Skip to main content
close search
site logo

CFPB issues final rule on open banking

Payment apps are included in the data-control rule, in a change from last year’s proposal. Banks and credit unions with less than $850 million in assets are exempt.

Published Oct. 22, 2024
Dan Ennis's headshot
Senior Editor
Consumer Financial Protection Bureau Director Rohit Chopra testifies before the Senate Banking, Housing and Urban Affairs Committee April 26, 2022 in Washington, DC.
Consumer Financial Protection Bureau Director Rohit Chopra on April 26, 2022 in Washington, DC. Win McNamee via Getty Images

The Consumer Financial Protection Bureau on Tuesday issued its long-awaited final rule on open banking — with a major tweak.

The rule would require financial institutions, credit card issuers and other firms to transfer personal financial data to other providers for free at the consumer’s request. But while last year’s proposal applied to data linked to bank accounts, credit cards and mobile wallets, Tuesday’s final rule applies to payment apps, too.

Rules surrounding the transfer of financial data, such as transaction records and information needed to initiate payments, are meant to ensure consumers maintain control of their banking history if they switch from one financial institution to another.

The CFPB asserts the greater freedom of movement will boost competition by helping consumers comparison-shop to earn higher interest on deposits or get loans with lower interest rates. That, in turn, will jolt providers into offering better products, the agency argued.

“Too many Americans are stuck in financial products with lousy rates and service,” CFPB Director Rohit Chopra said in a statement. “Today’s action will give people more power to get better rates and service on bank accounts, credit cards and more.”

The rule also may help users with shorter credit histories obtain credit by allowing lenders to access income- and expense-related data held on other platforms, the CFPB said.

Further, the framework could make direct account payments, or “pay-by-bank,” transactions a more common alternative to credit cards. That would make payments cheaper for consumers and merchants alike and allow a growth avenue for real-time services such as FedNow and ACH, advocates say.

Under the rule, third parties can only collect, use or retain data to deliver the product the consumer requested, the CFPB said. That means they can’t secretly use or keep consumers’ data for unrelated business reasons — marking a pivot away from screen scraping.

The rule forces banks and other data providers to establish a developer interface to share information, rather than relying on a third party’s technology. After that interface is established, screen scraping attempts may be considered unfair, deceptive and abusive acts or practices under the Consumer Financial Protection Act because the third party’s storage of user credentials could be seen as "needlessly exposing consumers to harm,” American Banker reported.

“The final rule makes clear that when consumers authorize companies to obtain their personal financial data on their behalf, these companies are not acting as service providers to the financial institutions holding the consumer’s data — those companies are acting on behalf of the consumer,” Chopra said Tuesday at a conference held by the Federal Reserve Bank of Philadelphia.

The rule permits third parties, however, to engage some secondary uses of consumer-authorized data, such as those to improve the requested product or service.

There would be a time limit on data access, too. Financial providers can maintain access for no more than a year without express reauthorization. Consumers can revoke access, also — forcing companies to delete collected data with immediate effect.

In another change from the proposed rule, the CFPB is delaying the compliance timeline for the rule by 10 months, compared with initial estimates. Compliance will be phased in waves, with the largest institutions due to comply by April 1, 2026, and the smallest by April 1, 2030.

Banks and credit unions with less than $850 million in assets will be exempt, but nondepository entities of any size must comply.

Reactions

A spokesperson for the nation’s largest bank said “open banking” is a misnomer for the rule. 

Rather, it’s “open season for more fraud and scams,” JPMorgan Chase spokesperson Trish Wexler said in a statement seen by Bloomberg.

“By mandating banks must hand over sensitive customer account data to any third party that got someone to click ‘I accept’ on their app, this rule handcuffs banks’ ability to demand high security standards from third parties,” Wexler said.

But not all affected companies are against the rule. John Pitts, global head of policy at the data aggregator Plaid, said the rule “will ensure more people have secure, reliable access to their financial information and accelerate innovations that benefit consumers.”

Under the rule, large data aggregators will be subject to supervisory examinations by the CFPB.

Penny Lee, CEO of the Financial Technology Association, said the rule will “drive momentum for future innovations that benefit consumers ... while fostering greater trust in the financial ecosystem.”

“We are hopeful that future rulemakings will allow consumers to unlock more benefits by tapping into other aspects of their financial lives, such as payroll, student loan, investment and mortgage accounts,” she said. 

Banking trade groups, however, saw it differently. Consumer Bankers Association CEO Lindsey Johnson said the CFPB “exceeds its statutory authority” in issuing the rule.

“The CFPB … has contorted this very clear and limited statute into enabling thousands of third parties to access consumers’ data,” Johnson said.

She said many CBA members support an open-banking framework, but Tuesday’s rule “severely misses the mark” by failing to incorporate industry feedback from the public comment period.

American Bankers Association CEO Rob Nichols called the rule “disappointing after so many years of good-faith efforts by parties on all sides to improve consumer outcomes.”

“What began two administrations ago as a collaborative exercise in securing consumers’ personal financial data has devolved into a press-release driven, political exercise based on the false premise that consumers lack choices and a misunderstanding of whether Dodd-Frank grants CFPB the authority to radically reshape the financial services marketplace,” Nichols said. “Our long-standing concerns about scope, liability and cost remain largely unaddressed.”

Bank Policy Institute CEO Greg Baer said banks “have worked for years to establish secure ways to share customer data whenever the customer asks.”

“The CFPB’s rule disrupts this established process,” Baer said, adding that the bureau’s final rule “retains many of the deficiencies and omissions that plagued” last year’s proposal.  

Recommended Reading

Editors' picks

Company Announcements

View all | Post a press release
Cross Border Payment Solutions Launches to Help Business Take Control of International Finance
From Cross Border Payment Solutions
November 18, 2024
Agent IQ and Narmi Announce Strategic Partnership to Improve Digital Banking Experiences
From Narmi
October 31, 2024
Unitus Community Credit Union Deploys JUDI.AI to Scale Small Business Lending
From JUDI.AI
October 31, 2024
Agent IQ and Narmi Announce Strategic Partnership to Improve Digital Banking Experiences
From Agent IQ
October 31, 2024
Editors' picks
Latest in Payments
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell