The League – Fostering Financial Wellbeing for All

League comments on open banking rule reconsideration

News Compliance Courier

NEWS: The League has filed a comment letter with the CFPB, urging it to revise several key areas of its “open banking” rule.

Background

The CFPB finalized the rule about a year ago, as reflected in this Compliance Courier. Formally known as the Personal Financial Data Rights Rule, it implements section 1033 of the Dodd-Frank Act.

The rule is designed to give consumers control over their financial data by requiring banks, credit unions, and certain fintechs to share account information (like transaction history and account balances) with authorized third parties if consumers consent. The rule’s goal is to let consumers add or switch financial services providers to access better rates, receive better terms, and find services that best suit their needs.

The current rule provides for compliance dates to be phased in over time, with larger providers required to comply in spring 2026 and smaller providers in spring 2030. But compliance has been stayed as the rule is being litigated in a federal court in Kentucky.

The League’s comments on the reconsideration

The CFPB is considering certain changes to the rule, and it asked commenters to address four issues that it plans to consider revising.

  • The Dodd-Frank Act permits a consumer and/or representative acting on behalf of the consumer to request covered data from a financial institution. The CFPB asked who should be allowed to serve as a representative acting on behalf of the consumer.

    The current rule interprets the phrase “representative acting on behalf of an individual” to include third parties that access consumers’ data pursuant to certain authorization procedures and substantive obligations. We told the CFPB that, “This reading is far too broad and ambiguous, especially given the risks to data security and fraud that are inherent in open banking. Simply allowing any supposedly authorized person to access a consumer’s sensitive personal information would open the door to fraudsters, who will certainly try to exploit the rule’s weakness to falsely claim authorization to access consumers’ data. We respectfully ask the CFPB to strictly define an authorization process that users must follow to make a request on a consumer’s behalf.”

  • Under the final rule in its current form, a financial institution is prohibited from imposing any fee and/or charge on a consumer when fulfilling an information request. The CFPB asked whether the Dodd-Frank Act specifically requires this, and if so, what steps a financial institution should be allowed to take to defray some of its costs associated with fulfilling the information request.

    We urged the CFPB to let credit unions charge reasonable fees for sharing information under the rule. “Sharing financial data under the open banking rule will require every credit union and other financial institution in the U.S. to invest heavily in systems, infrastructure, staffing, training, and security,” we wrote. “The rule should allow them to recoup at least a portion of those expenses from consumers by charging reasonable fees.”

  • The final rule requires financial institutions to have appropriate safeguards in place to protect against malicious actors in the use, retention, and transmission of consumer financial data. The CFPB sought comment as to whether the final rule’s information security standards go far enough.

    We told the CFPB that no, the rule’s information security standards do not go far enough: “The security of members’ information is a top concern for Wisconsin’s credit unions. They worry that members who share login credentials or identifying information with unvetted third parties will be more vulnerable to fraud. They also worry about complying with overlapping (and perhaps contradictory) standards for safeguarding member information and for complying with the amorphous standards under the open banking rule.”

    We urged the CFPB to “ensure that all of those sharing information under this rule are subject to the existing information security standards in the Gramm-Leach-Bliley Act. Credit unions are subject to such standards already, via Part 748 of the NCUA Regulations, but not all other participants in an open banking system are subject to such rules. In addition, the rule should set security standards for data transmission, akin to standards in place under Nacha Rules & Guidelines for ACH transmissions.”

  • The final rule requires a financial institution to obtain express informed consent from the consumer before making their consumer financial data available to a third party. The CFPB sought comment as to whether the rule, in its current form, provides adequate consumer privacy protection.

    We repeated a recommendation that we made in early 2024, after the open banking rule was proposed: “Every party that collects or holds consumers’ personal financial data should be held to the same rigorous standards for data security under this rule. And so, we urge the CFPB to adopt the Safeguard Guidelines promulgated by the federal banking agencies and the NCUA as the appropriate standard for third parties.”

We want to thank Summit Credit Union for sharing its views on open banking and its impacts.

The League will alert you about further developments on this rule.