Amid ongoing legal challenges to the Consumer Financial Protection Bureau’s (CFPB) so-called “open banking rule,” many in the financial services industry wait in a state of regulatory limbo, even as the rule’s compliance requirements remain in effect.

“It’s very much in a holding pattern at the moment,” said Mehul Madia, special counsel at Sheppard Mullin, summarizing the sentiment many in the industry are feeling right now.

When the rule was finalized, many financial institutions began the process of getting their arms around what needed to be done and getting the necessary data management systems into place, added Madia, a former senior attorney at the CFPB.

However, a recent stay of the rule amid CFPB legal challenges has placed financial institutions in a “tough spot,” he said. It forces the question, “Should we continue the process of trying to comply with this rule, or wait to see if it gets struck down?”

This article explores the key provisions of the rule, industry reaction to it, and what next steps are on the horizon.

Key provisions

The CFPB finalized its controversial rule in October 2024, implementing provisions under Section 1033 of the Consumer Financial Protection Act of 2010 (CFPA). At a high level, the rule requires “data providers,” including banks and credit card issuers, to make “covered data” relating to “covered financial products and services” available in a “machine-readable format” to a consumer and to certain “authorized” third parties at the consumer’s request.

The rule defines a third party as “any person that is not the consumer about whom the covered data pertains or the data provider that controls or possesses the consumer’s covered data,” including financial technology (“fintech”) companies and data aggregators.

To be “authorized,” a third party must “limit its collection, use, and retention of covered data to what is reasonably necessary to provide the consumer’s requested product or service,” according to the rule. Additionally, the third party must obtain the consumer’s “express informed consent” to access the covered data by obtaining a signed authorization disclosure electronically or in writing.

The rule broadly defines covered data to include transaction information, account information (including information needed to initiate payment to or from a Regulation E account), terms and conditions, bill information, and account verification information.

Compliance obligations

Data providers must “authenticate” consumers’ identities before making data available and “confirm the scope” of a third party’s authorization to access consumer data. This can be achieved by asking customers to confirm the account(s) to which the third party is seeking access and the categories of covered data to which the third party is requesting access.

Data providers may deny requests in limited circumstances, such as if the request concerns confidential commercial information; information that has been collected for the “sole” purpose of preventing financial crime; or any information required to be kept confidential by law.

To receive and respond to requests for covered data, data providers must establish and maintain both a “consumer interface” and a “developer interface,” through which data providers can receive requests for covered data and make it available in electronic form.

“All of this requires a compliance framework,” Madia said. Not all financial institutions have the data management systems necessary to export consumers’ financial data, he noted. Compliance processes also will need to be implemented to meet the consumer verification requirement. “Those are all things that banks have to build from the ground up,” he added.

Data providers must establish and maintain written policies and procedures that are “appropriate to the size, nature, and complexity of the data provider’s activities,” the final rule states. When a third party is denied access to a developer interface or a request for information is denied, the data provider’s written policies and procedures must provide for creating a record substantiating the basis for the denial and for communicating, “in a timely manner to the third party, electronically or in writing, the reason(s) for the denial.”
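The obligations above (authenticate the consumer, confirm the scope of the third party’s authorization, deny only on a recorded and communicated basis) amount to an access-control check on the developer interface. The following is an added example of such a check, written for this article; it is not code from the CFPB, the rule, or any data provider. The record shapes, the field and category labels, the sample authorization and the hypothetical third-party name are all constructed assumptions. The point it shows is that the provider compares each request against what the consumer actually confirmed (accounts and data categories), authenticates the third party as itself rather than accepting the consumer’s credentials, and attaches a reason to every denial so the denial can be recorded and communicated.

```python
"""Scope check for a developer-interface request, written as an added example.
Not code from the article, the CFPB or any data provider; the record shapes,
field names and sample authorization below are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# The covered-data categories the rule names; these string labels are ours.
COVERED_DATA_CATEGORIES = frozenset({
    "transaction_information",
    "account_information",
    "terms_and_conditions",
    "bill_information",
    "account_verification_information",
})


@dataclass(frozen=True)
class Authorization:
    """What the consumer confirmed when authorizing a third party (assumed shape).

    The provider records which accounts and which data categories the consumer
    confirmed, so later requests are checked against that scope rather than
    against whatever the third party happens to ask for."""
    third_party: str
    consumer_id: str
    accounts: frozenset
    categories: frozenset
    expires: datetime


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def evaluate_request(auth, third_party, consumer_id, accounts, categories, now):
    """Decide whether a third party's data request fits the consumer's authorization.

    Every denial carries its reason(s), which is what the data provider needs
    in order to record the basis for denial and tell the third party why."""
    reasons = []
    # The requester authenticates as itself (e.g. a client credential it holds);
    # it never presents the consumer's login credentials, which is the
    # difference from credential sharing and screen scraping.
    if auth.third_party != third_party:
        reasons.append("authorization was granted to a different third party")
    if auth.consumer_id != consumer_id:
        reasons.append("authorization does not pertain to this consumer")
    if now >= auth.expires:
        reasons.append("authorization has expired")
    unknown = set(categories) - COVERED_DATA_CATEGORIES
    if unknown:
        reasons.append("not a covered data category: " + ", ".join(sorted(unknown)))
    extra_accounts = set(accounts) - auth.accounts
    if extra_accounts:
        reasons.append("accounts not confirmed by the consumer: "
                       + ", ".join(sorted(extra_accounts)))
    extra_categories = (set(categories) & COVERED_DATA_CATEGORIES) - auth.categories
    if extra_categories:
        reasons.append("data categories not confirmed by the consumer: "
                       + ", ".join(sorted(extra_categories)))
    return Decision(allowed=not reasons, reasons=reasons)


def denial_record(decision, third_party, consumer_id, now):
    """Build the record a provider would keep and send when it denies a request.
    Returns None when the request was allowed."""
    if decision.allowed:
        return None
    return {
        "third_party": third_party,
        "consumer_id": consumer_id,
        "denied_at": now.isoformat(),
        "reasons": list(decision.reasons),
    }


# Constructed sample: the consumer confirmed one account and two categories
# for a hypothetical third party. Dates and identifiers are made up.
SAMPLE_AUTH = Authorization(
    third_party="budgeting-app.example",
    consumer_id="consumer-123",
    accounts=frozenset({"chk-001"}),
    categories=frozenset({"transaction_information", "account_information"}),
    expires=datetime(2026, 4, 1, tzinfo=timezone.utc),
)
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)


if __name__ == "__main__":
    ok = evaluate_request(SAMPLE_AUTH, "budgeting-app.example", "consumer-123",
                          ["chk-001"], ["transaction_information"], SAMPLE_NOW)
    print("in scope:", ok.allowed)
    bad = evaluate_request(SAMPLE_AUTH, "budgeting-app.example", "consumer-123",
                           ["chk-001", "sav-002"],
                           ["transaction_information", "bill_information"], SAMPLE_NOW)
    print(denial_record(bad, "budgeting-app.example", "consumer-123", SAMPLE_NOW))
```

A request for an account or category the consumer did not confirm is refused outright rather than silently trimmed to the confirmed scope, so that the third party learns why and the provider keeps a record; an expired or mismatched authorization fails the same way. Time is passed in explicitly so the check is deterministic and testable.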

The final rule clarifies that a data provider may design its policies and procedures “to avoid acting inconsistently with its other legal obligations, or in a way that could reasonably hinder enforcement against unlawful or potentially unlawful conduct.”

Industry reaction

The proposed rule garnered more than 11,000 comments. While fintechs and consumer groups generally supported the rule, many in the banking industry pressed for substantial changes that largely went ignored. Their concerns fell into three main buckets: statutory overreach by the CFPB, heightened liabilities for banks, and the significant compliance costs the rule necessitates.

Banking industry commentators aired grievances about data providers being prohibited from charging fees to offset compliance costs of maintaining the interfaces, intaking requests, or making available the data in response to requests. “If Congress had intended for information under Section 1033 to be made without the ability to charge a reasonable fee, it would have said so expressly,” Ryan Miller, senior counsel for the American Bankers Association (ABA), stated in a comment letter.

Many in the banking industry also expressed concerns about the inherent risks of screen scraping. JP Morgan shared in a comment letter, for example, that it has “spent millions” on techniques and technologies to block evasive screen scraping. Even when screen scraping is blocked, login credentials can still be shared with a third party, its comment letter stated. The only real solution, many banking industry participants suggested, is to expressly prohibit screen scraping, which the final rule did not do.

CFPB legal challenges

On Oct. 22, 2024, the same day the CFPB published the finalized rule, Forcht Bank and two banking trade groups – the Kentucky Bankers Association and the Bank Policy Institute – filed a complaint in the U.S. District Court for the Eastern District of Kentucky raising many of the same concerns expressed by banking commentators. They ask the court to vacate and set aside the rule.

Central to their complaint, the plaintiffs argue that the CFPB overstepped its statutory mandate and seeks to “jettison a developing, industry-driven system and replace it with a complicated, costly, and fundamentally insecure, mandatory data-sharing framework.”

They further allege that the compliance deadlines the CFPB has set are “entirely unrealistic.” The rule established tiered compliance deadlines, divided into five tiers, based on asset size or revenue by data provider type. The largest depository and non-depository institutions, as defined by the rule, must comply by April 1, 2026, while the smallest institutions have a compliance deadline of April 1, 2030.

On Feb. 25, in a joint motion to stay proceedings, the parties in the case requested a 30-day stay of the litigation and a 30-day tolling of the compliance deadlines. Administrative changes at the CFPB prompted the request, after Office of Management and Budget Director Russell Vought was named acting director of the CFPB.

According to court documents, the CFPB requested that Vought be given “time to review and consider the CFPB’s position on various pending agency actions and recently finalized rules.” The judge in the case granted both requests.

In another legal twist in the case, the Financial Technology Association (FTA) filed a motion to intervene in the case. In a declaration filed with the motion to intervene, FTA President and CEO Penny Lee defended the open banking rule, stating that it “increases competition, improves consumers’ choices, and drives momentum for future innovations that benefit consumers…while fostering greater trust in the financial ecosystem.” A judgment invalidating the rule would harm FTA members, Lee said.

Next steps

Plaintiffs have until March 31 to file their motion for summary judgment, while the CFPB has until April 30 to file its cross-motion for summary judgment, followed by another round of reply briefs. Madia said that means the soonest the case is likely to be resolved is toward the end of this year.

Meanwhile, financial institutions are still expected to continue getting their compliance houses in order in preparation for meeting the rule’s requirements.

The “9th Annual Legal, Regulatory and Compliance Forum on FinTech & Emerging Payment Systems” will be held on May 12-14 at the New York Bar Association in New York. For more information, and to register, please visit: https://www.americanconference.com/fintech-emerging-payment-systems/