On October 22, 2024, the Consumer Financial Protection Bureau (CFPB) finalized its long-anticipated rule implementing Section 1033 of the Dodd-Frank Act. The 594-page final rule arrives nearly one year after the CFPB’s proposed rule, which received over 11,000 comments from industry participants concerning its implementation. The rule requires institutions that issue credit cards and hold transaction accounts, among others, to provide information about transactions, costs, charges, and usage to consumers and authorized third parties in electronic form upon request. While the text of the final rule closely adheres to the 2023 proposed rule, there are several substantive changes to the rule’s scope, secondary uses, and the compliance period. 

Importantly, the final rule expressly exempts depository institutions of less than $850 million in assets. For those above this threshold, the rule also provides rolling compliance dates, which are dictated by asset size.

• April 1, 2030, for banks with assets between $850 million and $1.5 billion
• April 1, 2029, for banks with assets between $1.5 billion and $3 billion in assets
• April 1, 2028, for banks with assets between $3 billion and $10 billion in assets
• April 1, 2027, for banks with $10 billion to $250 billion in assets

The rule represents the first significant step in the United States toward an open banking system. Specifically, the rule mandates that financial institutions and providers allow consumers to access and transfer their financial data to other providers for free, which the CFPB believes will promote competition within the industry. The rule also establishes privacy protections, limiting the purposes for which consumers’ financial data may be accessed or utilized – a provision that has been met with significant commentary by industry participants. Under the final rule, consumers now have the legal right to know what data is being collected, where the data is stored, and with whom the data is shared – with the right to revoke access at any time. Covered entities must develop written policies and procedures regarding the availability of covered data, responses to requests for information, and requests for developer interface access, data accuracy, and record retention.

Notably, the rule was immediately challenged in a lawsuit filed in the United States District Court for the Eastern District of Kentucky by notable industry groups. The complaint alleges the CFPB has overstepped its authority, and that the rule “jeopardizes consumers’ privacy, financial data and account security.” The lawsuit raises several concerns consistent with those raised by industry participants during the comment period. Key issues raised in the lawsuit largely focus on the potential risks associated with the general lack of oversight and accountability of third parties who access and use bank customer data, increasing the risk of fraud and the cost of compliance for depository institutions. The lawsuit also challenges the compliance deadlines, highlighting the lack of promulgated consensus standards that function as default industry standards for compliance under the rule. Without default standards, industry participants subject to the rule run the risk of developing compliance programs that must immediately be unwound and redone to adapt to standards that are later adopted.

While this may be the CFPB’s first significant rule to accelerate open banking in the U.S., it certainly will not be the last, as the CFPB has already announced its intent to develop additional rules to address more products, services, and use cases.

Listen to this post