CFPB finalizes so-called Open Banking Rule

10/23/24

The Consumer Financial Protection Bureau (CFPB) this week released the final rule implementing Section 1033 of the Dodd-Frank Act, which mandates that banks and other financial institutions provide consumers with access to their financial information or share it with a third party at the consumer's direction. The rule also prohibits third parties from using consumer data for unsolicited product advertising and requires businesses to delete personal information once customers revoke their data access permissions.

Initially proposed last year, this rule aims to advance the U.S. toward an "open banking" system, allowing customers to share and access data related to their bank accounts, credit cards, and other payment products with fewer restrictions. One notable change from the original proposal is that coverage under the final rule depends on the total assets held by a data provider. Institutions holding $850 million or less in assets are exempt from the rule’s requirements.

Compliance dates for the rule vary by the size of the institution. Institutions with at least $250 billion in total assets and nondepository institutions with at least $10 billion in total receipts in 2023 or 2024 must comply by April 1, 2026. Institutions with at least $10 billion in assets that did not generate $10 billion in receipts must comply by April 1, 2027. Institutions with at least $3 billion in assets have until April 1, 2028, and those with at least $1.5 billion must comply by April 1, 2029. Finally, institutions holding more than $850 million in assets must comply by April 1, 2030.

Upon release of the final rule, the Bank Policy Institute and Kentucky Bankers Association filed a lawsuit against the CFPB, challenging the rule’s provisions. The lawsuit, filed in U.S. District Court in Lexington, KY, argues that the CFPB exceeded its statutory authority and that the rule threatens consumer privacy, data security, and the integrity of bank accounts. The lawsuit outlines several key issues, including:

  • Lack of oversight for third parties accessing bank customer data.
  • Increased fraud risks due to weak safeguarding practices.
  • The continued use of unsafe practices like screen scraping.
  • Insufficient accountability for third parties handling consumer data.
  • Unfair costs imposed on banks while third parties profit from systems built by banks.
  • An unreasonable implementation timeline without established compliance standards.

The OBL has voiced its opposition to Section 1033, citing concerns that the rule does not provide adequate oversight for third parties. The rule treats sensitive financial data with minimal care, similar to how web browsing history is handled. Without proper safeguards, the rule could allow technology companies to access highly sensitive information, including account balances and transaction histories, without appropriate privacy concerns or regulatory supervision.