The Consumer Financial Protection Bureau (CFPB) has proposed an open banking rule (Proposed Rule) requiring certain financial institutions to allow consumers and approved third-party financial service providers access to a consumer’s banking, transaction, and other financial data known to the financial institution. The CFPB will publish a finalized version of the Proposed Rule this fall.
What is open banking?
The concept of open banking was first introduced in 2003 as part of the open innovation movement and is driven by technological advancements that enabled consumer-facing banking to function through new online technologies. Open banking (also known as “open bank data”) facilitates the interconnection of accounts and data across different institutions, providing benefits to consumers, financial institutions, and third-party service providers. Open banking is anticipated to be a major driver of innovation that could revolutionize the banking industry. The result could be a more competitive financial services marketplace as consumers are more easily able to transfer data across financial service providers. The Proposed Rule covers consumer financial data relating to account balances, two years of transaction history, access device information (e.g., account numbers, routing numbers, or their tokenized equivalents), account terms and conditions, pending bill payments, and basic information needed to verify the account (e.g., name, address, phone number, etc. of the account holder).
What do we know about open banking from a regulatory perspective?
The CFPB is anticipated to publish the final rule in the fall of 2024. Public comments on the Proposed Rule were accepted from a diverse group of stakeholders until December 29, 2023. The CFPB is presently evaluating these comments and considering them for incorporation into the final rule before its public release.
The regulations generally impact businesses operating in the following three categories, which are not mutually exclusive:
- “Covered Data Providers” such as financial institutions, card issuers, or other entities that control or process consumer financial information;
- “Third Parties” and “Authorized Third Parties” that receive consumer financial information through the open banking process; and
- “Data Aggregators” which are retained by and provide services to authorized third parties and enable third parties to access the consumer financial data.
The Proposed Rule includes tiered compliance dates. The first of the four compliance dates would be 6 months after the final rule is published in the Federal Register, while the last compliance date would be 4 years after publication. Typically, larger depository and non-depository entities would be required to comply earlier than smaller depository and non-depository institutions.
Implementation Timing for Proposed Rule
Tier | Months Until Compliance | Depository Institutions | Nondepository Institutions |
---|---|---|---|
Tier 1 | 6 months post rulemaking | >$500B in assets | >$10B in annual revenue |
Tier 2 | 12 months post rulemaking | From $50B up to $500B in assets | Anything less than $10B in annual revenue |
Tier 3 | 30 months or 2.5 years post rulemaking | From $850M up to $50B in assets | N/A |
Tier 4 | 48 months or 4 years post rulemaking | <$850M in assets | N/A |
Key Takeaways
The upcoming release of final CFPB regulations relating to open banking is expected to significantly impact the industry. Financial service providers and businesses that manage consumer financial data should prepare for forthcoming growth opportunities. We are likely to witness the emergence of new service providers as consumers find it easier to transfer data between various financial institutions and seek out products that enable them to tailor their financial services across providers to best meet their needs.
Businesses that are best positioned to benefit from the upcoming CFPB regulation are those that proactively (1) assess their internal infrastructure to verify that their current institutional technology can comply with the forthcoming requirements as outlined by the CFPB, (2) enhance operational capacity to ensure their existing technology can manage significant and numerous data-sharing requests from customers and third parties, and (3) optimize data security practices to ensure that all protected personal financial data of customers is adequately safeguarded during the transfer process and in compliance with all relevant data privacy laws.
This article is the first in a two-part series. Rebecca Rheney will discuss the finalized version of the Proposed Rule when the CFPB publishes it later this fall.