NEWS: Last week, the CFPB finalized its comprehensive open banking rule. The 594-page document implements Section 1033 of the Dodd-Frank Act. It will require credit unions, other financial institutions, credit card issuers, and third-party fintech providers to make consumers’ personal financial data available to transfer to another provider for free.
The goal behind the rule is to let consumers add or switch providers to access better rates, receive better terms, and find services that best suit their needs. The CFPB said that the rule promotes competition and consumer choice and will ultimately help improve customer service.
The League filed a comment letter with the CFPB in late 2023, voicing Wisconsin credit unions’ opposition after the rule was proposed. Credit unions told us that the CFPB’s proposal went too far and that it would present real dangers to members’ privacy and security, as well as significant expenses for credit unions. We wrote:
We understand that Congress required the CFPB to develop an open banking rule, but what the CFPB has put forward exceeds Congress’ intent. And while CFPB may believe that this rule would foster competition for small and new financial institutions, The League fears that it will do just the opposite – harm competition by putting small financial institutions – and credit unions are small in comparison to their banking counterparts – at a distinct competitive disadvantage.
The final rule differs in some specifics from the CFPB’s original proposal. For example, it exempts credit unions and other institutions with $850 million or less in assets.
Preliminary analysis of the new rule
The following material is based on an article written by The League’s outside law firm, Husch Blackwell. It includes information about a free webinar the firm is hosting this Friday.
What is Dodd-Frank Act Section 1033?
Dodd-Frank Act Section 1033(a) and (b) provide that, subject to rules prescribed by the CFPB, a covered person shall make available to a consumer, upon request, information in the control or possession of the covered person concerning the consumer financial product or service that the consumer obtained from such covered person, subject to certain exceptions. The information must be made available in an electronic form usable by consumers.
In addition, Congress mandated in Section 1033(d) that the CFPB prescribe standards to promote the development and use of standardized formats for data made available under Section 1033.
In June 2024, the CFPB finalized a separate rule addressing the data standard-setting component of Section 1033.
Who is covered in the 1033 Rule?
The rule applies to “data providers,” which include depository institutions such as banks and credit unions, as well as non-depository institutions that issue credit cards, hold transaction accounts, issue devices to access an account, or provide payment facilitation services, and to specific “authorized third parties.”
However, in a change from the proposal, small depository institutions (i.e., those with $850 million or less in assets) are exempt from the rule.
One surprise: In a change from the proposal, the CFPB included digital wallet providers and payment apps as data providers. Moreover, the rule notes that digital wallet providers constitute “data providers” even when they are only facilitating pass-through payments. This means that many of the most popular fintech payment platforms and wallet providers will be subject to the open banking regime.
What is covered in the 1033 Rule?
“Covered data” encompasses information about transactions, costs, charges, and usage related to consumer financial products and services. These include information about account balances, historical transaction information (24 months) in the control or possession of the data provider, terms and conditions, upcoming bills, and Reg. E payment initiations. Consumers can authorize third parties to access this data, provided they adhere to strict security and data use limitations.
What does this mean for “data providers”?
The final rule mandates that data providers make covered data accessible to consumers and to authorized third parties upon request, ensuring the process is reliable, secure, and competitive.
Data must be provided in a standardized, machine-readable format, and data providers are required to meet a minimum response rate for data requests.
Restrictions on request frequency are prohibited, and data providers generally are prohibited from utilizing “screen scraping” as a method for granting data access to third parties under the rule. Furthermore, the rule prohibits any fees or charges related to consumer and third-party data access.
Data providers are required to have written policies and procedures and retain records that are evidence of a data provider’s actions in response to a consumer’s or third party’s request for information for at least three years after a data provider has responded to the request.
What does this mean for “third parties”?
For third parties to become “authorized,” they must seek data access on behalf of consumers to provide requested products or services, furnish an authorization disclosure with key terms, and obtain the consumer’s express consent.
Third parties must limit the collection, use, and retention of data to what is necessary for the requested services, excluding targeted advertising and cross-selling.
The rule sets a maximum data collection duration of one year, requiring renewed consumer authorization after that point.
Moreover, third parties must certify that they have written policies for data accuracy, apply an information security program in line with the Gramm-Leach-Bliley Act (GLBA) Safeguards Framework, and provide consumers with copies of authorization disclosures and a method to revoke consent.
Data aggregators can assist third parties with authorization procedures but must certify compliance with third-party obligations. Third parties are required to retain records for a minimum of three years.
Compliance dates
Compliance with the rule will be phased in over several years. Larger providers are required to comply by April 1, 2026, while smaller providers have until April 1, 2030. The CFPB has also established qualifications for recognized industry standard-setting bodies, which can issue standards to aid compliance with the rule.
New rule already challenged in court
There is already litigation over the new rule. On October 22—the day the CFPB released its open banking rule—the Bank Policy Institute (BPI), the Kentucky Bankers Association, and Forcht Bank, N.A. filed a lawsuit against the CFPB, challenging the final rule in District Court in Kentucky.
The BPI alleges that the CFPB exceeded its statutory authority and violated the federal Administrative Procedure Act in various ways. According to the complaint, the rule:
- Requires no oversight of third parties who are using customer banking data, thereby leaving it up to banks to ensure the protection of sensitive customer information,
- Increases the likelihood of fraud and scams by “failing to address weak safeguarding practices,”
- Does not outright eliminate “unsafe” practices such as screen scraping,
- Does not hold third parties accountable for data security,
- “[A]llows third parties to profit, at no cost, from systems built and maintained by banks,” and
- “[I]mposes an unreasonable implementation timeline.”
The lawsuit asks for an injunction. The League will alert credit unions about the court’s decision.
Free webinar this Friday
Husch Blackwell is hosting a free webinar on the new open banking rule this Friday, Nov. 1, 2024, from noon to 1 p.m. Central Time.
The webinar will cover key aspects of the rule, including who and what is covered, consumer benefits like seamless switching and potentially better rates, the challenges and opportunities the rule presents for different market participants, major changes from the proposed rule, and compliance timelines.
Registration is required. If you are unable to join on Friday, a webinar recording will be available after the event. You can register using this on-demand link to access the recorded program.

