The Consumer Financial Protection Bureau added payment apps and other financial products to its final open banking rule and in keeping with its focus on innovation, provided for some secondary uses of data.
The CFPB is expected to release the final rule Tuesday, but materials describing the final rule were made available to American Banker prior to its release.
The final rule hews closely to the CFPB’s proposal from a year ago but appears to include some substantive changes to the rule’s scope, secondary uses and the compliance period, which has been extended by 10 months for the largest banks. The open banking rule is referred to by the industry as “1033” for the section in the Dodd-Frank Act of 2010 that gave the CFPB authority to implement how consumers control their own financial data.
The CFPB’s rule, named after Section 1033 of Dodd-Frank, requires that banks safely share financial data on checking accounts, prepaid cards, credit cards, mobile wallets, payment apps and other financial products. Payment apps and other financial products were added in the final rule, sweeping Apple Pay, Google Pay, PayPal, Zelle and Venmo and other apps into the scope of the rule. The change is
For banks, the biggest change could be liability for fraud and data breaches by third-party fintechs. Banks are concerned
CFPB Director Rohit Chopra signaled in prepared remarks that the bureau is in constant communication with other financial regulators to advance open banking.
“The final rule makes clear that when consumers authorize companies to obtain their personal financial data on their behalf, these companies are not acting as service providers to the financial institutions holding the consumer’s data — those companies are acting on behalf of the consumer,” Chopra said in his prepared remarks. The remarks mean banks may not be able to rely on third party risk management considerations to deny access to third parties.
The CFPB did not issue a larger participant rule for data aggregators, as some had hoped. Rather, all companies involved in data access — not just banks — must comply with the data security requirements of the Gramm-Leach-Bliley Act.
In another change from the proposal
“The rule is designed to ensure that open banking does not become a new data pipeline that fuels surveillance pricing or other manipulative mischief,” Chopra said in prepared remarks for a speech to be delivered at a Fintech Week conference hosted by the Federal Reserve Bank of Philadelphia.
The final rule also makes some adjustments to the performance requirements that banks and other data providers must meet for data access. Under last year’s proposal, institutions would have been required to satisfy 99.5% of data requests within just 3.5 seconds — targets that some experts told the CFPB were too hard to meet. What those adjustments are precisely was not specified.
The final rule also clarifies that tokenized account numbers — randomly generated numbers to replace a customer’s actual account number to reduce the risk of financial fraud — are permitted so long as they are not deployed in an anti-competitive manner.
Chopra said the rule aims to address market concentration that limits consumer choice and allow consumers to access their own bank account transaction information — or authorize a third party to access it without charging fees.
“Personal financial data is sensitive, and there are basic protections and rights that should go along with accessing this kind of information,” he said in prepared remarks.
The rule is specifically designed to ensure that data is collected and is “used minimally, stored securely, transferred accurately, and deleted when it’s no longer needed or when the consumer revokes access,” Chopra said.
Chopra has said the proposal
National Economic Advisor Lael Brainard echoed those sentiments in a prepared statement, saying that the rule “will make it easier for consumers to switch banks and use financial services that better fit their needs, provide greater opportunity for innovative new businesses to compete, and lower costs for consumers.”
The rule establishes strong privacy protections, requiring that personal financial data can only
be used for the purposes authorized by the consumer. The final rule bans data harvesting — prohibiting third parties from collecting, using, or retaining consumers’ data for targeted advertising, cross-selling products or any unrelated business reason. The rule does not prohibit any particular uses of data, but rather requires that all use be driven by what is necessary to deliver the product sought by the consumer.
The CFPB said it will be developing additional rules to address other products, services, and use cases that many think will involve mortgage and auto loans.
The CFPB gave the largest banks until April 1, 2026, to comply, while the smallest banks have until April 1, 2030. Only banks and credit unions with more than $850 million in assets and nondepository entities of any size will be required to provide data under the rule. Certain small banks and credit unions are not subject to this rule.
Consumers have been sharing their bank transaction data for years using the common but risky practice of “screen scraping” — giving usernames and passwords to third parties. The CFPB said that screen scraping brings with it inherent risks, such as overcollection of data, inaccurate data sharing, and the spread of login credentials.
The rule would encourage further the adoption of secure application programming interfaces, or APIs, by enabling the exchange of data in a standardized format. The CFPB has already received an application from the Financial Data Exchange to be recognized as
Under the final rule, consumers have the legal right to know what data is being collected, where the data is stored, with whom the data is shared — and to revoke access at any time. When a person revokes access, the rule requires that data access end immediately, with the data deleted. Data access can be maintained for one year unless the consumer agrees to further extended access.
Some experts think the
The prohibition on banks charging fees is in keeping with other countries. No other country with an open banking regime — a list that includes the UK, the European Union, Australia, India and Singapore — allows banks to charge fees.