What Banks Need to Know About the CFPB's Open Banking Rule

Community banks with $850 million or more in assets will soon need to comply with new open banking regulation, though smaller institutions might still want to prepare for data sharing if their customers start demanding it. 

In October, the Consumer Financial Protection Bureau (CFPB) finalized its Personal Financial Data Rights Rule, a rule “that will give consumers greater rights, privacy and security over their personal financial data,” the agency said in a press release announcing the final rule.

The rule says customers will be able to authorize a third party to access data associated with their bank accounts, credit cards, mobile wallets, payment apps and other financial products. Such data includes information about transactions, account balance, upcoming bill information, basic account verification and the kind of information needed to initiate payments.

Financial providers must make this information available without charging fees, through a secure “digital interface” that third parties can access via APIs after a customer authorizes access.

The rule’s effective compliance dates will be staggered based on size, with the largest institutions having to comply by April 1, 2026. The smallest covered institutions will have until April 1, 2030.

Smaller banks can be led by customer preference

ICBA was instrumental in allowing institutions with less than $850 million in assets to be exempt from having to build a digital interface, says Mickey Marshall, ICBA assistant vice president and regulatory counsel.

“We felt that was necessary, because for a bank that size, this is not something they’re going to be able to build in-house,” he says, “and they’ll be completely dependent on vendors.”

However, Marshall notes, if smaller institutions hear from their customers that they would like to share this data, then those institutions have the option to set up a portal.

While third parties, including other banks or fintechs, can use customer data to counter competing offers, the ability to share will go both ways, he says. Community banks can essentially be the “third party” and entice customers of other institutions or fintechs to share their information, which could help them win that business.

“Community banks can then offer them superior prices, superior products and services, and try to win over those customers,” Marshall says. “They can do that more quickly now, because they’re getting all of that information about the customer within those companies, so it allows them to be more nimble in terms of gaining new customers.”

Third-party privacy concerns

According to Marshall, ICBA is now advocating for the CFPB to change the rule to enable institutions to charge third parties a fee for accessing the digital interface, to recoup the costs associated with building and maintaining it.

Under the new rule, the potential for fraud is a big concern, notes Marshall. Banks are going to be asked to share this data with companies with which they may not have any previous relationship. They also won’t be able to determine how well the third party is securing the data.

While third parties receiving customer information are required to protect customers’ privacy per the Gramm-Leach-Bliley Act, as well as adhere to the Federal Trade Commission’s Standards for Safeguarding Customer Information, “there’s a difference between being required to comply and actually doing it,” Marshall says.

“If they’re a fintech that’s not supervised or examined by any federal agency, then how is a bank going to know if they’re actually in compliance with that regulation or not?” he says. “If a customer then has their information compromised or suffers a loss when money goes out of the bank account, they may wrongly blame the bank.”

Customer education is critical

Community banks developing such interfaces should educate customers on the potential risks of sharing information with fintechs that have weak security standards. Customers should also be aware of the possibility that the third party could actually be a fraudster posing as a fintech to steal customer account numbers and other sensitive information.

Banks also should let third parties know that they will independently confirm whether the customer actually authorized access, Marshall says. This is more feasible now that the CFPB’s final rule states that access should be granted in a reasonable time—and not within 3.5 seconds, as proposed in the initial rule.

According to Marshall, “That’s another way banks can make this a little bit safer, and the verification should also come with some sort of warning about the risks of sharing information.”

The CFPB’s Personal Financial Data Rights Rule is part of the agency’s efforts to finally activate Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act enacted by Congress in 2010. The CFPB will be developing additional rules to address more products, services and use cases, the agency said in its press release.

---