Overview
On October 22, 2024, the Consumer Financial Protection Bureau (CFPB) finalized its long-anticipated “Personal Financial Data Rights” rule (and Executive Summary) – more commonly known as the “Open Banking” rule – under Section 1033 of the Dodd-Frank Act. This landmark regulation aims to empower consumers by granting them greater control over their personal financial data, enabling them to access and share this information with third-party providers securely and without charge. According to the CFPB, the rule is designed to foster competition and innovation in the financial services industry by making it easier for consumers to switch financial providers and for new companies to offer innovative products and services.
The final rule requires covered entities – including banks, credit card issuers, digital wallet providers, and other financial institutions – to provide consumers and authorized third parties with access to specified consumer financial data upon request. It also establishes privacy and security protections, limiting third parties’ use of the data they receive to the purposes expressly authorized by the consumer. While the rule has been lauded for promoting consumer choice and competition, it has also faced criticism and legal challenges from industry stakeholders concerned about data security, compliance burdens, and statutory authority.
What Does the CFPB Open Banking Rule Entail?
The CFPB’s Open Banking rule mandates that covered data providers make available to consumers, or to third parties authorized by consumers, certain data related to covered consumer financial products or services free of charge.
- Covered data – data providers must make available:
  - Account Balance and Transaction Information: At least 24 months of transaction history, including amounts, dates, payment types, merchant names, rewards credits, and fees or finance charges.
  - Payment Initiation Information: Data necessary to initiate payments from accounts, facilitating services like “pay-by-bank.”
  - Terms and Conditions: Details such as fee schedules, interest rates, credit limits, rewards program terms, and whether the consumer has entered into an arbitration agreement.
  - Upcoming Bill Information: Information on upcoming payments due, including scheduled payments to third parties.
  - Basic Account Verification Information: Names, addresses, email addresses, and phone numbers associated with the accounts.
- Exceptions – data providers do not have to make available:
  - Confidential commercial information.
  - Information collected for the sole purpose of preventing fraud/money laundering.
  - Information required to be kept confidential by law.
  - Information the data provider cannot retrieve in the ordinary course of business.
Which Entities Are “Data Providers” under the Rule?
The rule applies to a broad range of financial service providers, referred to as “covered data providers.” This includes:
- Regulation E financial institutions: Banks, savings associations, and credit unions holding consumer asset accounts.
- Regulation Z card issuers.
- Payment Facilitators: “Any other person that controls or possesses information concerning a covered consumer financial product or service that the consumer obtained from that person.” This includes companies that enable transactions from consumer accounts, including digital wallet providers.
Notably, the final rule exempts depository institutions that hold assets of $850 million or less (i.e., equal to or less than the Small Business Administration size standard for such institutions), aiming to alleviate the compliance burden on smaller banks and credit unions.
Consumer and Developer Interfaces
Under the rule, data providers are required to establish and maintain two separate interfaces for accessing covered data: a consumer interface (e.g., online banking portals that allow consumers to access their data directly) and a developer interface for authorized third parties (e.g., APIs, though the rule is technology neutral) to facilitate secure and standardized access to covered data. Data providers must also provide certain information to consumers and authorized third parties, including: (i) its legal name and any assumed names; (ii) a link to its website; (iii) its Legal Entity Identifier (LEI) that is issued by a utility endorsed by the LEI Regulatory Oversight Committee or the Global LEI Foundation; and (iv) contact information for consumers or third parties to ask questions about accessing covered data. Data providers may not charge fees to either consumers or authorized third parties for accessing covered data. The developer interface must meet certain minimum performance standards and may not unreasonably restrict the frequency with which it receives or responds to requests from an authorized third party.
Data providers may deny third parties access to their interfaces only under certain limited circumstances. In particular, a data provider may deny access to its developer interface if a third party does not present evidence that its information security practices are adequate to protect covered data, or if the third party does not provide: (i) its legal name (and any assumed names); (ii) a link to its website; (iii) its LEI that is issued by a utility endorsed by the LEI Regulatory Oversight Committee or the Global LEI Foundation; and (iv) contact information a data provider may use to inquire about the third party’s information security and compliance practices.
Like the proposed rule, the final rule does not explicitly prohibit screen scraping by authorized third parties; however, the final rule seeks to curtail screen scraping by prohibiting authorized third parties from accessing a data provider’s developer interface using any credentials that a consumer uses to access the consumer interface.
What Are the Privacy and Security Protections and Restrictions on Third Parties?
To safeguard consumer data, the rule imposes several privacy and security requirements on third parties:
- Purpose Limitation: When a consumer authorizes a third party to access the consumer’s financial data from a data provider, the third party can only use the data for the specific product or service requested by the consumer. Practices like selling the data, using the data for targeted advertising, or cross-selling the third party’s other products/services are prohibited (unless the consumer expressly consents to these purposes).
- Consent and Authorization: Third parties must obtain express consent from consumers through clear authorization disclosures, outlining the data to be accessed and the purpose.
- Limited Duration of Authorization: The authorization from a consumer is valid for one year, after which the third party must obtain new authorization from the consumer. If an authorization expires, the third party may no longer collect covered data and may no longer use or retain covered data collected under the expired or revoked authorization.
- Revocation Rights: Consumers have the right to revoke a third party’s access at any time, and third parties must (1) make revocation easy, (2) cease data collection and delete data unless retention is necessary to provide the requested service, and (3) notify the data provider if it receives a revocation request from the consumer.
- Data Security Programs: Third parties must implement data security measures in line with the Gramm-Leach-Bliley Act (GLBA), or, if not subject to the GLBA, the FTC Standards for Safeguarding Customer Information (i.e., Safeguards Rule).
- Policies and Procedures: Third parties must maintain their own internal written policies and procedures to comply with the rule and the rule’s record retention requirements.
What Are the Compliance Deadlines?
Compliance with the rule will be implemented in phases as follows:
| Depository Institution (Total Assets) | Non-Depository Institution (Total Receipts) | Compliance Date |
|---|---|---|
| >$250bn | >$10bn in either calendar year 2023 or 2024 | April 1, 2026 |
| $10bn – $250bn | <$10bn in both calendar year 2023 and 2024 | April 1, 2027 |
| $3bn – $10bn | | April 1, 2028 |
| $1.5bn – $3bn | | April 1, 2029 |
| $850m – $1.5bn | | April 1, 2030 |
| <$850m | | Exempt |
Key Takeaways
This significant regulatory development carries several implications for businesses in the financial sector:
- Prepare for Compliance: Covered entities, both data providers and third parties, should begin assessing their data infrastructure, security protocols, and compliance procedures, and obtaining the required LEIs, to meet the new requirements within the specified timelines.
- Review Data Sharing Practices: Companies seeking to access covered data must evaluate their data collection, use, and retention policies to ensure they align with the purpose limitations and consent requirements of the rule.
- Enhance Privacy and Security Measures: Robust data security programs compliant with GLBA and other regulations must be implemented to protect consumer data during access and transfer. This is particularly important for third-party recipients who may not be as familiar with these requirements (as noted above, if the third party is not already subject to the GLBA, it must follow the FTC Safeguards Rule, which sets out detailed security requirements for protecting consumers’ financial information).
- Monitor Legal Developments: Ongoing legal challenges could impact the implementation and enforcement of the rule. Companies should follow these proceedings and be prepared to adapt accordingly.
- Engage with Industry Standards: Participation in recognized standard-setting bodies may aid in compliance and contribute to the development of interoperable systems that benefit the industry as a whole (the CFPB finalized its rule regarding standard-setting bodies earlier this summer).
For more information about these developments and how they may affect your organization, contact your DLA relationship partner, the authors of this blog post, or any member of DLA’s Data Protection, Privacy, and Security team.