CFPB Finalizes New "Open Banking" Rule; Prompt Court Challenge Is Pending

The Consumer Financial Protection Bureau (CFPB) on Oct. 23, 2024, issued its final "open banking" rule. Starting for some institutions as early as 2026, financial service providers must, upon a consumer's request, make financial data available to them and authorized third parties. Financial institutions must provide this data electronically in a secure and reliable manner, requiring third-party data accessors to protect consumers' privacy.

This is the CFPB's first attempt at an "open banking" rule since Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act gave consumers a right to freely access their account information and authorize third parties acting on their behalf to access that information. The CFPB hopes to provide consumers more choice and increase competition in the industry. Under the agency's logic, if consumers can more easily assess their account data, they can compare service providers and switch more easily to providers offering the best value. Such an ability increases competition and innovation for service providers to attract and retain customers. The CFPB specifically sought to avoid "entrenching the roles of incumbent" financial services companies and third parties "whose commercial interests might not align with the interests of consumers and competition generally."

The new rule applies to "data providers," including depository and nondepository institutions that issue credit cards, hold transaction accounts, issue devices to access accounts or provide other types of products that facilitate payments. Data covered by the rule includes information about transactions, costs, charges and usage.

The rule requires data providers to offer, without fees or charges, access to data upon request in a standardized, machine-readable format within a certain number of days of the request. A data provider cannot "unreasonably" restrict request frequency. Additionally, the rule limits third-party "screen scraping," where the third party uses the consumer's credentials to log into accounts and retrieve data.

Third parties providing access to consumer data must provide the consumer disclosures explaining the terms of access and obtain the consumer's express written consent for data access. They cannot use consumer data in ways that the consumer did not expressly request. Importantly, third parties can collect data for only one year from the date of authorization. Without renewed authorization, the third party must cease collection, use and retention of collected data (unless such use or retention remains reasonably necessary to provide the consumer's requested product or service). Third parties must also provide the consumer a method to revoke authorization.

Under the rule, financial services providers should prepare to comply with this new rule in phases. The largest institutions will need to comply by April 1, 2026, while the rule is phased in over stages through April 1, 2030, for smaller institutions based on their total asset size. Depository institutions with less than $850 million in total assets are exempt from the rule.

Early Challenge

The rule has already been challenged in a case brought in the U.S. District Court for the Eastern District of Kentucky by the Bank Policy Institute and the Kentucky Bankers Association. The banking groups allege that the CFPB overstepped its statutory authority and that the rule's framework is fundamentally unsafe for consumers because it mandates sharing of sensitive financial information, limits banks' authority to stop sharing data with risky third parties, sets unrealistic compliance deadlines and prohibits collection of fees for the required services.

However, many have praised the new rule, among them, Rep. Patrick McHenry (R-N.C.), chair of the U.S. House Financial Services Committee, who called the new rule "a promising step forward to protect Americans' financial data privacy." A well-known financial technology (FinTech) company stated that it was "encouraged by the CFPB's efforts to promote consumer choice and competition and establish additional safeguards for consumers and our industry."

Holland & Knight will continue monitoring legal developments and is available to discuss strategies for compliance with the CFPB's open banking rule. For more information or questions, please contact the authors.

Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.