On October 22, 2024, the Consumer Financial Protection Bureau (“CFPB”) issued its final rule implementing Section 1033 of the Dodd-Frank Act (the “Final Rule” or the “Open Banking Rule”), granting consumers greater access rights to the data their financial institutions hold. Although there are some differences, the Final Rule largely tracks the Proposed Rule announced by the CFPB on October 19, 2023, with the largest concession coming in the form of the extended compliance dates.
The Final Rule was immediately met with criticism from industry groups, with the Bank Policy Institute and the Kentucky Bankers Association filing a lawsuit in the U.S. District Court for the Eastern District of Kentucky on the day the Final Rule was issued, seeking injunctive relief and alleging that the CFPB exceeded its statutory authority.
Scope of the Final Rule
The Final Rule applies to data providers, third parties, and data aggregators. “Data provider” is defined to mean a financial institution under Regulation E, a card issuer under Regulation Z, or any other person that controls or possesses information concerning a covered consumer financial product or service that the consumer obtained from that person. Digital wallet providers are specifically listed as an example. While some commenters pushed the CFPB to expand the scope of data providers, it declined to do so at this time, although it did explain that it intends to do so in the future.
“Third parties” are defined to mean any person or entity that is not the consumer about whom the covered data pertains or the data provider that controls or possesses that data. To become an “authorized third party,” an entity must complete the authorization procedures outlined in the Final Rule. The Final Rule also has additional requirements for “data aggregators,” which are defined to mean a person that is retained by, and provides services to, authorized third parties to enable access to covered data.
The Final Rule defines covered data to mean transaction information, account balance information, information to initiate payment to or from a Regulation E account, terms and conditions, upcoming bill information, and basic account verification information. The Final Rule includes examples for some, but not all, of those categories, and it does not contain any express exclusions for de-identified or anonymized data.
Substance of Final Rule
The Final Rule requires data providers to provide a right of access to authenticated consumers and authenticated third parties (including data aggregators acting on behalf of an authorized third party) to the most recently updated covered data. Access must be in an electronic format that is transferable to consumers and third parties and usable in a separate system (known as portability under privacy laws), and data providers cannot impose any fee or charge on consumers or third parties. The CFPB has stated that the purpose of this requirement is to encourage competition, while critics have stated that it will allow third parties to profit from consumer data at the expense of banks and other data providers.
Data providers must also establish and maintain two interfaces, one for consumers and one for developers. The developer interface is defined to mean the interface through which a data provider receives requests for covered data and makes covered data available to authorized third parties, and it must satisfy several requirements relating to format, performance, and security. Adhering to a qualified industry standard would constitute indicia of compliance and provide a safe harbor in some instances. The CFPB’s separate rule setting out the qualifications for a standard-setting body to become recognized, and therefore able to issue such standards, was finalized in June.
Data providers will also need to make certain information publicly available in both human- and machine-readable formats, a requirement that goes well beyond the standard annual privacy policy update. Additionally, data providers will need to maintain written policies and procedures relating to data availability and accuracy, as well as data retention and access requests.
With respect to third parties, the Final Rule contains a three-part authorization procedure to become an authorized third party: providing the consumer with an authorization disclosure, certifying that the third party agrees to specific obligations, and obtaining the consumer’s express informed consent. The Final Rule allows data aggregators to perform the third party authorization, subject to specific requirements.
The Final Rule also imposes limitations on the third party’s secondary uses of consumer data, explicitly prohibiting the use of consumer data for targeted advertising, cross-selling of other products or services, and the sale of data. Many commenters requested greater clarity on the secondary use limitations, especially on how to distinguish primary from secondary uses, and sought carve-outs for de-identified data. The Final Rule did not specifically address de-identified data or how data may be used to train artificial intelligence or algorithms, but it did explicitly allow for the use of covered data for “uses that are reasonably necessary to improve the product or service the consumer requested.”
It is also worth noting that the Final Rule carried through numerous other specific requirements relating to data security, data retention, consent revocation, reauthorization, and written policies and procedures.
Compliance Timelines
In perhaps the biggest change from the Proposed Rule, the CFPB extended the earliest compliance timeline. Under the Proposed Rule, the largest depository institutions would have had to comply within six months after publication, while the smallest institutions would have had four years to comply.
Under the Final Rule, the largest depository institutions, defined to mean those that hold at least $250 billion in total assets, will have until April 1, 2026 to comply. While this extended compliance date is welcome news, the threshold for the largest depository group was set at $500 billion in total assets under the Proposed Rule, which means more institutions will now be subject to the initial deadline set forth in the Final Rule.
Depository institutions with total assets between $10 billion and $250 billion will have until April 1, 2027; those between $3 billion and $10 billion have until April 1, 2028; those between $1.5 billion and $3 billion have until April 1, 2029; those between $850 million and $1.5 billion have until April 1, 2030; and those with less than $850 million in total assets are exempt from the Final Rule entirely.
Reception and Criticisms
On the same day that the CFPB issued the Final Rule, the Bank Policy Institute filed a lawsuit in federal court challenging aspects of the CFPB’s rulemaking under Section 1033 of the Dodd-Frank Act. The complaint asks the court to set aside the Final Rule in its entirety pursuant to the Administrative Procedure Act, and to enter an order permanently enjoining the CFPB from enforcing the Final Rule.
Other industry groups have been similarly critical of the Final Rule. In particular, many organizations and groups in the banking industry have voiced the following criticisms in response to the Final Rule:
- under the Final Rule, third parties are able to profit, at no cost, from a system built and maintained by banks, and banks are not able to exercise control over customer data once it is transferred to third parties;
- the CFPB was mistaken in not affirmatively and explicitly sunsetting the practice of “screen scraping” in the Final Rule, a method whereby third parties or data aggregators collect data from a website or application by using the consumer’s own login credentials to access the consumer’s account; and
- the new compliance deadlines in the Final Rule, while extended, will still be difficult for organizations to meet given that no recognized standard-setting body has yet issued a qualified industry standard.
* * *
Compliance with the Final Rule will be a long and arduous process for data providers, third parties, and aggregators alike, requiring updates to both technical processes and legal procedures. Indeed, for some companies, the Final Rule will require not just updates to address its specific requirements, but also a more comprehensive overhaul of their underlying security procedures to align with the security standard set forth in the federal Gramm-Leach-Bliley Act. Companies would be wise to start assessing the impact of the Final Rule on their operations now, even if implementation of some of the technical updates will need to wait until standard-setting bodies are recognized and standards are issued.