Maryland Legal Alert for Financial Services
CFPB Issues Final “Open Banking” Rule
The Consumer Financial Protection Bureau (CFPB) issued an "open banking" rule under Section 1033 of the Dodd-Frank Act. The rule requires financial institutions that issue credit cards and maintain transaction accounts to provide account holders and authorized third parties, upon request, with access to information regarding transactions, charges, and usage in an electronic format. It establishes a legal right for consumers to obtain details about what data is collected by the financial institution, where that data is stored, and how it is shared. Additionally, the rule requires covered financial institutions to create two distinct interfaces for accessing covered data: a consumer interface for direct consumer access (like online banking) and a developer interface (such as an API) for authorized third parties. Financial institutions must share specific information, including their legal name, website link, Legal Entity Identifier (LEI), and contact details for inquiries. This information must be provided free of charge.
Certain information, like confidential commercial data and fraud prevention data, is exempt from disclosure. In contrast to the CFPB’s prior proposed rule from 2023 concerning this topic, the final rule applies only to financial institutions with assets exceeding $850 million. For financial institutions that meet this threshold, compliance is required based on a rolling scale determined by asset size. The earliest compliance date is April 1, 2027 (for financial institutions with assets between $10 billion and $250 billion), while the latest compliance date is April 1, 2030 (for financial institutions with assets between $850 million and $1.5 billion). Already, the new rule has faced legal challenges in the United States District Court for the Eastern District of Kentucky, with concerns raised that the open banking rule could increase risks of consumer fraud and impose undue compliance costs on financial institutions.
Practice Pointer: Financial institutions subject to the new rule should start implementing written policies and procedures to manage the availability of covered data, respond to information requests, and handle requests for developer interface access, data accuracy, and record retention.
For more information, contact Christopher R. Rahl or Tamia J. Morris.