Prepare Now for Open Banking Rule Compliance

Subject to the Consumer Financial Protection Bureau’s final rule implementing Section 1033 of the Dodd-Frank Act? Don’t wait to act.

The Consumer Financial Protection Bureau (CFPB) finalized its rule to implement Section 1033 of the Dodd-Frank Act on October 22, 2024. Proposed in 2023, this “open banking rule” was designed to accelerate the shift to open banking and establish stronger financial data rights.

While a lawsuit has been filed, we recommend that all companies affected start preparing to comply now instead of waiting for the outcome of that suit and/or to see if any changes are made once the new administration is in place.


An overview of the final rule

The final rule requires covered financial institutions to provide consumers and authorized third parties with access to consumers’ personal financial data. This is expected to make it easier for consumers to switch to alternatives—jumpstarting competition and decentralization in banking and consumer finance.

In the rule, the CFPB has established that the term “data providers” applies to entities providing asset accounts subject to the Electronic Fund Transfer Act (EFTA) and Regulation E; credit cards subject to the Truth in Lending Act (TILA) and Regulation Z; and related payment facilitation products and services such as digital wallets.

It mandates that “data providers” safely share financial data from:

  • Regulation E accounts, including checking accounts, savings accounts, and digital wallets
  • Regulation Z accounts, including credit cards and “buy now, pay later” products (which were reaffirmed in the final rule to fall within this category, subjecting them to the requirements) [1]
  • Payment facilitation products including digital wallets and payment applications such as Apple Pay, Google Pay, PayPal, Zelle, and Venmo


What data is covered

The final rule requires that data providers make “covered data” available upon request by consumers and authorized third parties. Covered data includes:

  • Transaction information
  • Account balances
  • Information to initiate payment to or from a Regulation E account (including tokenized account numbers)
  • Terms and conditions
  • Upcoming billing information
  • Basic account verification information


Data transmission guidelines

Data providers will be required to maintain a consumer interface as well as establish and maintain a developer interface. Doing so will ensure that consumers and authorized third parties can make requests and receive timely, reliable access to covered data in a usable electronic form. These interfaces will also promote the development and use of standardized formats for providing data.

The final rule does not, however, explicitly prohibit screen scraping, a practice that poses risks to consumer data security and privacy. It does include strong restrictions against secondary use of consumer data and describes a credentialing or registry system to assess the risk of third parties and to reasonably deny data requests due to risk management concerns. Data providers are barred from charging any fees to consumers or authorized third parties for developer interfaces, consumer interfaces, covered data requests, or request responses.


Third-party compliance requirements

To become an authorized third party according to the final rule’s requirements, an entity must:

  • Provide the consumer with an authorization disclosure
  • Include a statement in the authorization disclosure certifying that the third party agrees to certain obligations
  • Obtain consumers’ express informed consent through a signed authorization disclosure to access covered data on their behalf [2]
  • Implement safeguards surrounding consumer data collection, use, and retention


A staggered compliance deadline process

The final rule staggers compliance deadlines into five tiers based on total assets for depository institutions and total receipts for non-depository institutions. This is designed to mitigate some of the challenges that smaller institutions may face when building a data interface, including relative lack of technological sophistication, inferior legacy systems, and reliance on third-party service providers. [3]

[Graphic: Open Banking Rule Compliance]

Note: Depository institutions holding under $850 million of total assets are exempt.


Industry response

The Bank Policy Institute, Forcht Bank, and the Kentucky Bankers Association have filed a lawsuit against the CFPB asserting that the final rule will jeopardize consumer privacy, financial data, and account security. The lawsuit raises several key concerns that have echoed across the industry, including that the requirements:

  • Contain no oversight of third parties using bank customer data
  • Fail to hold third parties accountable
  • Increase the likelihood of fraud and scams by failing to address the lack of strong safeguards
  • Could enable screen scraping and other unsafe practices
  • Allow third parties to profit, at no cost, from systems built and maintained by banks
  • Impose an unreasonable implementation timeline [4]

News stories have explored additional industry concerns, including the lack of bank liability protection from fraud and data breaches by third-party fintechs. [5] The Consumer Bankers Association has also criticized the final rule for not accurately reflecting market, technological, and practical realities or adequately incorporating industry feedback provided during the comment period. [6]

It may be tempting for some financial institutions to adopt a “wait and see” approach knowing that the final rule could be amended, delayed, or repealed next year under a new administration; however, preparing now for these required changes is a smarter bet to ensure that they do not lose any forward momentum or shorten their runway to comply.


Key compliance considerations

Covered financial institutions’ efforts to comply with Section 1033’s requirements should begin with an assessment of operational and technological readiness across the following areas:

Proper data capabilities. Institutions that have not yet developed application programming interfaces (APIs) for data access will need to build them within the CFPB’s compliance timeline. They will also need to account for interoperability and integration with existing systems; monitor APIs to ensure they meet the required standards for performance and speed; and implement security measures to protect consumer data from unauthorized access.

Data storage and retention capabilities. Covered financial institutions should ensure that they’re able to properly share requested data with consumers, third parties, and data aggregators in the formatting required by Section 1033. They’ll also need to have adequate data storing capabilities to retain historical consumer transaction data for at least 24 months as required.

Authorization disclosures. To use third parties, covered financial institutions must set up authorization disclosure mechanisms for obtaining consumers’ express informed consent to access covered data and for ensuring that third parties agree to certain obligations.

Increased third-party oversight. Covered financial institutions will need to monitor third-party access to consumer data to ensure that it’s only used for the specific purposes consumers have consented to. They should also institute strong fraud monitoring procedures and make sure that strict privacy and security standards are adhered to when handling consumer information.


An opportunity to increase customer retention

Section 1033’s data-sharing rules put ownership of customer data in consumers’ hands—taking some control over this data away from financial institutions. For those companies who choose to focus on enhancing the customer experience, though, it can be seen as a unique opportunity to foster greater customer retention. They can generate more tailored offers through a full-picture view of a customer’s financial profile—and by ensuring that the data access they provide is user-friendly and secure, they can boost customer trust to keep them from switching to other institutions.

[1] U.S. Consumer Financial Protection Bureau, “Required Rulemaking on Personal Financial Data Rights.”
[2] U.S. Consumer Financial Protection Bureau, “Required Rulemaking on Personal Financial Data Rights.”
[3] “Receipts” means all revenue in whatever form received or accrued from whatever source, including from the sales of products or services, interest, dividends, rents, royalties, fees, or commissions, reduced by returns and allowances; 13 CFR § 121.104(a).
[4] The Bank Policy Institute, “Banks Challenge CFPB Rule Jeopardizing Security and Privacy of Consumer Financial Data.”
[5] American Banker, “CFPB’s 1033 rule sparks ire from banks over data security.”
[6] Consumer Bankers, “CBA Statement on CFPB’s Section 1033 Final Rule on Personal Financial Data Rights.”


Let Us Guide You

Guidehouse is a global consultancy providing advisory, digital, and managed services to the commercial and public sectors. Purpose-built to serve the national security, financial services, healthcare, energy, and infrastructure industries, the firm collaborates with leaders to outwit complexity and achieve transformational changes that meaningfully shape the future.