The rule aims to reduce market concentration by guaranteeing consumer access to personal financial data, but faces strident criticism and immediate legal challenge.
By Arthur S. Long, Parag Patel, Barrie VanBrackle, Pia Naib, Mik Bushinski, and Deric Behar
On October 22, 2024, the Consumer Financial Protection Bureau (CFPB) finalized the Personal Financial Data Rights rule (the Rule) under Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010. The Rule requires covered financial institutions to make consumer financial data available both to consumers and to a consumer’s authorized third parties (including data aggregators acting on behalf of authorized third parties) at the consumer’s request and without any accompanying fees.
According to the CFPB, the Rule empowers consumers and authorized third parties “to access account data controlled by providers of certain consumer financial products or services in a safe, secure, reliable, and competitive manner.”
The Rule is years in the making, and was likely spurred by a July 9, 2021, Executive Order on Promoting Competition in the American Economy, which encouraged the CFPB to “consider … commencing or continuing a rulemaking under section 1033 of the Dodd-Frank Act to facilitate the portability of consumer financial transaction data so consumers can more easily switch financial institutions and use new, innovative financial products” (for more information, see this Latham blog post).
While open banking in the US has been market-driven in the past, the Rule creates a regulatory open banking regime similar to what has been in place for some time in other jurisdictions like the European Union and United Kingdom.
The Rule
The Rule was first proposed on October 19, 2023, as a Notice of Proposed Rulemaking. As finalized it hews closely to the proposal, save for provisions regarding slightly more permissive use of data; a lower threshold that defines the largest entities in scope (set at $250 billion or more in total assets rather than the proposed $500 billion or more); compliance exemption for smaller entities (those with less than $850 million in total assets); and extended compliance dates.
Banks and credit unions with $850 million or more in total assets, and non-depository entities of any size, will be required to provide data under the Rule. Small banks and credit unions (those with less than $850 million in total assets) are exempt from the Rule.
Highlights of the Rule include the following:
- Applicability:
- Covered entities: covered entities include depository institutions (including credit unions) and non-depository institutions that issue credit cards, hold transaction accounts, issue devices to access an account, or provide other types of payment facilitation products or services. The inclusion of non-depository institutions (of any size) that facilitate payments means that, while not all fintechs will be covered, many fintech payment apps and digital wallet providers will be data providers subject to the Rule. As noted above, depository institutions with less than $850 million in total assets are not subject to the Rule, alleviating the compliance costs for small depository institutions.
- Covered data: consumers will be able to access or authorize a third party to access data concerning consumer financial products or services such as checking accounts, prepaid cards, credit cards, mobile wallets, or payment apps. Such data includes basic account verification information, transaction history, account balances, upcoming bills, information needed to initiate payments, and terms and conditions. Tokenized account and routing numbers (i.e., randomly generated numbers that stand in for a customer’s actual account number) may be used to reduce the risk of fraud, as long as the practice is not used in an anti-competitive manner.
- Current data: data providers must make available the most recently updated covered data that they have in their control or possession at the time of a request, including information concerning transactions that have been authorized but not yet settled.
- Limited use of data: authorized third parties may not obtain more data than is reasonably necessary to provide consumers with a specific, requested product or service. The Rule prohibits third parties from collecting, using, or retaining consumers’ data for targeted advertising, cross-selling other products or services, or sale of covered data.
- Reauthorization necessary: authorized third parties must limit the duration of collection of covered data to a maximum of one year after the consumer’s most recent authorization.
- Revocability: consumers may revoke third-party access to their data at any time. When a consumer revokes access, the Rule mandates that data access end immediately, with the data deleted. Means of revocation must be as easy to access and operate as the initial authorization, and cannot be subject to costs or penalties.
- No fees or evasion: data providers will be required to provide requested data without charging any fees to either consumers or authorized third parties. Data providers are also not permitted to discourage requests for covered data, unreasonably restrict requests or responses from or to an authorized third party, or knowingly make data unusable to requesters. Data providers may, however, deny a data access request if the denial is not unreasonable and granting access would be inconsistent with safety-and-soundness considerations, information security standards, or other applicable laws and regulations regarding risk management.
- Consumer and developer interfaces: data providers must establish and maintain both a consumer and developer interface to facilitate data transfer.
- Consent and disclosure: authorized third parties must obtain a consumer’s express informed consent to access covered data on behalf of the consumer. They also must provide an authorization disclosure that certifies adherence to certain obligations regarding collection, use, and retention of the consumer’s information.
- Security standards: authorized third parties must implement data security standards for the collection, use, and retention of covered data so as not to expose consumers to cybersecurity threats. The applicable standards are those of Section 501 of the Gramm-Leach-Bliley Act or, if Section 501 does not apply to the third party, the Federal Trade Commission’s Standards for Safeguarding Customer Information. A data provider must apply the same data security standards to the developer interface through which it serves authorized third-party requests.
- Liability for misuse of data: the CFPB declined to “impose a comprehensive approach to assigning liability among commercial entities.”
- Screen scraping: the Rule prohibits data providers from “allow[ing] a third party to access the data provider’s developer interface by using any credentials that a consumer uses to access the consumer interface.”
- Policies: data providers must maintain written policies that ensure the accurate and reliable sharing of data with authorized third parties, as well as policies regarding information request denials and record retention. Third parties must have written policies and procedures that are reasonably designed to ensure that covered data are accurately received from a data provider and, if applicable, accurately provided to other third parties.
Voices of Support
CFPB Director Rohit Chopra applauded the Rule in a speech at the Federal Reserve Bank of Philadelphia. Chopra said “[t]he rule will provide more freedom, promote decentralization, and spur greater competition.”
Patrick McHenry, Chairman of the House Financial Services Committee and habitual opponent of CFPB initiatives, generally supported the Rule. He affirmed that “Americans should have greater control over their sensitive financial data,” and that the Rule “is progress for American innovation and consumers.” He also encouraged Congress to take additional steps to protect financial data by passing H.R. 1165, the Data Privacy Act of 2023, which would modernize financial data privacy law and give consumers more control over how their personal information is collected and used.
Lael Brainard, National Economic Advisor, supported the Rule and stated that it “will make it easier for consumers to switch banks and use financial services that better fit their needs, provide greater opportunity for innovative new businesses to compete, and lower costs for consumers.”
Legal Challenges
The Rule, however, faced immediate challenge from the banking industry, as the Bank Policy Institute (BPI) and other banking entities filed a complaint in Kentucky federal court. BPI criticized the Rule for “retain[ing] many of the deficiencies and omissions that plagued the proposed rule.” The lawsuit raises several issues with the Rule as finalized by the CFPB:
- The CFPB is “overstepping its statutory mandate” under Dodd-Frank by implementing a “mandatory regulatory framework that Congress never authorized.”
- It has the potential to open a Pandora’s box of scams, fraud, and misuse of sensitive consumer data due to inadequate security measures (ostensibly undermining the CFPB’s core purpose of protecting consumers).
- Responsibility for protecting customer data and liability for data misuse appears to be left to banks under the Rule, while the CFPB “takes no accountability for the oversight or supervision of data recipients” (who may or may not be operating with good intentions, or with adequate data security measures).
- By imposing enormous compliance costs on banks and not permitting the banks to charge fees for data access, the CFPB is allowing third parties to profit from systems and information that banks have spent years to develop and maintain.
- The compliance timeline is flawed, although it appears more generous than the proposal’s. It is “not tied to the promulgation of any consensus standards that will naturally become the industry’s default standard for compliance under the rule.” Banks cannot in reality begin to implement compliance measures until consensus standards are recognized and widely accepted in the industry.
Other banking organizations, including the American Bankers Association (ABA) and the Consumer Bankers Association (CBA) also criticized the Rule upon release. The ABA stated that “it is clear that [the ABA’s] longstanding concerns about scope, liability, and cost remain largely unaddressed” in the final Rule, “a rulemaking that puts both [consumer data and responsible innovation] at risk.” The CBA asserted that the CFPB has “far exceed[ed] its statutory authority” in finalizing a Rule that “severely misses the mark,” and “fail[s] to incorporate much of the critical feedback provided by industry through the comment period.”
The Fintech Response
Fintech organizations were generally supportive of the Rule. The head of the Financial Technology Association, a fintech industry lobbying group, called the Rule “a win for consumers” that “will increase competition, improve consumers’ choices, and drive momentum for future innovations that benefit consumers.”
The American Fintech Council, however, previously criticized the proposal as overly restrictive. Specifically, it criticized the CFPB for (among other things) the “limitations imposed on data providers and third parties regarding the acceptable use of consumer data” and the requirement that consumers must reauthorize data access annually.
Conclusion
CFPB Director Chopra brushed aside criticism of the Rule as protectionism by incumbents, and asserted that it promoted an open banking and payments system that is “free of powerful gatekeepers and middlemen that can impose private regulations and extract fees.”
The CFPB’s foray into open banking is far from complete, as it plans to develop additional rules promoting consumer data access rights for more products, services, and use cases. Indeed, CFPB Director Chopra confirmed that the CFPB will be “developing a roadmap for the next set of rules to advance open banking.”
Whether the Rule will survive in its current form remains to be seen, as the CFPB faces challenges to this Rule as well as to other recent rulemakings, while defending against challenges to its statutory authority. Recent US Supreme Court decisions and the 2024 election will also have important ramifications for federal agencies, with the CFPB at the forefront of these changing tides.
The Rule becomes effective 60 days after publication in the Federal Register. Compliance dates begin on April 1, 2026, for the largest depository institutions ($250 billion or more in assets) and extend yearly through April 1, 2030, for the smallest depository institutions that are in scope (less than $1.5 billion but $850 million or more in total assets). The largest subject non-depository institutions, those with $10 billion or more in receipts, must comply starting April 1, 2026. All other subject non-depository institutions (regardless of size) must comply by April 1, 2027.
Latham & Watkins will continue to monitor developments in this area.