CFPB Finalizes Long-Awaited Rule to Accelerate Open Banking Development; Immediately Sued

On October 22, 2024, the Consumer Financial Protection Bureau (CFPB) finalized a rulemaking on Personal Financial Data Rights (the “Final Rule”). The Final Rule is intended to accelerate a shift towards open banking in the United States, with the goals of reducing financial institution lock-in, improving consumers’ access to financial services on competitive terms, and enabling new functionality through increased access to consumers’ personal financial data. However, certain stakeholders have questioned whether the Final Rule will be effective, or whether it does enough to protect the interests of all stakeholders involved, particularly given its implementation and the ongoing costs of providing the level of access required by the Final Rule. Within hours of the Final Rule’s release, two trade groups filed a lawsuit to challenge the Final Rule on the grounds that it exceeds the CFPB’s rulemaking authority.

Background

Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act states that, “[s]ubject to rules prescribed by the Bureau, a covered person shall make available to a consumer, upon request, information in the control or possession of the covered person concerning the consumer financial product or service that the consumer obtained from such covered person, including information relating to any transaction, series of transactions, or to the account including costs, charges and usage data.”

Although Section 1033 was enacted in 2010, its authorities remained largely dormant pending the rulemaking required by the statute. In the 14 years since its enactment, the CFPB took several preliminary steps to implement Section 1033, such as issuing requests for information and an advance notice of proposed rulemaking. In October 2023, the CFPB proposed rules to implement Section 1033, as we discussed in our Legal Update on the October 2023 proposal. Despite having received more than 11,000 comments on the October 2023 proposal, the Final Rule is similar tothe proposal.

Who would be required to comply with a final rule?

As in the proposal, the Final Rule imposes obligations and restrictions on three types of parties: data providers, authorized third parties and data aggregators.

• Data providers are card issuers, financial institutions or other entities that control or possess information concerning a covered consumer financial product or service that the consumer obtained from the data provider. Although Section 1033 by its terms applies to all consumer financial products or services under the Dodd-Frank Act,¹ the Final Rule initially limits the scope of covered consumer financial products or services (and thus, entities that are considered data providers) to (i) Regulation E accounts (e.g., consumer checking and savings accounts, certain prepaid accounts (including certain digital wallets that hold funds) and other consumer asset accounts); (ii) Regulation Z credit cards (e.g., traditional consumer credit cards, as well as other products treated as credit cards under CFPB interpretations, such as buy now, pay later digital user accounts); and (iii) payment facilitation services from a Regulation E account or a Regulation Z credit card, excluding products or services that merely facilitate first party payments. The CFPB notes the initial scope of coverage is intended to prioritize some of the most beneficial use cases of personal financial data access; however, the CFPB intends to extend coverage to other consumer financial products and services, which include products such as mortgage, auto and student loans, in future rulemakings.
• In a change from the proposal, the Final Rule excludes depository institutions that hold $850 million or less in total assets. This is a deviation from the proposal’s exclusion for depository institutions without a consumer interface. While more than 3,000 banks (and many credit unions) have less than $850 million in assets, this affects only the smallest of institutions, many of whom are too small to be of interest to most authorized third parties and data aggregators.
• Authorized third parties are third parties that have satisfied the authorization requirements under the Final Rule and are thus permitted to access covered data on behalf of a consumer. This definition of “authorized third party” includes more than just open banking platform operators; it covers any party that uses the developer interface to obtain covered data for any purpose (including, e.g., to verify an account or for credit underwriting).
• Data aggregators are entities that are retained by authorized third parties as service providers to assist with accessing covered data on behalf of a consumer. An example of a data aggregator would be a company that provides a platform with a single API for authorized third parties, and that connects to APIs established by myriad data providers. This allows the authorized third party to connect to a single API to access covered data from a broad range of data providers.

What kinds of data must be made available?

A data provider is required to make covered data available to a consumer and to an authorized third party. Under the Final Rule, covered data means, as applicable:

• Transaction information, including at least two years of historical transaction information;
• Transaction information includes amount, date, payment type, pending or authorized status, payee or merchant name, rewards credits, and fees or finance charges.
• Transaction information must include transactions—including pending debit card, credit card, and bill payment transactions—that have been authorized, but have not yet settled.
• The consumer’s account balance;
• Information to initiate payment to or from a Regulation E account, which may be a tokenized account and routing number to initiate an ACH transaction;
• Terms and conditions of the account, limited to data in agreements evidencing the terms of the legal obligation between a data provider and a consumer;
• Terms and conditions include the applicable fee schedule, any annual percentage rate or annual percentage yield, rewards program terms, whether a consumer has opted into overdraft coverage, and whether a consumer has entered into an arbitration agreement.
• Upcoming bill information, including information about third-party bill payments scheduled through the data provider and any upcoming payments due from the consumer to the data provider; and
• Basic account verification information, limited to the name, address, email address, phone number associated with the product or service and certain account-identifier information in situations where a data provider directly or indirectly holds a Regulation E or Regulation Z account.

In providing covered data, the data provider must make available the most recently updated data that it has at the time of a request (including, as discussed above, information regarding authorized, but not yet settled, transactions).

Data providers are not required to make the following types of information available:

• Confidential Commercial Information: Data Providers are not required to share “confidential commercial information.” This includes algorithms used to derive credit scores or other types of risk scores. It does not include any information about the consumer or the account covered by the definition of “covered data.”
• AML Information: Data providers are not required to share “information collected for the sole purpose of preventing fraud or money laundering, or for detecting or reporting other potentially unlawful conduct.”
• The words “sole purpose” are key. Information captured by the data provider for multiple purposes (e.g., identifying information about the customer) will not be excluded simply because the information is also used for AML-related purposes.
• Confidential Information Under Applicable Law: Data providers are not required to share information required to be kept confidential under other applicable law.
• This restriction does not include information about the consumer, which is subject to privacy protections restricting disclosure.
• Information Not Retrievable in the Ordinary Course of Business: Data providers are not required to share information that is not retrievable in the ordinary course of business.
• In the preamble to the Final Rule, the CFPB noted that historical terms and conditions stored as image files by the data provider, which may require “extraordinary, manual effort” to collect and translate the relevant information into machine-readable form, could fall within the exception.

How must data providers enable access to data?

Data providers are required both to maintain consumer interfaces (e.g., online banking), as well as to establish and maintain developer interfaces (e.g., application programming interfaces, or APIs) through which the data provider receives, and responds, to requests from authorized third parties. For specific requests, data providers must also make available machine-readable files containing covered data suitable for loading into a consumer or authorized third party’s own systems. Data providers are prohibited from charging fees to either consumers or authorized third parties to access the interfaces.

In addition to providing standardized access to covered data, developer interfaces must meet certain minimum performance standards, such as thresholds for response times and downtime, and must be covered by an information security program that satisfies the Gramm-Leach-Bliley Act’s Safeguards Framework (for financial institutions subject to the Gramm-Leach-Bliley Act (GLBA) or the FTC’s Safeguards Rule (for entities not subject to the GLBA). Data providers are required to establish and maintain reasonable written policies and procedures, appropriate for the size, nature and complexity of the data provider’s activities, to achieve the objectives of the Final Rule.

Cybercriminals could exploit the access required by the Final Rule to steal consumer data. Before producing covered data to a third party, data providers must receive sufficient information to authenticate the consumer, but that authenticating information may be provided by the third party. Data providers are permitted to ask consumers to confirm the scope of third-party access to their data, but they are not required to do so, nor does the Final Rule require data providers to vet third parties. Modern cybercrime organizations have the ability to create millions of individualized, high-quality fake documents. Based upon other cybercrime examples, there is a concern that criminal organizations could flood data providers with fraudulent requests for data that are supported by fake documentation. Distinguishing real requests from fake requests will be a major challenge, and the Final Rule is vague as to how data providers can resolve the tension between providing third parties with the level of access required by the Final Rule and managing the cybersecurity risks posed by such access.  

What restrictions apply to third parties’ access to and use of the data?

For a third party to become an authorized third party capable of accessing covered data on behalf of a consumer, it must first obtain the consumer’s “express informed consent” by obtaining a signed authorization disclosure (which may be electronic) that is clear, conspicuous and segregated from other materials, and which provides:

• The names of the third party and the data provider for which access is sought, which must be “readily understandable” by the consumer;
• A description of the service to be provided by the third party, and the categories of data that will be accessed;
• A certification that the third party will comply with specific obligations (discussed below) related to collection, use and retention of data, access to data, data accuracy and data security; and
• A description of the process through which the customer can revoke the third party’s access.

Authorized third parties are subject to a number of obligations related to their access to covered data on behalf of a consumer, including:

• Restrictions on collection, use and retention. Authorized third parties must limit collection, use and retention of covered data only to what is reasonably necessary to provide the requested product or service (i.e., the service identified in the authorization disclosure). In particular, authorized third parties are prohibited from using covered data for targeted advertising or cross-selling or from selling covered data unless that is the requested product or service. Authorized third parties are required to limit collection, use, or retention of covered data to one year—subject to annual reauthorization by the consumer—and to no longer use or retain information after authorization expires and there is no renewal.
• Requirements to ensure data accuracy. Authorized third parties must maintain policies and procedures to ensure that the authorized third party accurately receives data from data providers and that any data relayed to another third party is done so accurately.
• Information security requirements. Systems for the collection, use or retention of covered data must be covered by an information security program that satisfies the GLBA Safeguards Framework (for financial institutions subject to the GLBA) or the FTC’s Safeguards Rule (for entities  not subject to the GLBA).
• Communication requirements. Authorized third parties must ensure that the consumer is informed of the status of their authorization. An authorized third party must make available to the third party a copy of the authorization disclosure, provide contact information for the third party in case the consumer has questions, and, upon request, provide specific information regarding the third party’s collection and use of the consumer’s information.
• Revocation requirements. Authorized third parties must provide a means for the consumer to easily revoke the third party’s access to covered data and, upon such revocation, must (i) notify the data provider and any data aggregator or other third-party recipients of covered data, and (ii) no longer collect, use or retain covered data under the prior authorization.

As with data providers, authorized third parties are required to maintain reasonable written policies and procedures to ensure compliance with certain requirements, including ensuring data accuracy, responding to consumer information requests and retaining records to evidence compliance with the Final Rule.

Where an authorized third party uses a data aggregator to assist in accessing covered data, the data aggregator must be disclosed in the authorization disclosure, and the data aggregator must comply with the conditions and obligations described above. Notwithstanding the involvement of a data aggregator, the authorized third party remains responsible for compliance.

How does the rule incorporate (or seek to establish) consensus standards?

Notably, the Final Rule does not set forth detailed technical standards for compliance. The CFPB acknowledged that providing such detailed standards would not be able to keep pace with changes in the market and technology. Instead, the Final Rule leans on compliance with consensus standards to satisfy certain requirements (e.g., the requirement to provide covered data in a standardized format), or to provide indicia that a requirement has been satisfied (e.g., whether performance is commercially reasonable). This aligns with the CFPB’s final rule on consensus standards recognition.²

Additionally, the Final Rule in certain situations establishes fairly specific minimum thresholds for compliance, regardless of consensus standards. For example, although the Final Rule provides that a developer interface must have commercially reasonable performance, the CFPB states that this means it must have a response rate equal to or greater than 99.5% in each calendar month.

Will the Final Rule end the practice of screen scraping?

Maybe. The Final Rule is intended to establish a system for open banking platforms to access consumer account information as an alternative to screen scraping. But the Final Rule stops short of actually prohibiting open banking platforms (or other parties) from using screen scraping to access consumer account information.

Some commenters urged the CFPB to prohibit screen scraping in the Final Rule, but the CFPB decided that this was “unnecessary.” First the CFPB noted that the Final Rule imposes “limitations on the collection, use, and retention of covered data that third parties could not feasibly meet through screen scraping.” (However, these limitations apply only if the platform accesses the data as an authorized third party; if a party accessed the data through screen scraping, it arguably would not be an “authorized third party” for purposes of the Final Rule.) Second, the CFPB suggested that it “might well” be an unfair, deceptive or abusive act or practice  for a party to use screen scraping if a safer alternative is available. While parties that use screen scraping should note this ominous statement, it falls far short of prohibiting screen scraping.

The CFPB also stated in the preamble to the Final Rule that the Final Rule has no impact on the practice of screen scraping for consumer accounts not subject to the Final Rule, such as mortgage or other non-credit card loan accounts.

When must a covered person comply with the rule?

Data providers will be required to comply with its requirements on a staggered schedule based on asset and revenue thresholds and whether the data provider is a depository institution or a nondepository institution. Compliance would be required by:

• April 1, 2026, for depository institutions that hold at least $250 billion in assets or for nondepository institutions that generated at least $10 billion in revenues in 2023 or 2024;
• April 1, 2027, for depository institutions that hold between $10 billion and $250 billion in assets and for all other nondepository institutions;
• April 1, 2028, for depository institutions that hold between $3 billion and $10 billion in assets;
• April 1, 2029, for depository institutions that hold between $1.5 billion and $3 billion in assets; and
• April 1, 2030, for depository institutions that hold between $850 million and $1.5 billion in assets.

What are the next steps?

Within hours after the Final Rule’s release, the Bank Policy Institute, Kentucky Bankers Association, and a local bank filed a lawsuit to invalidate the Final Rule. As long as that lawsuit remains pending, market participants should consider the possibility that the Final Rule will be delayed or invalidated.³ Therefore, it may be appropriate to begin planning for compliance, but not expend significant funds or redesign existing systems until the outcome of the case is apparent. That being said, the outcome of the litigation might remain uncertain past the point that covered persons will need to begin compliance implementation in earnest to meet compliance deadlines.

 

---

 

¹ 12 U.S.C. § 5533(a).

² In June 2024, the CFPB finalized part of the proposal by establishing the attributes a standard-setting body must possess to receive CFPB recognition for purposes of issuing consensus standards, as well as establishing the application process for CFPB recognition.

³ Additionally, if former President Donald Trump is elected in November, then a future CFPB director could  consider rescinding the Final Rule, in the same manner that the Office of the Comptroller of the Currency rescinded the Community Reinvestment Act final rule following President Joe Biden’s inauguration.