The Consumer Financial Protection Bureau (CFPB) swung for the fences this morning (October 22) as it issued the final version of its long-awaited Rule 1033 on personal financial data rights. As expected, the rule will mark a significant step toward open banking in the United States. But the rule also took a cut at regulating payments apps and left a lot of latitude for credit unions and community banks to compete with larger financial institutions.
The rule, which implements Section 1033 of the Dodd-Frank Act, aims to give consumers greater control over their financial data and the ability to share it securely with third-party service providers. Under the new rule, banks, credit unions and other financial institutions will be required to make consumers’ financial data available upon request to both consumers and authorized third parties. This data includes information about transactions, costs, charges and usage related to consumer deposit accounts, credit cards and payment services.
The CFPB is much wider in scope than expected, covering data in payment apps and digital wallets as well as bank accounts. “Digital wallet providers hold similar valuable data that can provide a complete understanding of a consumer’s finances,” reads a section of the rule. “Today, a digital wallet can initiate payments from multiple credit cards, prepaid accounts and checking accounts. A digital wallet can facilitate payments from accounts that the digital wallet provider offers through depository institution partners, or from linked accounts issued by other institutions (sometimes referred to as pass-through payments).” This indicates that the rule covers digital wallets and payment apps that facilitate payments from covered accounts. The document also notes that digital wallet providers are generally considered data providers under the rule, even if they only facilitate pass-through payments from other accounts.
The rule also establishes strict guidelines for third parties seeking to access consumer data. These entities must obtain explicit consumer consent, limit their data collection and use to what is necessary for providing requested services, and implement data security measures. The rule also prohibits the use of consumer data for targeted advertising or sale to other parties. It will require banks to develop standardized APIs or other secure methods for data sharing, moving away from less secure practices like screen scraping. The rule also bans institutions from charging fees for data access.
The CFPB has taken a phased approach to implementation, focusing initially on deposit accounts, credit cards and payment services. Larger financial institutions will need to comply first, with compliance dates staggered from 2026 to 2030 based on asset size. Notably, depository institutions with assets of $850 million or less are exempt from the rule’s requirements.
Bank Policy Institute President and CEO Greg Baer released the following statement: “On initial review, it appears the CFPB’s final rule retains many of the deficiencies and omissions that plagued the proposed rule. Banks have worked for years to establish secure ways to share customer data whenever the customer asks. The CFPB’s rule disrupts this established process, requiring banks to share financial data with any third party without adequate safeguards to ensure the data is protected from fraud, misuse and abuse.”
House Financial Services Committee Chairman Patrick McHenry, R-North Carolina, said the CFPB’s rule is a “promising step forward” but does not do enough.
“This is progress for American innovation and consumers, but we can’t stop here,” McHenry said in a statement released Tuesday. “Congress must build on the bipartisan consensus regarding financial data privacy. It’s critical that we make these protections permanent by passing Republicans’ Data Privacy Act of 2023.”
CFPB Director Rohit Chopra said Tuesday the release of the final rule will be followed by the agency “developing a roadmap for the next set of rules to advance open banking.”
In remarks prepared for delivery Tuesday at the Federal Reserve Bank of Philadelphia, Chopra said: “This first rule covers a wide range of accounts for payments and transactions. We are considering a number of other use cases, such as how to reduce costs and complexity in the mortgage market. During the rulemaking process, there were a number of important issues raised, such as coverage of accounts used for government benefits, like EBT cards, and the ability for nonprofit researchers to use consumer-permissioned data.”
We’re always on the lookout for opportunities to partner with innovators and disruptors.
Learn More