Mark Taylor
Senior Editorial Manager
Open banking has officially arrived in the US.
The Consumer Financial Protection Bureau (CFPB) has finalised its Required Rulemaking on Personal Financial Data Rights (Final Rule), aimed at giving consumers greater control over their personal financial data.
Now, financial institutions, credit card issuers, and other providers must hand over an individual’s financial data to another provider at the consumer’s request and at no charge.
Regulators anticipate that consumers will soon be able to switch bank accounts as seamlessly as they switch mobile phone providers.
Here’s a breakdown of what the CFPB’s open banking rules mean for compliance functions.
The scope of the Final Rule is very broad
The Final Rule casts a wide net.
It covers “data providers,” “third parties,” and “data aggregators,” which include financial institutions, credit card issuers, and any other entities controlling consumer data related to financial products or services.
This means all retail banking and payment services providers fall within the rule's scope as data providers.
Notably, digital wallets are also included, and the CFPB has indicated it may expand its definition of a data provider in the future.
“Third parties” refers to any entity, other than the consumer or the data controller, that handles consumer data, often the consumer’s new bank or payment provider.
The rule includes additional requirements for “data aggregators” that assist third parties in accessing financial data, encompassing tech firms that provide app interfaces or payment solutions.
“Covered data” spans transaction information, account balances, bill information, payment initiation details, account verification, and more. No explicit exclusions are provided for de-identified or anonymised data.
Strong privacy protections are a must
Lucrative financial data is at stake here, which means already strict privacy requirements will be further tightened.
Personal financial data can only be used for purposes requested by the consumer. Third parties are prohibited from leveraging consumer data for unrelated purposes that benefit the third party but are not desired by the consumer.
The rule also moves the industry away from “screen scraping,” a high-risk practice in which consumers share their login credentials with third parties who access data through online banking portals.
In providing consumers with more control over their data, the Final Rule aims to promote greater choice and competition.
Consumer financial protection standards are tighter than ever
Once access has been granted, regulators have made it clear they expect customer transactional data to be handled with extreme care.
Third parties may only collect and use data to deliver the product or service the consumer requested, not for unrelated purposes like targeted advertising.
While the rule does not ban specific data uses, they must strictly concern the consumer’s expressed needs.
Consumers also have the right to revoke access to their data, which must then be deleted by default. Access can persist only for up to one year without reauthorisation, and revocation procedures must be simple and straightforward to prevent “dark patterns”.
Attention must be paid to third-party risks
For the CFPB, sharing is caring. For banks, it is a little more complicated.
The Final Rule mandates that data providers (e.g., banks) allow authenticated consumers and authorised third parties to access updated covered data in a portable, electronic format without fees.
The provider must establish two interfaces: one for consumers and another for developers. The developer interface, which provides third-party access to covered data, must meet specific format, performance, and security requirements, with safe harbour available for those adhering to qualified industry standards.
Additionally, data providers must publicly disclose certain information in both human and machine-readable formats, going beyond standard annual privacy policy updates. Written policies and procedures for data accuracy, retention, and access requests are also required.
Third parties are allowed access to the data under certain conditions; the Final Rule establishes a three-part authorisation procedure involving disclosure, certification of obligations, and the consumer’s informed consent.
Data aggregators must also meet specific obligations in order to perform this authorisation. The rule limits secondary uses of consumer data, explicitly prohibiting use for targeted advertising, cross-selling, or data resale.
While some sought clarity on de-identified data and AI training, the rule permits data use solely for improving requested products or services.
Additional provisions address data security, retention, consent revocation, reauthorisation, and procedural documentation.
Implementation will be phased in
In a change from initial proposals, compliance with the rule will be phased in based on the size of the firm sharing the data.
Larger institutions must comply by April 1, 2026, while smaller institutions have until April 1, 2030. Certain small banks and credit unions are exempt.
This streamlined structure should help compliance teams better understand and prepare for the impact of the CFPB’s open banking rules on their operations.
CUBE comment
For compliance professionals, the main takeaway is that adapting to the new CFPB rules will require quick and precise responses to ongoing regulatory changes.
With the CFPB’s broad definitions and data privacy requirements, regulations can evolve quickly. Automated Regulatory Intelligence can track and interpret these updates, allowing compliance teams to adapt faster without manually monitoring changes.
A clear and reliable data management process is also required, given the greater emphasis on strong controls around data access, consent revocation, and deletion workflows.
Contact CUBE today to learn how Automated Regulatory Intelligence can help your business turn regulatory change management into a strategic advantage.