The Consumer Financial Protection Bureau (CFPB) has introduced the Personal Financial Data Rights Rule, often referred to as the “open banking” rule. This regulation aims to facilitate consumer access to financial services by allowing individuals to authorize third-party non-bank institutions to access their financial data. The CFPB’s Director, Rohit Chopra, advocates for this shift, underscoring that many Americans find themselves tethered to financial products with subpar rates and services offered by traditional banks and credit unions.
Despite the potential benefits touted by the CFPB, traditional banks and credit unions face significant challenges due to this rule. The regulation imposes stringent compliance obligations, prohibits the imposition of fees for data sharing, and holds banks liable for any unauthorized transactions that might result from data transfers. While the final ruling offers some relief compared to its proposed version, the landscape remains fraught with complexities for traditional financial institutions.
Notably, the final rule acknowledges existing privacy and security requirements under other legislation, allowing banks to comply with multiple regulatory frameworks without conflict. It further extends the compliance timeline for large banks to April 2026 and for smaller institutions, with less than $850 million in assets, to April 2030. This extension accommodates the complexities large banks face due to their sophisticated systems, although some argue that it remains insufficient.
The rule also clarifies that banks are not considered “furnishers” under the Fair Credit Reporting Act (FCRA) when they share data under the new regulation, averting additional regulatory burdens associated with the FCRA. Furthermore, the rule permits banks to challenge the practice of screen-scraping, a risky security practice that enables third parties to access consumer accounts using their login credentials.
Despite these adjustments, the banking sector has expressed concerns about the rule’s implications. The Bank Policy Institute, alongside Forcht Bank, N.A. and the Kentucky Bankers Association, has filed a lawsuit against the CFPB, arguing that the rule could hinder consumer protection, restrain open banking innovation, and elevate risks to consumer data and deposits.
While the rule aims to foster competition and improve consumer choice, it also highlights the potential vulnerabilities associated with non-bank entities in financial ecosystems. This is underscored by recent events, such as the bankruptcy of Synapse Financial, a significant back-end provider for fintechs, which resulted in some consumers losing track of their deposits temporarily. This incident illustrates the potential hazards as consumers increasingly engage with fintech solutions over traditional banking entities.
Ultimately, the CFPB’s ruling marks a significant shift in consumer finance, posing both opportunities and challenges for traditional banks. As legal challenges loom, and unless the Eastern District Court of Kentucky provides immediate injunctive relief, banks must prepare to navigate the complex regulatory landscape ahead. The complete text of the rule is available here, and for further analysis, Bloomberg Law provides detailed coverage here.