CFPB Issues Final “Open Banking” Rule Requiring Covered Entities to Provide Consumers Access and Transferability of Financial Data

by Jarryd Anderson, Jessica S. Carey, John P. Carlin, Roberto J. Gonzalez, Brad S. Karp, and Kannon Shanmugam

Top Left to Right: Jarryd Anderson, Jessica Carey, and John Carlin. Bottom Left to Right: Roberto Gonzalez, Brad Karp, and Kannon Shanmugam. (photos courtesy of Paul Weiss)

On October 22, 2024, the Consumer Financial Protection Bureau (“CFPB” or “Bureau”) published a 594-page Notice of Final Rulemaking for its “Personal Financial Data Rights” rule, commonly known as the “Open Banking” rule, which will require covered entities—generally, providers of checking and prepaid accounts, credit cards, digital wallets, and other payment facilitators—to provide consumers and consumer-authorized third parties with access to consumers’ financial data free of charge.[1] Covered entities are required to comply with uniform standards to provide access to this financial data through consumer and developer interfaces.[2] The rule imposes requirements on authorized third parties (such as fintechs), as well as data aggregators that facilitate access to consumers’ data, including required disclosures to consumers regarding the third parties’ use and retention of the requested data and a requirement that the data only be used in a manner reasonably necessary to provide the requested product or service (thus foreclosing selling the data or using it for targeted advertising or cross selling purposes).[3]

The final rule is the latest step in a lengthy process that the CFPB has engaged in to develop its policy around section 1033 of the Dodd-Frank Act, which became law more than a decade ago. The CFPB released and received comments on a request for information on consumer rights to access financial data in 2016; released principles around data sharing in 2017; and then held a symposium, released a summary of proceedings, and released and received comments on an Advance Notice of Proposed Rulemaking in 2020.[4] It then issued an outline for the Small Business Regulatory Enforcement Fairness Act (“SBREFA”) process in October 2022, inviting other stakeholders to submit feedback on the outline by January 25, 2023.[5] The CFPB also issued CFPA section 1022(c)(4) market monitoring orders to data aggregators and large data providers to collect information related to personal financial data rights in January 2023.[6] Following an SBREFA panel, the CFPB issued an SBREFA panel report in April 2023 and the proposed rule in late October 2023.[7] CFPB staff also met with staff from a wide variety of boards and agencies before and after issuing the proposal.[8]

Below, we provide a high-level overview of the final rule and offer some observations.

Key Requirements Under the Final Rule

Covered Entities, Consumer Financial Products, and Data

The final rule provides that an entity is a covered data provider if it “controls or possesses covered data concerning a covered consumer financial product or service that the consumer obtained from the data provider.”[9] Covered consumer financial products are Regulation E accounts, Regulation Z credit cards, and other services that facilitate payments from such cards and accounts, “excluding products or services that merely facilitate first party payments.”[10] A first party payment is “a transfer initiated by the payee or an agent acting on behalf of the underlying payee,” such as a payment “initiated by a loan servicer.”[11] Covered data include account balance information and at least 24 months of transaction information, information allowing the third party to initiate payments to or from the Regulation E account held by the data provider, terms and conditions of the financial product or service (such as applicable fee schedules or credit limits), upcoming bill information (such as the minimum amount due on the data provider’s credit card billing statement or scheduled payments to third parties), and basic account information.[12] Exceptions from covered data apply for confidential commercial information, information collected only to prevent or report unlawful conduct like fraud or money laundering, information required by law to be kept confidential, and information that the data provider cannot retrieve in the ordinary course of business.[13]

Maintaining Consumer and Developer Interfaces

The final rule requires covered data providers to maintain consumer and developer interfaces that produce requested consumer data in a standardized, machine-readable format that can be retained and transferred to a different information system.[14] Although the Bureau rejected screen scraping as a method for data providers to fulfill their obligations to supply covered data, the final rule does not expressly prohibit screen scraping.[15] For developer interfaces (often application programming interfaces or “APIs”), the final rule requires that the interface’s performance be commercially reasonable, including a 99.5% minimum response rate to requests.[16] Data providers may set reasonable access caps[17] and may deny requests for data when denial is reasonable, such as when granting a third party access to financial data would be inconsistent with safety and security standards.[18] When defining reasonableness under different provisions of the rule, the Bureau frequently refers to compliance with consensus standards, which are standards to be set by CFPB-recognized standard-setting bodies, as one indicator. The CFPB established the “minimum attributes” a standard-setting body must have to obtain CFPB recognition for purposes of issuing consensus standards in a final rulemaking on June 5, 2024.[19] The Financial Data Exchange and the Digital Governance Standards Institute have each submitted applications for standard-setter recognition.[20]

Third Party Data Use Restrictions and Authorization Procedures

The rule also requires third parties that retrieve financial data on behalf of consumers to comply with certain authorization procedures, including additional requirements when third parties use data aggregators. Third parties may use consumer financial data only for practices that are part of, or reasonably necessary to provide, the product or service requested by the consumer—specifically, selling the data or using it for targeted advertising or cross selling purposes is not reasonably necessary to any other product or service.[21] Third parties must certify that they will comply with the limitations on collection, use, and retention imposed on them by the rule; that they will employ certain data security and privacy measures; and that they will ensure that consumers are aware of both the third party’s authorized access and the consumers’ ability to revoke authorization.[22] Third parties must obtain consumers’ express consent via an authorization disclosure form signed electronically or in writing.[23] The authorization disclosure form must identify the relevant parties; describe the consumer’s requested product or service, categories of consumer data to be accessed, and the expected duration of the data collection; and describe the mechanism for revoking authorization.[24] If a data aggregator will be used, the disclosures to the consumer must include the name of the data aggregator, and the data aggregator separately must certify to the consumer that it will comply with the requirements for authorized third-party access to consumer financial data.[25] Data aggregators may perform these third-party authorization procedures on behalf of the third party, but the third party bears the ultimate responsibility for compliance with authorization procedures.[26]

Compliance Timeline

The rule establishes a five-tiered compliance timeline for covered data providers based on total asset holdings for depository institutions and total receipts for nondepository institutions.[27] Compared to the proposed rule, the final rule extends the compliance deadlines for all covered entities. The first compliance date, which applies to the largest bank and non-bank covered entities, is April 1, 2026. The rule sets out later deadlines for smaller institutions grouped into tiers according to total assets or total receipts, and it exempts depository institutions with assets of less than $850 million.[28]

Detailed summaries of the rule for each of the above sections are available here.

Observations

The final rule is one of the CFPB’s most ambitious regulatory initiatives and, once implemented, will alter the dynamics among different types of consumer financial service providers in the years to come. The rule is expected to create significant burdens on covered entities, while also creating commercial opportunities for a number of companies (including some of those same covered entities) to make greater use of consumer-permissioned financial data. Though the Bureau received comments requesting modifications and clarification from many stakeholders, the final rule retains several controversial elements, including:

  • Prohibition on fees for maintaining developer interfaces and responding to requests for covered data;
  • Coverage of entities that “facilitate” payments (the Bureau also declined to add an express exclusion for online marketplaces);
  • Lack of an unequivocal screen scraping prohibition; and
  • Allowance for reasonable data access caps for requests on developer interfaces.

Some notable differences between the proposed rule and the final rule include:

  • Exemption for depository institutions that have total assets under $850 million (this exemption replaced an exemption in the proposed rule for depository institutions that did not have a consumer interface by the compliance date);
  • Exemption of facilitation of first party payments from covered products or services; and
  • Extension of the compliance deadlines for all data providers.

Some critics of the rule say it does not do enough to protect consumer privacy, fails to address fraudulent or unsafe third-party activity sufficiently, and burdens financial institutions with costs that should be shared by third parties. On the same day the final rule was published, the Bank Policy Institute and Kentucky Bankers Association filed a lawsuit in the U.S. District Court for the Eastern District of Kentucky challenging the rule. The plaintiffs claim, among other things, that the rule exceeds the Bureau’s statutory authority, which they say covers only disclosure of data to consumers and not disclosures to third parties as defined broadly by the rule.[29] The plaintiffs also fault the rule for requiring covered entities to provide consumer financial data to less regulated third parties and failing to articulate principles for apportioning liability for data mishandling.[30]

Implementation and enforcement of the rule also may be stymied by the change in administration. A Trump CFPB may revisit a number of the agency’s recent policy actions. The rule also could be challenged under the Congressional Review Act.

Despite uncertainty surrounding the rule, banks and nonbanks should undertake a review to determine which of their products and services are covered under the final rule, and they should pay special attention to the “facilitation” prong, whose application may not be clear in certain circumstances. Covered entities will then need to plan the operations and systems changes necessary to comply with the rule. They will also need to build out new compliance procedures and processes, including appropriate methods for evaluating third parties seeking access to consumer data, in a way that limits security and other risks. Third parties that expect to access consumer data will likewise need to adjust their operations and systems, and build compliance procedures, to comply with the requirements of the final rule. Adding to this complexity, the upcoming change in administration and recently filed lawsuit challenging the rule increase the uncertainty around the rule’s timing and ultimate implementation.

Footnotes

[1] The Notice of Final Rulemaking is available here.

[2] Final Rule § 1033.301(a).

[3] Final Rule §§ 1033.421, 1033.431.

[4] Preamble to the Final Rule, p. 16. See also Preamble to the Proposed Rule, pp. 182–183; CFPB, CFPB Outlines Principles for Consumer-Authorized Financial Data Sharing and Aggregation (Oct. 17, 2023), available here.

[5] Preamble to the Final Rule, p. 16; see also Preamble to the Proposed Rule, p. 24.

[6] Preamble to the Final Rule, p. 16; see also Preamble to the Proposed Rule, p. 25.

[7] For in-depth analysis of the proposed rule, see our memorandum discussing the proposed rule, available here.

[8] Preamble to the Final Rule, p. 17.

[9] Final Rule § 1033.111(a).

[10] Final Rule § 1033.111(b). See also 12 U.S.C. 5481(5); 12 CFR 1005.2(b); 12 CFR 1026.2(a)(15)(i).

[11] Final Rule § 1033.111(b).

[12] Final Rule § 1033.211.

[13] Final Rule § 1033.221.

[14] Final Rule § 1033.301(b).

[15] Preamble to the Final Rule, p. 165.

[16] Final Rule § 1033.311(c). The relevant performance specifications include: response rate and time; total amount of scheduled and unscheduled downtime; and the amount of advance notice for scheduled downtime. Id.

[17] Final Rule § 1033.311(d).

[18] Final Rule § 1033.321(a).

[19] CFPB, Required Rulemaking on Personal Financial Data Rights; Industry Standard Setting (June 05, 2024), available here.

[20] See CFPB, Applications for open banking standard setter recognition (Last visited Oct. 28, 2024), https://www.consumerfinance.gov/personal-financial-data-rights/applications-for-open-banking-standard-setter-recognition/.

[21] Final Rule § 1033.421(a)(2).

[22] Final Rule § 1033.421.

[23] Final Rule § 1033.421(g).

[24] Final Rule § 1033.411(b).

[25] Final Rule § 1033.431(b) and (c).

[26] Final Rule § 1033.431(a).

[27] Final Rule § 1033.121.

[28] Final Rule § 1033.111(d).

[29] Bank Policy Institute, Banks Challenge CFPB Rule Jeopardizing Security and Privacy of Consumer Financial Data (Oct. 22, 2024), available here.

[30] Id.

Jarryd Anderson, Jessica S. Carey, John P. Carlin, Roberto J. Gonzalez, Brad S. Karp, and Kannon Shanmugam are Partners at Paul, Weiss, Rifkind, Wharton & Garrison LLP. Associate Max H. Siegel and Law Clerks Naji Alabed and Josh Stallings contributed to this article. A longer version of this article was originally posted on the firm’s website.

The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).