With Uncertainty Regarding the Future, CFPB Finalizes Open Banking Rule
December 17, 2024

In October 2024, the Consumer Financial Protection Bureau (“CFPB”) issued a Final Rule giving consumers greater rights, privacy, and security over their financial data (“Final Rule” or “Open Banking Rule”). The Open Banking Rule was implemented under Section 1033 of the Dodd-Frank Act. It was immediately challenged by the Bank Policy Institute and Kentucky Bankers Association with a lawsuit filed the same day the CFPB issued the Final Rule. Despite such legal action, the CFPB published the Final Rule in the Federal Register on November 18, 2024.
Subject to the outcome of the pending litigation, the Open Banking Rule will become effective on January 17, 2025. Compliance dates for covered data providers will be implemented in phases, with larger providers subject to the Final Rule sooner than smaller ones. The largest covered institutions will have to comply beginning April 1, 2026, while the smallest covered institutions will have until April 1, 2030.
A discussion of who is covered under the Final Rule, key aspects of the Final Rule, and the legal challenges to the Final Rule is set forth below.
Covered Data Providers
The primary entities that are covered by the Open Banking Rule are larger community banks, medium and large banks, as well as credit unions, but the Final Rule impacts all "data providers." The term “data provider” includes (i) depository institutions, such as banks and credit unions, (ii) non-depository institutions that issue credit cards, hold transaction accounts, issue devices to access an account, or provide payment facilitation services, and (iii) any other person that "controls or possesses information concerning a covered consumer financial product or service that the consumer obtained from that person,” according to the regulation. The Final Rule expressly provides that a digital wallet provider falls under the third category of a “data provider.”
Under the Final Rule, the largest depository institutions (defined to mean those that hold at least $250 billion in total assets) will have until April 1, 2026 to comply. Depository institutions with between $250 billion and $10 billion in total assets will have until April 1, 2027; those with between $10 billion and $3 billion in total assets have until April 1, 2028; those with between $3 billion and $1.5 billion in total assets have until April 1, 2029; and those with between $1.5 billion and $850 million in total assets have until April 1, 2030. Small depository institutions (i.e., those with $850 million or fewer in total assets) are exempt from the Final Rule.
Key Aspects of the Open Banking Rule
The Final Rule mandates that data providers must make available to consumers and authorized third parties (including data aggregators acting on behalf of an authorized third party), upon request, the most recently updated covered data in the data provider’s control or possession concerning a covered consumer financial product or service that the consumer obtained from the data provider. Access must be in electronic format that is usable by consumers and authorized third parties, and data providers cannot impose any fee or charge to consumers or third parties. The CFPB has stated that the purpose of this requirement is to encourage competition, while critics have stated that it will allow third parties to profit from consumer data at the expense of banks and other data providers.
“Covered data” is defined as:
- Transaction information, including historical transaction information in the control or possession of the data provider. A data provider is deemed to make available sufficient historical transaction information if it makes available at least twenty-four (24) months of such information. Examples of “transaction information” are amount, transaction date, payment type, pending or authorized status, payee or merchant name, rewards credits, and fees or finance charges.
- Account balance information.
- Information to initiate payment to or from a Regulation E account directly or indirectly held by the data provider. This includes an account and routing number that can be used to initiate an Automated Clearing House transaction. This does not include data providers that merely facilitate pass-through payments.
- Terms and Conditions, which is limited to data in agreements evidencing the terms of the legal obligation between a data provider and a consumer for a covered consumer financial product or service, such as data in the account opening agreement and any amendments or additions to that agreement, including pricing information. This includes the applicable fee schedule, any annual percentage rate or annual percentage yield, credit limit, rewards program terms, whether a consumer has opted into overdraft coverage, and whether a consumer has entered into an arbitration agreement.
- Upcoming bill information, which includes information about third party bill payments scheduled through the data provider and any upcoming payments due from the consumer to the data provider.
- Basic account verification information, which is limited to the name, address, email address, and phone number associated with the covered consumer financial product or service. If a data provider directly or indirectly holds a Regulation E or Regulation Z account belonging to the consumer, the data provider must also make available a truncated account number or other identifier for that account.
“Covered consumer financial product” means a consumer financial product or service, as defined in 12 U.S.C. 5481(5), that is:
- A Regulation E account, which means an account, as defined in Regulation E, 12 CFR 1005.2(b);
- A Regulation Z credit card, which means a credit card, as defined in Regulation Z, 12 CFR 1026.2(a)(15)(i); or
- Facilitation of payments from a Regulation E account or Regulation Z credit card, excluding products or services that merely facilitate first party payments. For purposes of the Final Rule, a first party payment is a transfer initiated by the payee or an agent acting on behalf of the underlying payee. First party payments include payments initiated by loan servicers.
Data providers are required to maintain both a consumer interface and a developer interface and make covered data available via both a standardized and machine-readable format.
Data providers will also need to establish and maintain written policies and procedures that are reasonably designed to achieve the objectives set forth in the Final Rule. In addition, the Final Rule further establishes how personal financial information may be accessed, what safety and security and other grounds may disallow access to personal financial data, which costs will be borne by data providers, and how regulatory compliance standards will be determined by private standards developers rather than the CFPB.
With respect to third parties, the Final Rule provides that a third party may only collect, use, or retain information received from the data provider that is reasonably necessary to provide the product or service requested by the consumer, which excludes targeted advertising and cross-selling. The Final Rule also contains a three-part authorization procedure that a third party must complete to become an authorized third party, and the consumer’s authorization must be renewed after one year. Third parties are further required to certify that they have written policies for data accuracy, apply an information security program in line with the Gramm-Leach-Bliley Act (“GLBA”) Safeguards Framework, and provide consumers with copies of authorization disclosures and a method to revoke consent.
Legal Challenges and Criticisms
On the same day that the CFPB issued the Final Rule, the Bank Policy Institute filed a lawsuit in federal court challenging aspects of the CFPB's rulemaking and alleging that the CFPB acted outside of its statutory authority. The complaint asks the court to set aside the Final Rule in its entirety pursuant to the Administrative Procedure Act, and to enter an order permanently enjoining the CFPB from enforcing the Final Rule.
Other industry groups have been similarly critical of the Final Rule. Many have voiced the opinion that the CFPB was mistaken in not sunsetting the practice of “screen scraping” in the Final Rule. Screen scraping is a method whereby third parties or data aggregators collect data from a website or application by using consumer credentials to log into consumer accounts. Others also object to the compliance deadlines. While such dates have been extended from the deadlines in the proposed rule, many claim that the extended deadlines will still be difficult for organizations to meet, given that qualified industry standards have not yet been set by any recognized standard-setting body.
Preparing for Compliance
In the meantime, financial institutions should begin assessing their data systems and capabilities to ensure that consumer requests can be answered as the Final Rule requires, in the event the Final Rule ultimately survives the legal challenges. It is also important to create written policies and procedures that ensure accurate data sharing, together with robust record retention, in order to demonstrate a financial institution’s compliance with the Open Banking Rule. Early preparation is key to meeting the applicable deadlines if the court determines that the Final Rule shall stand.
Conclusion
Through promulgation of the Final Rule, the CFPB intends to give consumers greater rights, privacy, and security over their financial data. However, there is great concern in the industry regarding unintended consequences of the Open Banking Rule. While the lawsuit that has been filed plays out, it is prudent for financial institutions subject to the Final Rule to take note of the January 17, 2025 effective date and to begin working through the systems and policy changes needed to meet their applicable compliance date.
This advisory is a general overview of the Open Banking Rule and is not intended as legal advice. The Final Rule is very detailed and should be reviewed in its totality. If you have any questions about the Open Banking Rule, please feel free to contact Joseph D. Simon at (516) 357-3710 or via email at jsimon@cullenllp.com, Elizabeth A. Murphy at (516) 296-9154, or via email at emurphy@cullenllp.com, David Curatolo at (516) 357-3733 or via email at dcuratolo@cullenllp.com, or Gabriela Morales at (516) 357-3850 or via email at gmorales@cullenllp.com.