On October 22, 2024, the Consumer Financial Protection Bureau (CFPB) finalized its long-awaited rule on Personal Financial Data Rights (referred to herein as the “Open Banking Rule”).

The Open Banking Rule requires banks, credit unions, and other financial service providers to make consumers’ data available upon request to those consumers or to third parties designated by such consumers. The rule implements the personal financial data rights established by the Consumer Financial Protection Act of 2010 (“CFPA”). In particular, Section 1033 of the CFPA provides consumers with a right to access their account information and to authorize certain third parties to access such information on the consumer’s behalf. Subject to the newly finalized Open Banking Rule, Section 1033 requires covered banks, credit unions, financial institutions, and certain payment providers to make consumers’ financial data available to that consumer or to a third party authorized to receive such information on the consumer’s behalf.

The Open Banking Rule casts a wide net and has substantial implications not only for the data providers (defined below), but also for the third parties receiving such information on behalf of the requesting consumer. The same day the Open Banking Rule was released, a Kentucky-based bank and two trade associations filed a lawsuit in federal district court in Kentucky challenging the rule, and we expect more lawsuits to follow. These legal challenges could delay or otherwise affect implementation of the rule, and Taft will continue to monitor their status.

We’ve boiled down the basics here in an FAQ format to demystify the implications this rule will have on the payments industry.

Q: Who does the Open Banking Rule apply to?

A: The Open Banking Rule applies to “data providers,” which are financial institutions (as defined in Regulation E), card issuers (as defined in Regulation Z), or any other person that controls or possesses information concerning a covered consumer financial product or service that the consumer obtained from that person.

Q: Which entities are considered “data providers”?

A: Data providers include depository institutions such as banks or credit unions, and nondepository institutions that issue credit cards, hold transaction accounts, issue devices to access an account, or provide other types of payment facilitation products or services.

Q: Which entities are not covered under the Open Banking Rule?

A: Data providers are exempt if they are depository institutions that hold $850 million or less in total assets, a threshold based on U.S. Small Business Administration (“SBA”) size standards.

Q: Who is an “authorized third party” under the Open Banking Rule?

A: An “authorized third party” is a third party that is authorized to receive “covered data” about “covered financial products and services” that is available in electronic form to consumers. An “authorized third party” is defined as a third party that has complied with the authorization procedures set forth in subpart D of the Open Banking Rule. For a third party to comply with subpart D and obtain authorization from a consumer to become an “authorized third party,” it must obtain authorization from the consumer on an annual basis. Continued use of a third party’s services does not constitute authorization. Before authorization is obtained, the third party must provide the consumer with the following “near in time” disclosures:

  • Name of the third party that will be authorized to access the covered data.
  • Name of the data provider that will be in control or possession of the covered data that will be processed by the third party.
  • The categories of covered data that will be accessed.
  • The purpose of accessing the covered data.
  • The time frame that the authorization will cover (up to one year).
  • A description of the mechanism for revoking consent.

Q: What is “covered data”?

A: “Covered data” is financial information that a financial institution (or “data provider”) must make accessible to consumers and authorized third parties upon request. Financial information includes, among other things, account balances, account terms and conditions, information necessary to initiate payments (including account and routing numbers), transaction amounts, transaction dates, payment types, rewards credits, fees and finance charges, and verification information necessary to confirm account ownership (e.g., name, address, email address, and phone number).

Q: How does the Open Banking Rule impact a person’s obligations or duties under the Gramm-Leach-Bliley Act and Regulation P?

A: Data providers are required to maintain a “developer interface,” which is the functionality through which a data provider receives requests for covered data and makes the data available to authorized third parties. Data providers are required to have an information security program for their developer interface that meets the requirements of the Safeguards Framework under the Gramm-Leach-Bliley Act (“GLBA”). If a data provider is not subject to the GLBA’s Safeguards Framework, it must have an information security program that meets the standards under the FTC’s Standards for Safeguarding Customer Information. Third parties must also have an information security program for their own systems for the collection, use, and retention of covered data that meets these requirements.

Q: How does the Open Banking Rule impact a person’s obligations or duties under the Fair Credit Reporting Act?

A: The obligations of the Open Banking Rule create overlap with the Fair Credit Reporting Act. A third-party data aggregator or other financial service provider may be classified as a credit reporting agency if it handles covered data that could be used for credit decisions, i.e., in a manner that the Fair Credit Reporting Act deems to be “credit report”-like information. This regulatory overlap will impose obligations on fintech and data aggregation companies to comply with the requirements of the Fair Credit Reporting Act for data accuracy, privacy, limitations on use of data, and data security.

Q: When are the mandatory compliance dates?

A: Compliance dates are staggered based on a data provider’s total assets or total receipts; larger entities have a shorter timeframe for compliance. April 1, 2026 is the compliance deadline for depository institutions with at least $250 billion in total assets and for non-depository institutions that generated at least $10 billion in total receipts in either 2023 or 2024. April 1, 2030 is the compliance deadline for depository institutions that hold less than $1.5 billion but more than $850 million in total assets.

Taft continues evaluating the Final Rule and is available to assist in analyzing the impact it may have on your new or existing operations and contractual agreements.