Almost exactly a year after issuing a Notice of Proposed Rulemaking (NPRM) on Personal Financial Data rights, on October 22, 2024, the Consumer Financial Protection Bureau (CFPB) issued its final Rule under Section 1033 of the Consumer Financial Protection Act. The Rule, also referred to as the “open banking rule,” has been a key priority of CFPB Director Rohit Chopra’s rulemaking agenda, and according to the CFPB and Director Chopra, aims to give consumers greater rights over their personal financial data and promote competition and consumer choice in financial products and services.
However, the final Rule has already been the target of pointed criticisms, as well as statements of support. Litigation challenging the Rule by the banking industry has already been filed in federal district court.
Overview of the Rule
The CFPB issued this “open banking” Rule pursuant to Section 1033 of the Dodd-Frank Act, which requires banks and other financial service firms—data providers—to “make available to a consumer, upon request, information in the control or possession of the [data provider] concerning the consumer financial product or service that the consumer obtained” from the data provider. 12 U.S.C. § 5533(a). The Rule establishes a framework intended to implement this mandate by giving consumers, directly or through authorized third parties, the ability to access and share the consumer’s personal financial information.
Such information includes transaction information, account balance information, information needed to initiate payments, upcoming bill information, and basic account verification information. The Rule further establishes how personal financial information may be accessed, what safety and security and other grounds may disallow access to personal financial data, which costs will be borne by data providers, and how regulatory compliance standards will be determined by private standards developers rather than the CFPB.
In response to the CFPB’s 2023 NPRM, more than 10,000 comments were filed. The final Rule, however, hews closely to the proposed version, with some key revisions. Most notably, the final Rule includes an exemption for banks and credit unions with less than $850 million in total assets. Compliance dates were also adjusted in the final Rule, requiring that the largest firms comply by April 2026, with compliance by the smallest firms by April 2030.
Key Open Issues
The Rule imposes significant requirements but leaves many unanswered questions about how it will be implemented. Below are several key issues presented by the final Rule:
- The scope of covered data providers may extend beyond banks and financial service providers. The full scope of firms that fall under the definition of a “data provider” is very expansive. In addition to reaching “financial institutions” as defined by Regulation E and “card issuers” as defined by Regulation Z, it also includes “[a]ny other person that controls or possesses information concerning a covered consumer financial product or service [including Regulation E ‘accounts,’ Regulation Z ‘credit cards,’ and the facilitation of third-party payments from an account or credit card] that the consumer obtained from that person.” The Rule may, therefore, extend not only to traditional depository and non-depository financial institutions with at least $850 million in total assets, but also to other “financial institutions,” such as payment processors or other firms that control or possess covered consumer financial information and meet the asset threshold. In particular, the interaction between the definition of “financial institution” under Regulation E and the complex limitations on the CFPB’s regulation, enforcement, and examination authority under Title 10 of the Dodd-Frank Act leaves substantial questions regarding the Rule’s coverage.
- The Rule provides detailed access interface requirements for data providers that will be costly to implement, especially for smaller firms. The Rule imposes significant and burdensome requirements for consumer and developer interfaces that data providers must establish and maintain. The requirements include the ability to deliver covered data in a standardized, machine-readable format, achieve a 99.5% or higher response rate, and meet prescribed security standards.
- Further, the Rule prohibits data providers from charging consumers or authorized third parties a fee to recoup expenses. This may lead data providers to consider, to the extent possible, increasing their prices to defray implementation costs, which in turn may ultimately lead to higher costs to consumers.
- The inability of data providers to pass along costs to third parties is also a point of contention for the banking industry, which has voiced concerns that recipient third parties may benefit at the substantial cost to banks and other financial institutions.
- The Rule requires access to consumer information in a “consistent and non-discriminatory” manner but fails to explain what this means. The Rule contemplates that there may be conditions set to ensure that interface access is granted and/or denied based on consistent and non-discriminatory standards. However, it does not define these terms and leaves open, for instance, whether a data provider can establish different terms for access where requesters are differently situated, or the extent to which data providers and requesters will have the freedom to negotiate terms relating to such factors as price, quality, or consumer benefits and harms that can arise on a case-by-case basis depending on specific circumstances.
- Relatedly, by compelling access to all requesters on “consistent and nondiscriminatory” terms, the Rule potentially creates conflict with established antitrust principles. Generally, a competitor has no duty to deal with a competitor. Yet, the Rule will allow not only a consumer, but also third-party requesters, including data brokers and data aggregators, that have been authorized by a consumer, to gain access to the consumer’s personal information for undefined uses, which may be in direct competition with the data provider.
- The banking trade associations have challenged whether these aspects of the Rule are within the CFPB’s authority under Section 1033 of the Dodd-Frank Act.
- The Rule does not itself require oversight of third parties receiving customer data. The Rule requires data providers to give authorized third parties access to covered data—but does not supersede existing regulatory obligations regarding data security. While the Rule itself does not specify what safeguards financial institutions must apply to protect consumers’ sensitive information, financial institutions and data recipients alike should be cognizant that other federal laws still apply.
- For example, the Rule does require that a third party receiving covered data apply to its systems for the collection, use, and retention of covered data an information security program that satisfies the safeguards for customer data set forth by Section 501 of the Gramm-Leach-Bliley Act (GLBA). For those third parties not subject to the GLBA, the Rule instead requires compliance with the Federal Trade Commission’s Standards for Safeguarding Customer Information. And all data providers and third-party recipients remain subject to principles of unfair, deceptive, and abusive acts and practices (UDAAP) law and third-party risk management (TPRM) standards that could impose additional obligations.
- The Rule calls for industry participation in standards development, which may be prohibitively costly for many interested parties and could prevent timely compliance with the Rule. The new Rule leaves open the question of what specific standards data providers must meet in order to satisfy their obligations under the Rule. Under the portion of the Rule finalized in June 2024, procedures were established as to how standards development organizations can be authorized by the CFPB as recognized standard setters, and thereby be able to develop qualified industry standards. To date, one organization has applied to qualify as a recognized standard setter, but none have yet been approved. As a result, work on industry standards contemplated by the Rule has not yet even started.
- The standard setter rule establishes that standards must be developed consistent with principles of openness, balance, due process, and consensus. Accordingly, all interested stakeholders must be afforded the opportunity to have their views considered, which requires procedures that allow for full deliberation of all views, through potential appeals, over what can be extended periods of time. Such procedures must also ensure that the views of all interested stakeholders are considered, which may further require steps to ensure participation by smaller firms that may be hard-pressed to bear the costs of standards development.
- The Rule does not, however, account for factors that may create hurdles for all interested stakeholders to participate in the development of standards that will define requirements for complying with the Rule, or the time it will take to develop such standards.
- Also left unsaid by the Rule is how compliance will be impacted as standards evolve. Standards are iterative and constantly evolving as new data, techniques, and methodologies are developed through consensus processes. Evolving standards, which the Rule directs will establish regulatory obligations, may therefore require continual investment and updating of infrastructure.
Key Takeaways and Ways to Prepare
- Businesses should evaluate whether they may meet the Rule’s very broad definition of a “data provider,” keeping in mind the exemption for institutions having less than $850 million in total assets.
- If businesses qualify as a “data provider” under the Rule, they should determine the applicable compliance date. The earliest compliance date is April 2026 for the largest institutions, with
- Companies should also assess how they currently allow for the provision of consumers’ personal financial data to third parties. It is recommended that they identify any gaps to be addressed to satisfy the Rule’s current requirements and keep abreast of which industry standards are in development and forthcoming from recognized standard setters. Legal departments should engage with finance departments and IT to ensure that adequate allocations are put into place in preparation for potential capital, IT, and consulting-related expenditures.
This post comes to us from Morgan, Lewis & Bockius LLP. It is based on the firm’s memorandum, “CFPB Issues Final Rule on Personal Financial Data Rights,” dated October 28, 2024, and available here.