Maryland Legal Alert for Financial Services

Maryland Legal Alert - November 2024

In This Issue

CFPB ISSUES FINAL "OPEN BANKING" RULE

CFPB FAULTS FINANCIAL INSTITUTION FOR RUSHED CORE CONVERSION

CFPB Issues Final “Open Banking” Rule

The Consumer Financial Protection Bureau (CFPB) issued an "open banking" rule under Section 1033 of the Dodd-Frank Act. This rule mandates that financial institutions that issue credit cards and maintain transaction accounts must provide account holders and authorized third parties with access to information regarding transactions, charges, and usage in an electronic format upon request. It establishes a legal right for consumers to obtain details about what data is collected by the financial institution, where that data is stored, and how it is shared.  Additionally, the rule mandates that financial institutions covered under the new rule create two distinct interfaces for accessing covered data: a consumer interface for direct consumer access (like online banking) and a developer interface for authorized third parties (such as APIs). Financial institutions must share specific information, including their legal name, website link, Legal Entity Identifier (LEI), and contact details for inquiries. This information must be provided free of charge. 

Certain information, like confidential commercial data and fraud prevention data, is exempt from disclosure.  In contrast to the CFPB’s prior proposed rule from 2023 concerning this topic, the final rule applies only to financial institutions with assets exceeding $850 million. For financial institutions that meet this threshold, compliance is required based on a rolling scale determined by asset size. The earliest compliance date is April 1, 2027 (for financial institutions with assets between $10 billion and $250 billion), while the latest compliance date is April 1, 2030 (for financial institutions with assets between $850 million and $1.5 billion).  Already, the new rule has faced legal challenges in the United States District Court for the Eastern District of Kentucky, with concerns raised that the open banking rule could increase risks of consumer fraud and impose undue compliance costs on financial institutions.  

Practice Pointer: Financial institutions subject to the new rule should start implementing written policies and procedures to manage the availability of covered data, respond to information requests, and handle requests for developer interface access, data accuracy, and record retention. 

For more information, contact Christopher R. Rahl or Tamia J. Morris.

Contact Christopher R. Rahl | 410-576-4222

Contact Tamia J. Morris | 410-576-4021

CFPB Faults Financial Institution for Rushed Core Conversion

On October 31, 2024, the Consumer Financial Protection Bureau (CFPB) entered into a consent order with a large credit union based in Florida.  The credit union’s members include a large number of military service members and their families. In 2022, the credit union attempted to launch a new online and mobile banking platform with a new and untested core account hosting provider. The credit union’s online system did not function properly, causing the credit union to pull the system offline.  The online access was restored with limited functionality for several months, resulting in significant restrictions on credit union members’ ability to access funds.  The CFPB faulted the credit union for failing to properly plan for the core conversion, including the failure to do sufficient due diligence on its service provider and the failure to leave enough time for adequate development and testing.   

The CFPB found that the significant problems experienced by the credit union’s members were foreseeable and preventable and that the credit union’s deficient planning and service provider oversight constituted an unfair practice in violation of the Consumer Financial Protection Act of 2010 that caused financial and non-financial harm to consumers (including fees, costs, and inconvenience). The consent order requires the credit union to come into compliance with applicable law, establish a governance committee to ensure proper management of projects involving consumer facing banking systems, make appropriate redress to impacted consumers, and pay a $1.5 million civil money penalty.  The enforcement action serves as a reminder to financial institutions considering core processor conversions to be mindful of applicable interagency guidance concerning service provider oversight. 

For more information, contact Christopher R. Rahl.

Contact Christopher R. Rahl | 410-576-4222
