CFPB’s Final Open Banking Rule: What Financial Institutions Need to Know
Disclaimer: The information provided does not constitute legal advice and is intended for information only. Information provided is contextual to the time it was issued and can change.
Our comprehensive analysis is typically exclusive to ETA members, but we’re making it available to all readers for a limited time. Read the complete analysis here.
The Consumer Financial Protection Bureau (CFPB) has recently finalized its long-anticipated open banking rule, creating a policy framework governing how consumers can authorize banks, data aggregators, and fintechs to share financial data in the United States. This comprehensive regulation, initially proposed in October 2023, aims to give consumers greater control over their financial data while promoting competition and innovation in financial services.
KEY COMPONENTS OF THE RULE
Who Must Comply?
The rule primarily affects three types of entities:
- Data Providers
  - Banks and depository institutions
  - Digital wallet providers
  - Payment facilitation services
  - Card issuers under Regulation Z
  - Other entities possessing covered financial information
- Authorized Third Parties
  - Fintech companies and other third parties authorized by consumers to access their financial data
  - Must follow specific requirements for data handling and consumer protection
- Data Aggregators
  - Third parties that can perform consumer-authorized actions on behalf of fintechs and authorized third parties
Notable Exemptions
- Small banks and credit unions with assets under $850 million
- Services that facilitate first-party payments (e.g., merchant or mortgage loan servicer payments to themselves)
What Data Can Be Shared?
The final rule allows the sharing of:
- Account balances
- Basic account verification data (name, address, email, phone)
- 24-month historical transaction activity
- Payment initiation data
- Scheduled payments and upcoming bills
- Terms and conditions, including:
  - Fees
  - Interest rates
  - Reward program terms
  - Overdraft coverage
  - Arbitration agreement details
Exclusions
Data providers are not required to share:
- Confidential commercial information
- Data collected solely for fraud prevention
- Information protected by other laws
- Data not retrievable in the ordinary course of business
Key Requirements and Obligations
For Data Providers:
- Must provide data in standardized, machine-readable format
- Cannot charge fees for data access
- Must maintain reasonable response rates
- Cannot unreasonably restrict data access frequency
- Must publicly disclose certain information
For Authorized Third Parties:
- Must obtain express informed consent from consumers
- Required to provide clear authorization disclosures
- Must limit data collection and use to necessary purposes
- Cannot use data for targeted advertising or cross-selling
- Must implement GLBA-compliant security programs
- Required to renew authorizations annually
- Must maintain written policies and procedures
- Required to provide data access information to consumers upon request
Implementation Timeline
The CFPB has established a staggered compliance schedule:
- April 1, 2026
  - Large depository institutions (≥$250 billion in assets)
  - Non-depository institutions with ≥$10 billion in total receipts (2023-24)
- Smaller institutions have extended deadlines through 2029
Legal Challenges
The rule has already faced legal opposition. The Bank Policy Institute, along with other banking associations, has filed a lawsuit challenging the rule on several grounds:
- Questions about CFPB’s statutory authority
- Concerns about implementation costs without fee recovery options
- Data security and liability concerns
- Issues with payment initiation requirements
- Concerns about private standard-setting delegation
- Timeline feasibility
Industry Implications
The final rule represents a significant shift in how financial data will be shared and managed in the U.S. financial system. While some institutions have already been preparing for these changes through existing open banking initiatives, others may face technical and operational challenges in achieving compliance.
While the regulation does not explicitly ban screen scraping, its requirements point toward more secure, standardized API-based data sharing methods. This transition, combined with comprehensive security requirements for non-bank entities, aims to create a more secure and efficient financial data ecosystem.
As the industry prepares for implementation, financial institutions must carefully evaluate their current data sharing practices and begin planning for the necessary technological and operational changes to meet these new requirements.
Political Impact
The implementation of this rule may be influenced by the election results. President-elect Trump will install a new Director at the CFPB who could significantly affect how, or even whether, this rule moves forward.
For more information about the CFPB’s Open Banking Rule and its implications for your business, please contact Scott Talbott, EVP, ETA.