On January 8, the Consumer Financial Protection Bureau (CFPB) officially recognized Financial Data Exchange, Inc. (FDX) as the first standard-setting body under the Personal Financial Data Rights promulgated rule under Section 1033 of the Dodd-Frank Act. This rule, released in October 2024, requires depository and nondepository entities to make available to consumers and authorized third parties certain data relating to consumers’ accounts, establish obligations for third parties accessing a consumer’s data, and provide basic standards for data access.
Background of Standard-Setting Efforts
As discussed here, in March 2024, current CFPB Director Rohit Chopra emphasized the importance of standard-setting organizations in ensuring an open and interoperable banking system. He highlighted the need for these organizations to avoid anti-competitive practices that could benefit dominant firms. Director Chopra outlined the CFPB’s intention to set industry standards, including data sharing protocols, under the proposed Personal Financial Digital Rights rule.
In June 2024, the CFPB finalized a rule which detailed the qualifications for becoming a recognized industry standard setter body, including openness, transparency, balanced decision-making, consensus, due process and appeals. By September 2024, as discussed here, the CFPB had initiated a public comment process for the first application from an organization seeking recognition as an open banking standard-setter, submitted by FDX.
FDX’s Approval
The CFPB’s approval order was based on the CFPB’s assessment of FDX’s application, FDX’s practices and procedures, and additional FDX documentation, including the organization’s certificate of incorporation and bylaws as well as comments received from interested parties following publication of FDX’s application. FDX’s approval is subject to several conditions aimed at ensuring transparency, fairness, and the prevention of conflicts of interest:
- Ban on “Pay-to-Play” Practices: FDX must develop standards without financial incentives that could advantage certain market players. FDX is required to ensure that the organization and its staff do not have any side arrangements that skew its financial incentives toward particular entities.
- Mandatory Reporting: FDX is required to report to the CFPB on market use of its standards and/or maintain a publicly available resource for companies to disclose their use of standards for the benefit of open banking participants, regulators, and the public.
- Transparency and Availability: FDX must make its consensus standards freely available to the public, subject to reasonable safeguards, and ensure non-members have the same access as members. FDX must also make its standards development and issuance processes publicly available.
Some other notable provisions of the CFPB’s approval order include:
- FDX is not permitted to represent that the CFPB has endorsed FDX or use the CFPB’s logo in any marketing of its role as a standard-setter.
- No pre-existing standards may be used by FDX as a consensus standard under the rule. Instead, the CFPB states that only standards adopted during the recognition period can be considered a consensus standard under the rule, although standards originally adopted by FDX prior to CFPB recognition may be approved using a board approval process.
FDX’s recognition is valid for five years through January 8, 2030. The CFPB states that it is currently evaluating other applications for recognition, although the only other application which appears on the CFPB website is from the Digital Governance Standards Institute.