Insight

CFPB Finalizes Open Banking Rule

Executive Summary 

  • The Consumer Financial Protection Bureau (CFPB) finalized a long-awaited open banking rule that seeks to give consumers better control over their financial data and make it easier to shop around for competing products and services. 
  • Proponents of the rule note the opportunities for enhanced competition, better products and services for consumers, improved data security, and decreased barriers to entry for financial services providers. 
  • Opponents of the rule question whether the CFPB is operating within the scope of its powers, and note the increased opportunities for fraud as well as the unequal flow of rights to fintechs and responsibilities to the traditional banking sector. 

Introduction 

On Tuesday the Consumer Financial Protection Bureau (CFPB) released a milestone rulemaking policing the relationship between financial institutions and their customers’ data. For the first time, consumers will be able to request that their financial services providers share their privileged information with third-party competitors and fintechs offering competing products. The rule has met with unusual public and bipartisan political support, suggesting that it will survive future Congresses – provided it survives legal challenge. Two bank trade groups will seek to argue in court that the rule exceeds the CFPB’s mandate and will expose consumers to unacceptable levels of fraud. 

The Rule 

Under the new rule, companies will be required to share their clients’ privileged information, at the consumer’s request, with banks and fintechs offering competing products, and make that data freely available to customers at zero cost. By “unlocking” consumers’ access to their own data, the CFPB aims to meet several policy goals, chief among which is enhanced competition by reducing the barriers to swapping financial providers. The rule has a secondary objective, however, to “level the playing field” between the banking sector and nascent fintechs seeking to enter traditional banking with new products and services. The rule also improves the data guardrails at these fintechs to better safeguard customer data.

The finalized rule, which remains largely similar to its proposed version, exempts banks and credit unions holding less than $850 million in assets but applies to all non-depository institutions. Implementation of the rule will be phased in by institution size between 2026 and 2030.

Analysis 

The CFPB rule seeks to give consumers better control over their data and make it easier for consumers to find better offers on different goods and services, all while improving the standards for digital data storage. Enhanced competition between banks and fintechs necessarily improves the quality of financial products while lowering the costs, as well as reducing the operational and financial barriers to entry for new financial services organizations. Notably, the rule prohibits companies from using consumers’ data for targeted advertising. 

Less than a day after the release of the finalized rule, the Bank Policy Institute and Kentucky Bankers Association filed a lawsuit in Kentucky arguing that the CFPB has exceeded its authority and that the final rule will endanger both consumers and “the entire financial services ecosystem.” To the first charge, banks point to the rule being a distortionary expansion of the CFPB’s rights and responsibilities under Dodd-Frank, that it abdicates the Bureau’s responsibility to decrease financial risk, and note the inherent oddity of a rule covering fintechs the CFPB does not oversee or regulate. To the second charge, banks point to the potential for a significant increase in fraud and note that the finalized rule does not prevent or reduce “screen scraping,” in which third parties use data collected improperly for nonauthorized functions. In a press release, the Bank Policy Institute laid out a number of other concerns it has with the CFPB rule, among them that the rule provides no additional liability protection for banks, with whom all legal responsibility lies; allows fintechs and third parties to profit from systems built by banks; and offers an unreasonable implementation timeline.

At its heart, the CFPB’s rulemaking is the latest attempt to govern how consumer data is owned, stored, and shared across increasingly decentralized platforms. As noted by House Financial Services Committee Chair Patrick McHenry, who was otherwise supportive of the rule, “Congress must build on the bipartisan consensus regarding financial data privacy.” The CFPB open banking rule is no substitute for a federal standard for national data privacy. The Bank Policy Institute alluded to this in its suit, noting that despite calling for greater protection of consumer data, particularly by fintechs, the rule gave no practical requirements or guidance for how financial institutions should actually do so. 

Conclusion 

A CFPB rule that meets with overwhelming bipartisan support in Washington is a novelty. Increased competition, enhanced data safety, and a more open financial services ecosystem are policy goals to be applauded. Provided that the rule fends off legal challenge – which is in no way guaranteed considering the continued questions over the bureau’s constitutionality and source of funding – it is likely to survive future Congresses. It remains to be seen, however, whether the rule will prove a victory for consumers, an avenue for fraud that destabilizes the economy, or some combination of both. 
