Open Banking’s Price Tag: CFPB’s 1033 Rule and the Cost of Compliance

The goal of the Consumer Financial Protection Bureau’s final rule on data sharing unveiled Tuesday (Oct. 22) is to promote competition and, by extension, financial services innovation.

But a deeper reading of the rule itself reveals that for banks, compliance with the rule has a few heavy lifts — technical and operational in scope — as well as liability risk. The heavy lifting will be done across an implementation schedule that will take years.

It’s a work in progress that promises to reshape the interplay between banks, FinTechs and consumers, and, as with all works in progress, there may be a few things that need to be ironed out along the way.

The rule paves the way for further adoption of open banking in the United States and was expanded to include payment apps. The implementation of Section 1033 of the Dodd-Frank Act is focused on data sharing — specifically, consumer-permissioned data that banks must share with the consumers themselves and with authorized third parties.

The High-Level Pursuit

The mechanics of data sharing include the implementation of APIs, and “the developer interface must make available covered data in a standardized and machine-readable format,” per the rule. It also dictates “that the format satisfies this requirement [including] that it conforms to a consensus standard.”

The process for setting standards — and who will set those standards, among banks, third parties and consumer groups — is still ongoing. (No final date is mentioned in the current documentation.)

The covered data includes transaction-level account details and balances. The data remains portable, in that the consumer is the owner of the information and can take their business from one provider to another. The same level of granular data should serve as a foundation for financial institutions and others to personalize products and services, especially with credit, account-to-account payments and other offerings.

The final rule should make consumers aware of what data they must share and the breadth of their ownership of that data. PYMNTS Intelligence found that 46% of consumers are “highly willing” to use open banking payments for at least one product or service. The same survey showed that only 11% had done so. It follows, then, that increased awareness will translate into increased embrace of open banking.

The Timelines

As is typical with the rulemaking process, the rule becomes official in 60 days.

For banks, there’s a staggered timeline for compliance. The 594-page notice of final rulemaking said compliance begins April 1 of the years 2026, 2027, 2028, 2029 or 2030 for data providers, which includes depository institutions (including credit unions). The providers also include non-depository institutions that hold or issue credit cards and other types of accounts.

The largest institutions, with at least $250 billion in assets, must meet the earliest timeline. The second timeline tier applies to firms with between $10 billion and $250 billion in assets. The third tier is for firms with between $3 billion and $10 billion in total assets. The fourth tier is for firms with between $1.5 billion and $3 billion in total assets. The final tier is for firms with between more than $850 million and $1.5 billion in total assets.

“The compliance periods for each tier in the final rule will ensure that data providers of different sizes and resources will have the appropriate amount of time to comply, in part, because the largest, most resourced data providers will be complying first and smaller depository institution data providers who are most likely to be relying on core providers and other third parties will be split into additional, smaller, more manageable tiers,” per the notice of final rulemaking. “…. The [final tiers], which constitute the smallest depository institution data providers by asset size and the entities most likely to depend on core processors or other third parties to assist with compliance, will be able to learn from the experiences of the data providers that had to comply earlier and should have a smoother transition than they might otherwise.”

The Technical and Liability Concerns

The rule’s language hints at some of the concerns and wrinkles — for lack of a better term — that need to be ironed out. A lot must happen behind the scenes to make open banking a fully-fledged reality, notwithstanding the benefits that would accrue to consumers and forward-thinking providers.

Although banks have timelines, the same does not (perhaps yet) hold for the third parties they would connect to as consumers permission their data.

“The final rule does not set explicit compliance dates for third parties because they are unnecessary,” the notice of final rulemaking said. “The CFPB is providing additional time for the largest data providers to come into compliance with the rule, which will give third parties and aggregators additional time to prepare for implementation of the rule. In addition, transitioning the market from screen scraping will further incentivize third parties and aggregators to meet the requirements to request proper access under the terms of the rule.”

PYMNTS Intelligence found that 57% of U.S. consumers trust their banks to deliver open banking services. These same consumers remain concerned about data security, which may be less defined than some might hope if standards setting on that data is still being hammered out, if third parties are not governed by hard-and-fast timelines, and if banks’ liability in the event those third parties are compromised has yet to be fully established.

In the notice of final rulemaking, the CFPB detailed that during the commentary period, “data providers expressed concern that they would unfairly bear the burden of managing liability risks presented by nondepository third parties that are not subject to the same regulatory oversight… Many data provider commenters asserted that the proposal had not accounted for data providers’ potential exposure to liability-related costs or ensured third parties had incentives to manage liability and otherwise demonstrate capacity to cover losses directly caused by third parties.”

Other data providers (banks) have expressed concern that they would not be able to recoup losses tied to those third parties or set in place specific fraud protections for pay-by-bank transactions.

“The CFPB has determined it would not be appropriate for this rule to impose a comprehensive approach to assigning liability among commercial entities or safe harbors from the requirements of EFTA and Regulation E or TILA and Regulation Z,” the notice of final rulemaking said, “…To the extent there are complex factual or legal questions about a data provider’s liability for directly contributing to consumer harm, commenters did not identify particular scenarios, and the CFPB does not believe it would be appropriate to make statements about a data provider’s liability in this final rule.”

Banks and credit unions began voicing concerns Tuesday. The Bank Policy Institute pointed to the possibility that data might be shared without appropriate safeguards in place. Separately, the Defense Credit Union Council said credit unions would share data that might expose them to legal troubles tied to third-party handling of that data, which in turn would wind up “compounding operational and financial burdens.”