Exciting changes are on the horizon for US consumers and payment service providers (PSPs). The Consumer Financial Protection Bureau (CFPB) has mandated that PSPs share individual financial data with other providers at no charge, upon customer request. This requirement comes from the long-awaited Open Banking rules announced on October 22, 2024.
“Too many Americans are stuck in financial products with lousy rates and service,” said CFPB Director Rohit Chopra on the day of the announcement. “Today’s action will empower people to secure better rates and service on bank accounts, credit cards, and more.”
But how have these new rules been received? What are banks expected to do? And what does it all mean for consumers?
Open Banking in the US
These changes have been a long time coming. The CFPB’s new Open Banking rules were first proposed in 2023 but have been 14 years in development. They activate Section 1033 of the Consumer Financial Protection Act, a provision passed in 2010 in response to the 2008 financial crisis. It has been largely dormant until now.
As a result, the US lags regions such as India with UPI and the EU with PSD2, which have been quicker to adopt formal Open Banking policies. The US has instead relied on private-sector initiatives. But this has led to concerns over inconsistent consumer protection, security, data privacy, and standardization in financial data sharing.
To address them, the CFPB took its first major step forward in October 2023 by releasing a proposed rule to formalize Open Banking in the U.S. Now, after receiving feedback, the CFPB has finalized the rule on October 22, 2024. This marks a significant shift toward establishing a secure, standardized, and competitive Open Banking system.
What is the CFPB Trying to Achieve?
The new CFPB’s Open Banking rules aim to:
- Enhance consumer access to their financial data.
- Boost competition in financial services, enabling consumers to switch providers for better rates and services.
- Foster transparency, innovation, and consumer choice by making data more accessible and standardized.
- Ensure secure financial data sharing between consumers and third-party providers, reducing reliance on risky practices like screen scraping.
While the CFPB’s original proposal included many of the same core elements, the final rule reflects several key changes based on public feedback. Staggered compliance deadlines, for example, aim to accommodate smaller financial institutions.
The final rule also clarifies privacy protections regarding third-party data usage and reinforces protections around data retention. Providers must immediately withdraw access and delete customer data if an individual revokes consent.
Who’s Set to Gain from the New Rules?
Consumers will get greater control over their financial data, along with increased autonomy and trust in the financial system. Open Banking will allow consumers to switch financial providers more easily, access personalized financial services, and make better-informed decisions. Robust consumer protections ensure they are safeguarded in the event of data breaches or misuse, with clear recourse for resolving such issues. It’s a big step in the right direction.
Traditional banks and credit unions face both challenges and opportunities. They will need to invest in building secure data-sharing systems or partner with FinTech companies and technology firms to comply. Compliance will likely increase operational costs due to technology upgrades and the need to develop or acquire APIs for data sharing. However, this also opens new opportunities for collaboration and innovation in consumer services.
For FinTech companies, the rules level the playing field. By granting regulated access to consumer financial data – historically controlled by larger financial institutions – the door is open for innovation. This shift is likely to spur the development of new financial products and services. Smaller FinTechs may face challenges in meeting cybersecurity requirements, but those already offering open banking services will have a competitive advantage.
How Have the New Rules Been Received?
The new rules have elicited a range of responses. Consumer advocates have largely praised the CFPB for expanding consumer rights and protecting privacy.
The American Fintech Council (AFC), meanwhile, welcomes the potential for innovation but has expressed concerns about limitations on data usage for services like targeted advertising. “AFC recognizes and appreciates the monumental effort put forward by the Consumer Financial Protection Bureau (CFPB) to establish a robust Open Banking framework through the finalization of its Personal Financial Data Rights rule,” the organization stated in a press release.
“However, we are deeply concerned about the CFPB’s decision to finalize this rule without adequately considering and amending regulatory provisions regarding the secondary use of consumers’ data for cross-selling financial products and conducting targeted advertising.
But it’s banks that have expressed the most concern. Larger financial institutions have raised issues about the rule’s compliance costs, while smaller banks and credit unions worry about being competitively disadvantaged, despite receiving extended compliance deadlines.
What Are Banks Supposed to Do?
To comply with the CFPB’s new Open Banking rules, banks must take several key actions:
- Provide Consumer Financial Data Access: Institutions must give consumers access to their financial data and authorize third-party access, including details like account balances, transaction history, and payment information.
- Build Secure API Interfaces: Secure, standardized APIs are required for data sharing with authorized third parties, replacing riskier methods like screen scraping to ensure reliable data transfer.
- Obtain Explicit Consumer Consent: Before sharing data with third parties, banks must obtain clear and informed consumer consent, with systems in place to document and manage it effectively.
- Enhance Privacy and Security Measures: Consumer data must only be shared for authorized purposes and handled securely.
- Adhere to Phased Compliance Deadlines: Compliance deadlines begin in April 2026 for larger institutions and April 2030 for smaller ones. Banks with assets under $850 million are exempt.
- Prohibit Fees for Data Access: Banks cannot charge consumers or third parties for data access and must absorb any related compliance costs.
- Monitor Third-Party Compliance: Institutions must ensure third-party providers comply with CFPB rules, establishing contracts to define data usage and security responsibilities.
- Prepare for Regulatory Audits: Detailed records and documentation should be maintained to demonstrate compliance with CFPB rules during regulatory audits. To become compliant and meet the deadlines, banks may need to consider support from payment experts. Experience in markets like the UK and EU, where the Open Banking market is more developed, will be particularly beneficial.
Banks Push Back
Immediately after it was published, the Bank Policy Institute and the Kentucky Bankers Association filed a lawsuit against the CFPB over its rules on data sharing. They claim the rule endangers consumer privacy and security, accusing the CFPB of overstepping its authority with a disruptive regulatory framework. They also criticize the CFPB for imposing costly compliance burdens without allowing banks to charge fees to offset expenses.
The lawsuit argues that the rule forces banks to engage in risky data-sharing practices, disclosing sensitive customer data to third parties, thereby heightening security risks without sufficient data protection. If successful, it could invalidate the CFPB’s rules under the Administrative Procedure Act.
It’s not just banks—credit unions also share these concerns, warning that data-sharing with outside parties could expose them to legal liabilities and financial strain. This could lead to delays or changes in the rule’s rollout, adding uncertainty to the future of open banking in the U.S.
What Does This Mean for the US market?
The US has lagged other regions in implementing open banking. Europe’s PSD2 regulation and the UK’s Open Banking Standards have set the benchmark for promoting financial transparency, competition, and secure data-sharing frameworks. These systems provide valuable insights into how structured regulations can foster innovation while managing consumer privacy and security risks. Other regions such as India, Brazil, and Southeast Asia are also advancing rapidly.
The CFPB’s final rule represents the US’s first major step in this direction. By learning from global experiences, the U.S. can better manage security and privacy concerns while encouraging competition and innovation in its financial services landscape.
I Don’t Know Where to Start with the CFPB’s New Open Banking Rules. What Should I Do?
Speak to RedCompass Labs. We have extensive experience helping some of the world’s largest banks comply with Open Banking regulations in the EU and UK.
We are experts in regulatory compliance and financial innovation, specializing in helping financial institutions and fintech companies navigate complex regulatory landscapes.
Our team can guide you through the challenges of implementing the CFPB’s new rule, from building compliant and scalable data-sharing infrastructures to integrating seamless API solutions.
Get ready for the future of Open Banking. Get in touch today.
Share this post
Written by
Arun Kumar Saravanan
Senior Business Analyst, RedCompass Labs
Resources