Federal Reserve Bank of Atlanta

10/07/2024 | Press release | Distributed by Public on 10/07/2024 10:35

Are You Ready for Open Banking and the Proposed CFPB Rule?

Consumer financial data is the foundation of payments, investments, and loans that, when used safely, can support a well-functioning and inclusive economy. Think of open banking as permissioned access to personal financial data. Consumers can authorize third parties to retrieve their information to transform it into useful services. Examples of this include payments and budgeting apps. My colleague, Chris Colson, recently wrote about pay by bank, a payment method that uses open banking technology. The data shared typically includes transaction account details.

This kind of data sharing currently lacks a solid framework to formally address who can be granted access to consumer data, and under what terms. In October 2023, the Consumer Financial Protection Bureau (CFPB) proposed a rule, authorized by section 1033 of the Consumer Financial Protection Act of 2010 (or Dodd-Frank Act), that would give consumers more control over their financial data. The Personal Financial Data Rights rule would also grant third-party access to consumer data. The CFPB is expected to finalize the rule later this fall.

Key points in the proposed rule:

  • Depository financial institutions and nonbank financial service providers would be required to make available to consumers and authorized third parties certain data relating to consumers' transactions and accounts. Covered data and products would include those under Regulation E for financial accounts and Regulation Z for credit cards.
  • Obligations would be established for third parties accessing a consumer's data through an open banking partnership, including important privacy protections for that data. Impacted parties include financial institutions, credit card issuers, fintechs, data aggregators, and some payment facilitators.
  • Basic standards for data access would be provided, like requiring banks to share data via application programming interfaces. Data would need to be provided in an electronic format that's accessible to both consumers and authorized third parties. The developer interface would have to satisfy additional standardized format, performance, and security requirements set forth in the proposed rule.

Besides financial institutions, there is another cohort that should be paying attention to the proposed rule. Payments and fintech firms often seek guardrails on how to innovate safely. They are especially interested in standards that are industry-specific. The new rule and resulting standards aim to help create those guardrails for the industry. Furthermore, the rule seeks to promote fair and inclusive innovation that could stimulate competition and better products in the long run.

The proposed rule is focused on the access rights. Meanwhile, the CFPB is working with the industry to develop standards. Standards are an integral part of making section 1033 a success. In June 2024, the CFPB issued a rule that outlines the attributes that a standard-setting body must possess in order to receive CFPB recognition. It also establishes a comprehensive set of standards when the full rule is finalized. The goal is that standards adopted by CFPB-recognized standard-setters might be used to facilitate the implementation of section 1033. As we await the new standards, those interested in general banking and fintech risk management perspectives might also be interested in reading Third-Party Risk Management: A Guide for Community Banks, published by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency.

By Lali Shaffer, director, Atlanta Fed Payments Forum