On Tuesday, the Consumer Financial Protection Bureau (CFPB) finalized a long-awaited rule that promises to enable consumers to better control their financial data, marking a major step in a regulatory process that started in 2010.
The new regulation is 38 pages long, but it was accompanied by more than 500 pages of commentary by the CFPB explaining the comments the bureau received on the controversial rule and its response to those comments. The regulation has already spawned a
The new rule has the potential to create new competition in the financial services industry, driving down prices and interest rates, according to the CFPB. It also has the potential to spur on fraud and scams that are already plaguing consumers and banks, according to critics.
Here's how the rule developed, which institutions must comply, how it affects banks, and when the changes take effect.
How the open banking rule developed
Following the 2008 financial crisis, Congress passed the
The act deferred to a newly established CFPB to sort out the details with a rulemaking process. The agency
Medium and large banks and credit unions must comply
The entities that will mainly have to comply with the CFPB's new open banking rule are larger community banks, medium and large banks, and credit unions, but the rule applies to all so-called "data providers."
Any depository institution that falls under the Small Business Administration's definition of a small bank or credit union does not need to comply. That means,
A data provider, per the new regulation, includes three types of entities. First, it includes financial institutions, according to the definition in
Second, card issuers are data providers. The definition of a card issuer comes from
The third category of data providers is any entity that "controls or possesses information concerning a covered financial product or service that the consumer obtained" from that entity, according to the regulation. The regulation explicitly says a "digital wallet provider" is one example.
The CFPB has not previously said what precisely constitutes a digital wallet, though it started a
The CFPB indicated
"The CFPB intends to implement CFPA section 1033 with respect to other covered persons and consumer financial products or services through future rulemaking," the agency stated in its supplement to the final regulation. "Prioritizing Regulation E accounts, Regulation Z credit cards, and payment facilitation products and services advances competition goals across a broader range of markets while addressing pressing consumer use cases and risks."
Authorized third parties will gain access to consumer data
The CFPB's open banking rule defines a "third party" as any entity other than the consumer whose data is in question or the data provider that possesses that consumer's data. In practical terms, these are fintechs and
A third party becomes an authorized third party when a consumer, according to the new open banking rule, gives their "informed consent" for the third party to access their financial information. During this authorization process, the third party must disclose to the consumer what data the third party will obtain and how it will use it.
This consent can only last for up to a year at a time. The third party must obtain reauthorization from the consumer to get another year of access to their data, and they must inform the consumer about how to revoke access at any time.
Banks must share transactions, bills, and more information
The data that data providers will need to make available to authorized third parties under the new rule must include at least 24 months of transaction information, account balances, information needed to initiate payments from certain accounts, terms and conditions (including fee schedules and interest rates), upcoming bill information, and basic information needed to verify the authenticity of the account.
If a customer wants to share any of this data with an authorized third party, the bank must make it available in a machine-readable format, though the specific format is pending finalization.
The CFPB explicitly exempted confidential information like algorithms for credit scoring, meaning banks do not need to disclose such information. However, inputs and outputs of these algorithms, such as APRs and pricing terms, are still covered. The rule also exempts information the bank has gathered solely to prevent money laundering, fraud or other financial crimes.
The required format of the data is not yet final
Dodd-Frank specified that the information shared with consumers under Section 1033 "shall be made available in an electronic form usable by consumers." It specified that the CFPB must prescribe standards for the format of this data.
To address this requirement, the CFPB
The bureau has
Compliance dates range from 2026 to 2030
The size of the data provider determines when it must comply with the new regulations.
- By April 1, 2026, depository institutions with at least $250 billion in assets and nondepository institutions with at least $10 billion in revenue must comply.
- By April 1, 2027, depository institutions with between $10 billion and $250 billion in assets must comply, as must the rest of the nondepository institutions.
- By April 1, 2028, depository institutions with between $3 billion and $10 billion in assets must comply.
- By April 1, 2029, depository institutions with between $1.5 billion and $3 billion in assets must comply.
- By April 1, 2030, the rest of the covered depository institutions must comply.
Screen scraping, an insecure data retrieval practice, is implicitly banned
In the context of open banking,
The practice is insecure and the subject of nearly universal criticism,
These risks are heightened by the
The Bank Policy Institute, which is an association of large banks, has criticized CFPB director Rohit Chopra for
"Many data aggregators will continue to rely on unsafe practices such as screen scraping to obtain account and transaction data, often collecting and retaining more information than is needed to offer a desired product or service," reads
Indeed, the regulation does not ban screen scraping outright. However, guidance that the CFPB issued alongside the rule suggests the bureau will act against third parties that engage in screen scraping when a more secure alternative exists.
The secure alternative of choice in the regulation is a so-called "developer interface," which is only accessible via access tokens rather than consumer credentials. Tokens are more secure than consumer credentials for a variety of reasons, including that tokens expire while credentials do not.
"If a third party attempts to screen scrape consumer data when a more secure, structured alternative means of access is available, such as the developer interface or a substantially similar interface, then the third party would be needlessly exposing consumers to harm," reads the CFPB's commentary on the new rule.
"Depending on the facts and circumstances, such activity might well constitute an unfair, deceptive, or abusive act or practice," the bureau concludes, making reference to the type of acts and practices that the CFPB exists to prosecute.
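As an added illustration (not code from the article or the CFPB), here is a hypothetical data-provider-side consent registry in Python that enforces the authorization model described above in the consent section and in this section: opaque, expiring tokens instead of the consumer's login credentials, consent capped at one year with explicit reauthorization, revocation at any time, and access limited to the data categories the third party disclosed when the consumer authorized it. The class and method names, the day-number clock and the category labels are assumptions chosen for this example.

```python
from dataclasses import dataclass
import secrets
# Data categories the rule requires data providers to expose (listed in the article).
COVERED_DATA = frozenset({"transactions", "balances", "payment_initiation",
                          "terms_and_conditions", "upcoming_bills", "account_verification"})
MAX_CONSENT_DAYS = 365  # consent may last at most one year at a time
@dataclass
class Consent:
    consumer_id: str
    third_party: str
    scopes: frozenset  # only the categories disclosed to the consumer at authorization
    expires_day: int   # clock kept as a plain day number to keep the example self-contained
    revoked: bool = False

class ConsentRegistry:
    """Hypothetical data-provider-side registry: one opaque, expiring token per consent."""
    def __init__(self):
        self._tokens = {}  # token string -> Consent

    def authorize(self, consumer_id, third_party, scopes, today, days=MAX_CONSENT_DAYS):
        scopes = frozenset(scopes)
        if not scopes <= COVERED_DATA:
            raise ValueError(f"scope not covered by the rule: {sorted(scopes - COVERED_DATA)}")
        # Cap at one year whatever the third party asks for; reauthorization means a
        # fresh consent and a fresh token, never a silent extension of the old one.
        expires_day = today + min(days, MAX_CONSENT_DAYS)
        token = secrets.token_urlsafe(32)  # bearer token; the consumer's password is never shared
        self._tokens[token] = Consent(consumer_id, third_party, scopes, expires_day)
        return token

    def expires_day(self, token):
        return self._tokens[token].expires_day

    def revoke(self, token):
        if token in self._tokens:  # consumer may revoke at any time; the token dies immediately
            self._tokens[token].revoked = True

    def check(self, token, scope, today):
        """Decide whether a developer-interface request may proceed; returns (allowed, reason)."""
        consent = self._tokens.get(token)
        if consent is None:
            return False, "unknown token"
        if consent.revoked:
            return False, "consent revoked by consumer"
        if today >= consent.expires_day:
            return False, "consent expired; reauthorization required"
        if scope not in consent.scopes:
            return False, f"scope '{scope}' was not disclosed at authorization"
        return True, "ok"
```

A real developer interface would also log each decision so that both the data provider and the consumer can audit which third party pulled which category and when.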
Proponents say the rule gives consumers control, promotes competition
Section 1033 of Dodd-Frank tasked the CFPB with establishing rules that would require financial services providers to "make available to a consumer, upon request, information in the control or possession" of the provider.
This information includes data related to the "consumer financial product or service that the consumer obtained from" the provider, including "information relating to any transaction, series of transactions, or to the account including costs, charges and usage data."
On Tuesday, the CFPB promoted its open banking rule as a means of spurring "more competition in consumer financial services" by making it easier for consumers to "shop around for better products at lower rates and switch to banks, payment products, or other providers that better meet their needs," according to a press release.
The rule "should serve as a model for all data privacy regimes in the United States" because it far exceeds the protections of weaker privacy laws that preceded it,
The NCLC also said the rule would facilitate competition with the three credit bureaus by promoting new methods of assessing creditworthiness, such as cash flow underwriting, which relies on looking at the transaction history of a consumer's bank account.
Other proponents of the new rule include Consumer Reports, the consumer-oriented research and advocacy organization, which touted the rule's requirement that authorized third parties disclose to consumers how they use their data.
"This rule marks a significant milestone in giving consumers greater control over their financial lives,"
The North American chapter of the Financial Data and Technology Association (FDATA North America), a trade association representing fintechs and open finance companies, also supported the rule, with minor caveats. Members of FDATA are some of the "third parties" mentioned in the new open banking regulation — the companies that consumers can authorize to access their financial information.
Though "highly supportive" of the new open banking rule, according to
"We applaud the final rule, which puts consumers in control of their financial data, allowing them to select the financial provider that best meets their needs," said Steve Boms, executive director of FDATA North America.
Critics say the rule jeopardizes consumers' data security
On Wednesday, the day after the CFPB issued its open banking rule, Forcht Bank, a $1.5 billion asset bank based in Lexington, Kentucky,
"The CFPB's 1033 rulemaking jeopardizes the safety and soundness of our banking system and fails to protect consumer data," said Ballard W. Cassady Jr., CEO and president of the Kentucky Bankers Association. "We are challenging the CFPB to ensure that banks can continue to protect their consumers and the integrity of the financial system in a safe and sound manner."
One of the primary complaints leveled both in the lawsuit and previously by critics is that the rule does not institute sufficient oversight of the third parties that consumers authorize to access their financial data, raising concerns that banks might be held liable for data breaches at third parties.
"The entire responsibility of protecting customers is left to banks under the final rule, while the CFPB takes no accountability for the oversight or supervision of data recipients," reads a Wednesday press release from the Bank Policy Institute. "Mandating data sharing without requiring third parties to sufficiently protect that data will undermine existing consumer protection laws."
The CFPB says the rule's benefits outweigh the security risks
The CFPB has responded to these criticisms by saying the rule includes mitigations, such as requiring tokenized account access for third parties as opposed to storing and using consumers' bank login credentials. It also said that these fraud risks already exist under the current system.
"Practically, the CFPB expects that in order to connect a bank account to a new third party service, a bad actor would need access to the consumer's credentials for their covered account and potentially access to additional information or devices required for authorization, such as codes issued as part of two-factor authentication," reads the CFPB's response to comments that were submitted on a proposed version of the rule.
These risks, the CFPB response continues, "exist under the baseline," and the bureau expects any increased risks "are outweighed by the data security and privacy benefits" of the new rule.