The Consumer Financial Protection Bureau on Tuesday issued its long-awaited final rule on open banking — with a major tweak.
The rule would require financial institutions, credit card issuers and other firms to transfer personal financial data to other providers for free at the consumer’s request. But while last year’s proposal applied to data linked to bank accounts, credit cards and mobile wallets, Tuesday’s final rule applies to payment apps, too.
Rules surrounding the transfer of financial data, such as transaction records and information needed to initiate payments, are meant to ensure consumers maintain control of their banking history if they switch from one financial institution to another.
The CFPB asserts the greater freedom of movement will boost competition by helping consumers comparison-shop to earn higher interest on deposits or get loans with lower interest rates. That, in turn, will jolt providers into offering better products, the agency argued.
“Too many Americans are stuck in financial products with lousy rates and service,” CFPB Director Rohit Chopra said in a statement. “Today’s action will give people more power to get better rates and service on bank accounts, credit cards and more.”
The rule also may help users with shorter credit histories obtain credit by allowing lenders to access income- and expense-related data held on other platforms, the CFPB said. The framework also may boost security of “pay-by-bank” transactions, the agency said.
Under the rule, third parties can only collect, use or retain data to deliver the product the consumer requested, the CFPB said. That means they can’t secretly use or keep consumers’ data for unrelated business reasons – marking a pivot away from some of the consequences generated by screen scraping.
"The final rule makes clear that when consumers authorize companies to obtain their personal financial data on their behalf, these companies are not acting as service providers to the financial institutions holding the consumer's data — those companies are acting on behalf of the consumer," Chopra said in prepared remarks for a speech he was set to deliver at a conference held by the Federal Reserve Bank of Philadelphia. "The rule is designed to ensure that open banking does not become a new data pipeline that fuels surveillance pricing or other manipulative mischief.”
The rule does, however, permit third parties to engage some secondary uses of consumer-authorized data, such as those to improve the requested product or service.
There would be a time limit on data access, too. Financial providers can maintain access for no more than a year without express reauthorization. Consumers can revoke access, also – with immediate effect.
In another change from the proposed rule, the CFPB is delaying the compliance timeline for the rule by 10 months, compared with initial estimates. Compliance will be phased in waves, with the largest institutions due to comply by April 1, 2026, and the smallest by April 1, 2030.
Banks and credit unions with less than $850 million in assets will be exempt, but nondepository entities of any size must comply.
Banking trade groups Tuesday decried the rule. Consumer Bankers Association CEO Lindsey Johnson said the CFPB “exceeds its statutory authority” in issuing the rule.
“The CFPB … has contorted this very clear and limited statute into enabling thousands of third parties to access consumers’ data,” Johnson said.
She said many CBA members support an open-banking framework, but Tuesday’s rule “severely misses the mark” by failing to incorporate industry feedback from the public comment period.
“This has created an even less durable final rule that does not reflect market, technological, and practical realities,” Johnson said.
Bank Policy Institute CEO Greg Baer said Tuesday’s action “retains many of the deficiencies and omissions that plagued the proposed rule.”
“Banks have worked for years to establish secure ways to share customer data whenever the customer asks,” he said. “The CFPB’s rule disrupts this established process, requiring banks to share financial data with any third party without adequate safeguards to ensure the data is protected from fraud, misuse and abuse.”
Johnson took the criticism a step further, saying the CBA “continues to strongly object to the CFPB’s inaccurate assertions that this rulemaking is needed to increase competition in the marketplace.”
“The consumer credit card and deposit account markets specifically are highly competitive and the CFPB should not rely on mischaracterizations of the marketplace to justify the necessity of this rulemaking,” she said.