A complete guide to the CFPB's open banking rule

Department Of Transportation And Consumer Financial Protection Bureau Hold Joint Hearing On Rewards Programs
Rohit Chopra, director of the Consumer Financial Protection Bureau.
Tierney L. Cross/Bloomberg

On Tuesday, the Consumer Financial Protection Bureau finalized a long-awaited rule that promises to enable consumers to better control their financial data, marking a major step in a regulatory process that started in 2010.

The new regulation is 38 pages long, but it was accompanied by more than 500 pages of commentary by the CFPB explaining the comments the bureau received on the controversial rule and its response to those comments. The regulation has already spawned a lawsuit brought by the Bank Policy Institute, the Kentucky Bankers Association and a community bank in Lexington, Kentucky; statements of support from consumer advocates; and promises of more rules to come.

The new rule has the potential to create new competition in the financial services industry, driving down prices and interest rates, according to the CFPB. It also has the potential to spur on fraud and scams that are already plaguing consumers and banks, according to critics.

Here's how the rule developed, which institutions must comply, how it affects banks and when the changes will precipitate.

How the open banking rule developed

Following the 2008 financial crisis, Congress passed the Dodd-Frank Wall Street Reform and Consumer Protection Act. Title X of that act is titled the Consumer Financial Protection Act of 2010, or CFPA, and Section 1033 of the CFPA calls on financial services companies to make personal financial data available to their customers.

The act deferred to a newly established CFPB to sort out the details with a rulemaking process. The agency started that process in 2016, and on Tuesday, the bureau issued its final rule implementing Section 1033. The bureau named this open banking regulation the Personal Financial Data Rights Rule.

Medium and large banks and credit unions must comply

The primary types of entity that will have to comply with the CFPB's new open banking rule will be larger community banks, medium and large banks and credit unions, but the rule concerns all so-called "data providers."

Any depository institution that falls under the Small Business Administration's definition of a small bank or credit union does not need to comply. That means, currently, any bank or credit union with less than $850 million in assets is exempt. (As of June 2024, 11% of credit unions and 26% of banks had more than $850 million in assets, according to call reports from the National Credit Union Association and Federal Financial Institutions Examination Council.)

A data provider, per the new regulation, includes three types of entities. First, it includes financial institutions, according to the definition in Regulation E. These are banks and credit unions.

Second, card issuers are data providers. The definition of a card issuer comes from Regulation Z; it is any lender that issues credit cards. While this covers many banks and credit unions that are already included, it also includes entities such as American Express, which is both a card network and a card issuer. The CFPB has also ruled that buy now/pay later providers such as Klarna are card issuers and therefore must comply with the new open banking regulation.

The third category of data providers is any entity that "controls or possesses information concerning a covered financial product or service that the consumer obtained" from that entity, according to the regulation. The regulation explicitly says a "digital wallet provider" is one example.

The CFPB has not previously said what precisely constitutes a digital wallet, though it started a rulemaking process last year that, among other impacts, would create a regulatory definition for the term. Common definitions of "digital wallet" often encompass Venmo, Apple Cash, PayPal and other services that provide fully digital means of maintaining a balance and making payments.

The CFPB indicated in its comments on the new regulation that it would continue to refine its definition of the term "data provider" through future rulemaking processes, but its current priority is to regulate financial institutions and card issuers.

"The CFPB intends to implement CFPA section 1033 with respect to other covered persons and consumer financial products or services through future rulemaking," the agency stated in its supplement to the final regulation. "Prioritizing Regulation E accounts, Regulation Z credit cards, and payment facilitation products and services advances competition goals across a broader range of markets while addressing pressing consumer use cases and risks."

Authorized third parties will gain access to consumer data

The CFPB's open banking rule defines a "third party" as any entity other than the consumer whose data is in question or the data provider that possesses that consumer's data. In practical terms, these are fintechs and data aggregators that offer services to consumers using their banking data. These services can include budgeting apps, loans underwritten by the customer's cash flow rather than their credit score and numerous others.

A third party becomes an authorized third party when a consumer, according to the new open banking rule, gives their "informed consent" for the third party to access their financial information. During this authorization process, the third party must disclose to the consumer what data the third party will obtain and how it will use it.

This consent can only last for up to a year at a time. The third party must obtain reauthorization from the consumer to get another year of access to their data, and they must inform the consumer about how to revoke access at any time.

Banks must share transactions, bills and more information

The data that data providers will need to make available to authorized third parties under the new rule must include at least 24 months of transaction information, account balances, information needed to initiate payments from certain accounts, terms and conditions (including fee schedules and interest rates), upcoming bill information, and basic information needed to verify the authenticity of the account.

If a customer wants to share any of this data with an authorized third party, the bank must make it available in a machine-readable format, though the specific format is pending finalization.

The CFPB explicitly exempted confidential information like algorithms for credit scoring, meaning banks do not need to disclose such information. However, inputs and outputs of these algorithms, such as APRs and pricing terms, are still covered. The rule also exempts information the bank has gathered solely to prevent money laundering, fraud or other financial crimes.

The required format of the data is not yet final

Dodd-Frank specified that the information shared with consumers under Section 1033 "shall be made available in an electronic form usable by consumers." It specified that the CFPB must prescribe standards for the format of this data.

To address this requirement, the CFPB requested applications in June from industry standards-setting bodies so the bureau could pick one to be the official "open banking standard setter."

The bureau has published one such application; it came in September from the Financial Data Exchange, or FDX, a nonprofit governed by several large banks, fintechs and data aggregators. FDX is a subsidiary of the Financial Services Information Sharing and Analysis Center, which is an industry group for sharing cybersecurity intel across the financial services sector.

Compliance dates range from 2026 to 2030

The size of the data provider determines when it must comply with the new regulations.

  • By April 1, 2026, depository institutions with at least $250 billion in assets and nondepository institutions with at least $10 billion in revenue must comply.
  • By April 1, 2027, depository institutions with between $10 billion and $250 billion in assets must comply, as must the rest of the nondepository institutions.
  • By April 1, 2028, depository institutions with between $3 billion and $10 billion in assets must comply.
  • By April 1, 2029, depository institutions with between $1.5 billion and $3 billion in assets must comply.
  • By April 1, 2030, the rest of the covered depository institutions must comply.

Screen scraping, an insecure data retrieval practice, is implicitly banned

In the context of open banking, screen scraping is the practice of a third party saving a bank customer's username and password (with the user's authorization), potentially alongside answers to their security questions, and using those credentials to log into their bank account to access their data.

The practice is insecure and the subject of nearly universal criticism, even among practitioners. Among other risks, when a bank customer shares their login information with a third party, it raises the specter of a bad actor targeting the third party to steal banking credentials en masse.

These risks are heightened by the relaxed security standards to which nonbank companies are held, in comparison to the standards banks must implement. While prudential regulators examine financial institutions to ensure they are meeting security standards, third parties that store banking credentials do not face the same level of scrutiny. Instead, enforcement tends to be based on complaints and investigations.

The Bank Policy Institute, which is an association of large banks, has criticized CFPB Director Rohit Chopra for comments he has made suggesting that the bureau's open banking rule helps with "accelerating the shift away" from screen scraping and that the practice will eventually be "sunset." Chopra made the comments Tuesday, following the release of the final open banking rules.

"Many data aggregators will continue to rely on unsafe practices such as screen scraping to obtain account and transaction data, often collecting and retaining more information than is needed to offer a desired product or service," reads a statement from the Bank Policy Institute in response to Chopra's comments.

Indeed, the regulation does not ban screen scraping outright. However, guidance that the CFPB issued alongside the rule suggests the bureau will act against third parties that engage in screen scraping when a more secure alternative exists.

The secure alternative of choice in the regulation is a so-called "developer interface," which is only accessible via access tokens rather than consumer credentials. Tokens are more secure than consumer credentials for a variety of reasons, including that tokens expire while credentials do not.

"If a third party attempts to screen scrape consumer data when a more secure, structured alternative means of access is available, such as the developer interface or a substantially similar interface, then the third party would be needlessly exposing consumers to harm," reads the CFPB's commentary on the new rule.

"Depending on the facts and circumstances, such activity might well constitute an unfair, deceptive, or abusive act or practice," the bureau concludes, making reference to the type of acts and practices that the CFPB exists to prosecute.

Proponents say the rule gives consumers control, promotes competition

Section 1033 of Dodd-Frank tasked the CFPB with establishing rules that would require financial services providers to "make available to a consumer, upon request, information in the control or possession" of the provider.

This information includes data related to the "consumer financial product or service that the consumer obtained from" the provider, including "information relating to any transaction, series of transactions, or to the account including costs, charges and usage data."

On Tuesday, the CFPB promoted its open banking rule as a means of spurring "more competition in consumer financial services" by making it easier for consumers to "shop around for better products at lower rates and switch to banks, payment products, or other providers that better meet their needs," according to a press release.

The rule "should serve as a model for all data privacy regimes in the United States" because it far exceeds the protections of weaker privacy laws that preceded it, according to Chi Chi Wu, a senior attorney at the National Consumer Law Center, or NCLC, a consumer advocacy group.

The NCLC also said the rule would facilitate competition with the three credit bureaus by promoting new methods of assessing creditworthiness, such as cash flow underwriting, which relies on looking at the transaction history of a consumer's bank account.

Other proponents of the new rule include Consumer Reports, the consumer-oriented research and advocacy organization, which touted the rule's requirement that authorized third parties disclose to consumers how they use their data.

"This rule marks a significant milestone in giving consumers greater control over their financial lives," said Delicia Hand, senior director of the digital marketplace.

The North American chapter of the Financial Data and Technology Association, or FDATA North America, a trade association representing fintechs and open finance companies, also supported the rule, with minor caveats. Members of FDATA are some of the "third parties" mentioned in the new open banking regulation — the companies that consumers can authorize to access their financial information.

Though "highly supportive" of the new open banking rule, according to a press release, FDATA members "expressed disappointment" that Electronic Benefit Transfer data was excluded from the data the rule covers.

"We applaud the final rule, which puts consumers in control of their financial data, allowing them to select the financial provider that best meets their needs," said Steve Boms, executive director of FDATA North America.

Critics say the rule jeopardizes consumers' data security

On Wednesday, the day after the CFPB issued its open banking rule, Forcht Bank, a $1.5 billion asset bank based in Lexington, Kentucky, filed a lawsuit seeking to block the rule. The Kentucky Bankers Association and the Bank Policy Institute, a national association of large banks, joined the lawsuit.

"The CFPB's 1033 rulemaking jeopardizes the safety and soundness of our banking system and fails to protect consumer data," said Ballard W. Cassady Jr., CEO and president of the Kentucky Bankers Association. "We are challenging the CFPB to ensure that banks can continue to protect their consumers and the integrity of the financial system in a safe and sound manner."

One of the primary complaints levied both in the lawsuit and previously by critics is that the rule does not institute sufficient oversight of the third parties that consumers authorize to access their financial data, raising concerns that banks might be held liable for data breaches at third parties.

"The entire responsibility of protecting customers is left to banks under the final rule, while the CFPB takes no accountability for the oversight or supervision of data recipients," reads a Wednesday press release from the Bank Policy Institute. "Mandating data sharing without requiring third parties to sufficiently protect that data will undermine existing consumer protection laws."

Regulators have indeed signaled in other contexts that banks are responsible for managing third-party risks, particularly cybersecurity risks. However, this scrutiny has focused on vendors that provide IT services to banks, rather than third parties that consumers individually authorize to access their banking data.

The CFPB says the rule's benefits outweigh the security risks

The CFPB has responded to these criticisms by saying the rule includes mitigations, such as requiring tokenized account access for third parties as opposed to storing and using consumers' bank login credentials. It also said that these fraud risks already exist under the current system.

"Practically, the CFPB expects that in order to connect a bank account to a new third party service, a bad actor would need access to the consumer's credentials for their covered account and potentially access to additional information or devices required for authorization, such as codes issued as part of two-factor authentication," reads the CFPB's response to comments that were submitted on a proposed version of the rule.

These risks, the CFPB response continues, "exist under the baseline," and the bureau expects any increased risks "are outweighed by the data security and privacy benefits" of the new rule.

For reprint and licensing requests for this article, click here.
Regulation and compliance CFPB News & Analysis Politics and policy
MORE FROM AMERICAN BANKER