. The CFPB had moved the Section 1071 rulemaking to “long-term” status. However, in its Spring 2019 rulemaking agenda, the CFPB indicated that it expected to resume pre-rulemaking activities related to Section 1071.
Continue Reading CFPB Holds Symposium on Dodd-Frank Section 1071; Outlines Plan in Court Documents

Mayer Brown offers its Global M&A Podcast Series as an easy way to stay up-to-date on the latest M&A trends globally—legal issues and other related, timely topics. Available on iTunes, each episode draws on the perspective that our lawyers have gained from doing deals in various regions around the world.

In a recent episode, partners

The Consumer Financial Protection Bureau issued final policy guidance on December 21, 2018, explaining how it will make available to the public data submitted by financial institutions under the Home Mortgage Disclosure Act (HMDA). The CFPB comprehensively revised HMDA reporting requirements in 2015, and extensive new data collection requirements became effective this year, with a reporting deadline of March 2019. With three months to go before that deadline, the CFPB could not have waited much longer to announce how it will publicly disclose the HMDA data while still protecting sensitive information.

Under the new HMDA requirements, reporting financial institutions must notify the public that the institutions’ data may be obtained on the CFPB’s website. The CFPB is then responsible for protecting applicant and borrower privacy, even as privacy risks evolve. The industry has expressed concern about the breadth of the data the CFPB will be collecting under the new HMDA reporting requirements, and about the increased reidentification risks that could arise upon making the data public (that is, the risk that someone could link an identified individual to his or her HMDA data). Commenters emphasized that if borrowers or applicants could be identified from the HMDA data, predators could target consumers for identity theft, fraudulently pose as the borrower’s lender, or otherwise misuse the data.

However, the CFPB declined to follow the commenters’ requests to exclude from the public all the new data required to be reported under the 2015 HMDA final rule. The CFPB recognized the inherent reidentification risk, but determined that the benefits of certain data disclosure outweigh that risk. The CFPB determined that most of the HMDA data is not sensitive and does not substantially facilitate reidentification or create a risk of harm. The CFPB reportedly employed a balancing test, requiring that HMDA data be excluded from public disclosure or modified when the release of the unmodified data would create risks to applicant and borrower privacy interests that are not justified by the benefits to the public of that release.

Accordingly, at least for 2018 data, the CFPB will modify the HMDA loan-level data to exclude the following fields:
Continue Reading CFPB Issues Final Guidance on Public Disclosure of HMDA Data

The California legislature was active in 2018, enacting several new requirements and provisions applicable to the financial services industry. Those requirements include an important and comprehensive privacy regime (the California Consumer Privacy Act of 2018, or CCPA), which establishes new protections for personal information that covered commercial enterprises collect. The CCPA becomes effective January 1,

The American Financial Services Association (AFSA) gathers for its 2018 Annual Meeting in Marina del Rey, California on October  21 – 24. Mayer Brown partner Jon Jaffe, of the firm’s Financial Services Regulatory Enforcement Group, will present for the AFSA Law Committee on Mortgage Lending – Hot Topics. He also will help

Five Mayer Brown attorneys in the Financial Services Regulatory & Enforcement group presented at the American Bar Association Business Law Section Annual Meeting in Boston last week.

Ori Lev spoke on a panel discussing the CFPB’s enforcement track record.  The panel addressed a study by Professor Chris Peterson of the S.J. Quinney College of Law