CFPB's 1033 open banking final rule expands scope to payment apps

Rohit Chopra
Consumer Financial Protection Bureau director Rohit Chopra
Bloomberg News

The Consumer Financial Protection Bureau added payment apps and other financial products to its final open banking rule and in keeping with its focus on innovation, provided for some secondary uses of data.

The CFPB is expected to release the final rule Tuesday, but materials describing the final rule were made available to American Banker prior to its release.

The final rule hews closely to the CFPB's proposal from a year ago but appears to include some substantive changes to the rule's scope, secondary uses and the compliance period, which has been extended by 10 months for the largest banks. The open banking rule is referred to by the industry as "1033" for the section in the Dodd-Frank Act of 2010 that gave the CFPB authority to implement how consumers control their own financial data. 

The CFPB's rule requires that banks safely share financial data on checking accounts, prepaid cards, credit cards, mobile wallets, payment apps and other financial products. Payment apps and other financial products were added in the final rule, sweeping Apple Pay, Google Pay, PayPal, Zelle and Venmo and other apps into the scope of the rule. The change is further proof that third-party apps are dominant forces in banking and payments.

Banks are concerned the rule will expose them to greater liability and also require costly oversight of third-party fintech companies, a tall task in an ecosystem awash with data and a surfeit of fintech upstarts. As the main data providers, banks do have some ability to deny third parties access to consumer data if a company presents risks to the financial system.

CFPB Director Rohit Chopra signaled in prepared remarks that the bureau is in constant communication with other financial regulators to advance open banking.

"The final rule makes clear that when consumers authorize companies to obtain their personal financial data on their behalf, these companies are not acting as service providers to the financial institutions holding the consumer's data — those companies are acting on behalf of the consumer," Chopra said in his prepared remarks. The remarks mean banks may not be able to rely on third party risk management considerations to deny access to third parties.

The CFPB did not issue a larger participant rule for data aggregators, as some had hoped. Rather, all companies involved in data access — not just banks — must comply with the data security requirements of the Gramm-Leach-Bliley Act.

In another change from the proposal unveiled last October, the final rule would allow for some secondary uses of consumer-authorized data by third parties to improve the product or service that the consumer requested without obtaining a separate authorization. Fintech providers and some consumer advocates asked the CFPB to provide for secondary uses of the data to train underwriting models and for anti-fraud tools as well as research and product development. 

"The rule is designed to ensure that open banking does not become a new data pipeline that fuels surveillance pricing or other manipulative mischief," Chopra said in prepared remarks for a speech to be delivered at a Fintech Week conference hosted by the Federal Reserve Bank of Philadelphia.

The final rule also makes some adjustments to the performance requirements that banks and other data providers must meet for data access. Under last year's proposal, institutions would have been required to satisfy 99.5% of data requests within just 3.5 seconds — targets that some experts told the CFPB were too hard to meet. What those adjustments are precisely was not specified.

The final rule also clarifies that tokenized account numbers — randomly generated numbers to replace a customer's actual account number to reduce the risk of financial fraud — are permitted so long as they are not deployed in an anti-competitive manner.

Chopra said the rule aims to address market concentration that limits consumer choice and allow consumers to access their own bank account transaction information — or authorize a third party to access it without charging fees.

"Personal financial data is sensitive, and there are basic protections and rights that should go along with accessing this kind of information," he said in prepared remarks.

The rule is specifically designed to ensure that data is collected and is "used minimally, stored securely, transferred accurately, and deleted when it's no longer needed or when the consumer revokes access," Chopra said.

Chopra has said the proposal would increase competition by helping consumers more easily switch banks. The rule creates strong data security and privacy standards and Chopra reiterated that consumer financial data can only be used for a specific purpose.

National Economic Advisor Lael Brainard echoed those sentiments in a prepared statement, saying that the rule "will make it easier for consumers to switch banks and use financial services that better fit their needs, provide greater opportunity for innovative new businesses to compete, and lower costs for consumers."

The rule establishes strong privacy protections, requiring that personal financial data can only

be used for the purposes authorized by the consumer. The final rule bans data harvesting — prohibiting third parties from collecting, using, or retaining consumers' data for targeted advertising, cross-selling products or any unrelated business reason. The rule does not prohibit any particular uses of data, but rather requires that all use be driven by what is necessary to deliver the product sought by the consumer.

The CFPB said it will be developing additional rules to address other products, services, and use cases that many think will involve mortgage and auto loans.

The CFPB gave the largest banks until April 1, 2026, to comply, while the smallest banks have until April 1, 2030. Only banks and credit unions with more than $850 million in assets and nondepository entities of any size will be required to provide data under the rule. Certain small banks and credit unions are not subject to this rule.

Consumers have been sharing their bank transaction data for years using the common but risky practice of "screen scraping" — giving usernames and passwords to third parties. The CFPB said that screen scraping brings with it inherent risks, such as overcollection of data, inaccurate data sharing, and the spread of login credentials. 

The rule would encourage further the adoption of secure application programming interfaces, or APIs, by enabling the exchange of data in a standardized format. The CFPB has already received an application from the Financial Data Exchange to be recognized as an industry standard-setting body of data formatting standards.

Under the final rule, consumers have the legal right to know what data is being collected, where the data is stored, with whom the data is shared — and to revoke access at any time. When a person revokes access, the rule requires that data access end immediately, with the data deleted. Data access can be maintained for one year unless the consumer agrees to further extended access.

Some experts think the 1033 rule will empower community banks and fintechs to better compete against large banks and reshape how consumers use their personal financial data. Open banking also is expected to speed the replacement of paper bank statements — and potentially eliminate the need for checks. The delivery of a digital stream of data holds out  the potential to vastly reduce fraud, say experts who have been working on the rule for years.

The prohibition on banks charging fees is in keeping with other countries. No other country with an open banking regime — a list that includes the UK, the European Union, Australia, India and Singapore — allows banks to charge fees.

For reprint and licensing requests for this article, click here.
Data sharing Regulation and compliance CFPB News & Analysis
MORE FROM AMERICAN BANKER