About a year after issuing a Notice of Proposed Rulemaking on Personal Financial Data Rights, on October 22, 2024, the Consumer Financial Protection Bureau (“CFPB”) issued a final rule (the “Rule”) under Section 1033 of the Consumer Financial Protection Act of 2010 (“CFPA”). The Rule, also referred to as the “open banking rule,” implements Section 1033 by giving consumers a right to request their consumer financial information from a covered entity and to be able to authorize certain third parties to access the information. Covered data that must be made available upon request includes consumer transactional data, payroll data, credit reporting data, retirement and investment balances, payment information and more.
According to the CFPB, the Rule is meant to promote fair, open, and inclusive industry standards that help people get more competitive and affordable credit. In recent prepared remarks, CFPB Director Rohit Chopra commented, “To make our banking and payments market more competitive, it needs to be open and decentralized using a common set of data standards, free of powerful gatekeepers and middlemen that can impose private regulations and extract fees.”
Banks, credit unions, and other financial service providers are required to make consumers’ data available upon request in a secure, timely, and reliable manner. The Rule establishes basic standards for data access interface requirements. Covered entities must share data with consumers and authorized third parties through secure application programming interfaces (“APIs”) that meet prescribed security standards. The data providers must develop, establish, and maintain the APIs at their own cost. Covered entities are also prohibited by the Rule from charging consumers or authorized third parties a fee to cover any of the costs.
The Rule also establishes obligations for third parties accessing a consumer’s data on the consumer’s behalf, including important privacy protections. When a consumer authorizes a third party to access their data, that third party may act only on behalf of the consumer and may not act as a service provider to the financial institution that holds the consumer data. Consumers may limit the duration of a third party’s access to their data and require that the data be deleted if the consumer’s authorization to access the information expires or is revoked by the consumer.
The Rule establishes a timeline of staggered compliance dates based on the size of the provider. Larger providers are subject to the Rule sooner. Data providers must comply with the requirements in subparts B – Making Covered Data Available and C – Data Provider Interfaces; Responding to Requests by the dates indicated below:
April 1, 2026: depository institutions with at least $250 billion in total assets and non-depository data providers that generated at least $10 billion in total receipts in 2023 or 2024.
April 1, 2027: depository institutions with at least $10 billion but less than $250 billion in total assets and non-depository data providers that generated less than $10 billion in 2023 or 2024.
April 1, 2028: depository institutions with at least $3 billion but less than $10 billion in total assets.
April 1, 2029: depository institutions with at least $1.5 billion but less than $3 billion in total assets.
April 1, 2030: depository institutions with less than $1.5 billion but more than $850 million in total assets.
The CFPB has excluded depository institutions with less than $850 million in total assets from coverage under the Rule, but states that it will continue to monitor market conditions and engage with providers to determine if changes to the Rule’s coverage are warranted.
Specific data standards that must be met by providers have not yet been established. The Rule provides that several requirements will be assessed using “consensus standards” established by standard-setting organizations. An appendix to the Rule provides instructions for how a standard-setting organization may apply to be accredited by the CFPB to help develop industry standards. To date, the CFPB has published two applications of organizations seeking accreditation, but no organizations have yet been approved. Standards established under the Rule are expected to evolve over time as technology and the market change. The CFPB has indicated that it intends to issue additional guidance and advisory opinions as needed to advance implementation of the Rule.