Key Takeaways
- Access to Consumer Data: The CFPB released its Final Rule under Dodd-Frank Act Section 1033, which is intended to facilitate open banking by requiring data providers to grant access to covered data to consumers and the third parties that consumers authorize to access their data.
- Phased Implementation for Data Providers: The requirements for data providers under the Final Rule will be rolled out in phases over six years, depending on the asset size or annual revenue of the data provider, with the first band starting on April 1, 2026 for the largest institutions.
- Requirements for Third Parties: Authorized third parties must disclose specific information to consumers when seeking authorization to access data on their behalf. The third parties are limited in their use of the data to purposes "reasonably necessary" to provide the requested service to consumers.
- Legal and Industry Implications: The Final Rule prompted legal challenges and concerns regarding data security and regulatory burden, highlighting the need for ongoing monitoring by industry stakeholders.
On October 22, 2024, the Consumer Financial Protection Bureau (CFPB) issued its final rule to implement its authority under Section 1033 of the Dodd-Frank Act (12 U.S.C. § 5533), which is intended to facilitate open banking (the “Final Rule”). The Final Rule imposes new data access requirements on various parties in the financial ecosystem, including financial institutions, data aggregators, and businesses that consumers authorize to access information on the consumer’s behalf. With limited exceptions discussed below, the Final Rule tracks the CFPB’s October 2023 proposed rule.
This alert covers the key scoping and definitional concepts in the Final Rule (Section I), identifies the key requirements imposed on data providers (Section II) and third parties (Section III), and provides some initial analysis of the Final Rule’s impact (Section IV) before sharing thoughts on the outlook for the industry (Section V).
I. Scope and Definitions
The Final Rule places obligations on “data providers,” “third parties,” and “data aggregators,” and provides guidelines and restrictions for certain data related to “covered financial products and services.”
- Data Providers. A “data provider” includes an account-holding financial institution (e.g., banks and credit unions), credit card issuer, digital wallet provider, and generally any other entity that controls or possesses information concerning a covered consumer financial product or service (i.e., Regulation E “accounts,” Regulation Z “credit cards,” and facilitation of payments from either) that the entity provides to the consumer. The inclusion of entities that “facilitate pass-through payments” will result in many fintech payment platforms and wallet providers being subject to the data provider requirements. In a change from the proposed rule, small depository institutions (i.e., those with less than $850 million in total assets) are exempt from the rule.
It is worth noting that the initial scope of “covered products and services” excludes many entities that may provide financial services or hold financial data, including certain Regulation Z creditors (such as mortgage, auto, and payday lenders), payroll providers, holders of tax records, electronic bill presentment providers, investment products, retirement accounts, small business lenders, and others. However, the CFPB has signaled that it intends to cover more products under future Section 1033 rulemakings (e.g., mortgages, auto loans, and student loans).
- Covered Data. “Covered data” is account data related to a covered financial product or service, including transaction information, account balance, payment-initiation data, terms and conditions, upcoming bill information, and basic account verification information.
- The payment initiation data category would include account and routing numbers used to create ACH transactions. However, a data provider would be permitted to provide a “tokenized account number instead of, or in addition to, a non-tokenized account number, as long as the tokenization is not used as a pretext to restrict competitive use of payment initiation information.”
- Notable exclusions from the definition of “covered data” include (i) confidential commercial information (e.g., underwriting algorithms); (ii) information collected for the sole purpose of preventing fraud or money laundering, or for detecting, or making any report regarding unlawful conduct; (iii) information required to be kept confidential by any other provision of law; and (iv) information that the data provider cannot retrieve in the ordinary course of business.
- Third Parties. The Final Rule also defines third parties who may access consumer data, including “third parties” and “data aggregators.”
- “Third parties” include any person in receipt of covered data that is not a data provider or consumer.
- “Authorized third parties” are a subset of “third parties” that seek access to covered data on behalf of a consumer and meet specified authorization procedures set forth in the Final Rule.
- “Data aggregators” are entities that are retained by, and provide services to, authorized third parties to enable access to covered data.
- Standard-Setting Bodies. The Final Rule also defines “Standard-Setting Bodies” (“SSBs”) to set Qualified Industry Standards (“QISs”), which will provide guidelines to data providers and third parties regarding compliance with the Final Rule. An SSB is defined as a “fair, open and inclusive” industry body that meets specific requirements for openness, balance of decision-making power, due process and appeals, consensus, and transparency. In June 2024, the CFPB published a rule supplementing the Final Rule, which lays out the requirements for submitting applications to become recognized by the CFPB as an SSB and issuer of QISs.
II. Key Requirements for Data Providers
Upon the data provider’s compliance date, the data provider will need to meet specific obligations including:
- Consumer and Developer Interface. A data provider is required to establish a “developer interface” and a “consumer interface.”
- The developer interface must be designated for handling data requests from authorized third parties (or aggregators).
- A developer interface must be provided in addition to a consumer interface, such as a mobile application, through which a data provider makes data available to consumers.
- A data provider may not allow third parties to access the developer interface by using any credentials that a consumer uses to access the consumer interface.
- Data Access. A data provider is required to make covered data available in an electronic, consumer-usable form: to authenticated consumers through the consumer interface, and to authorized third parties (or data aggregators acting on behalf of authorized third parties) through the developer interface.
- There are additional requirements regarding how the data must be made available, and the CFPB indicated that the requirements should promote the use and development of standardized formats.
- A data provider is prohibited from imposing any fees or charges for the interfaces or for receiving requests or providing covered data through the interfaces.
- A data provider is not required to grant consumers or authorized third parties access to covered data if the data provider’s denial of the request for access is directly related to a specific risk of which the data provider is aware, such as a failure of a third party to maintain adequate data security.
- Written Policies, Procedures, and Reporting. A data provider is required to maintain written policies and procedures that align with the objectives of the Final Rule, including:
- The terms by which covered data is made available; and
- The mechanics of data access, including basic operational, performance (i.e., response service-level agreements), and security standards. Specifically, the Final Rule obligates a data provider to apply to the developer interface an information security program that satisfies the Gramm-Leach-Bliley Act (GLBA) or the Federal Trade Commission (FTC) Safeguards Rule for covered data.
- Reporting. A data provider is also required to make certain developer interface documentation and performance information readily available to the public, in a format at “least as available as it would be on a public website.” Specifically, a data provider must make available performance specifications that the data provider’s developer interface achieved (e.g., uptime percentages) in the previous calendar month (and a rolling 13 months of the required monthly figure).
- Record Retention. A data provider is required to retain records related to the data provider’s response to a consumer’s or authorized third party’s request for information for three years (other records that are evidence of the data provider’s compliance also must be retained for at least three years).
Phased Implementation
The Final Rule has a phased roll out for data providers, by asset size or annual revenue, for depository institutions and non-depository institutions, respectively. As described in the table below, larger data providers become subject to the Final Rule on April 1, 2026, while smaller data providers are subject to a phased implementation within four years after the effective date of the Final Rule. The Final Rule has an effective date of 60 days after its publication in the Federal Register.
| Tier | Timeline | Criteria |
| --- | --- | --- |
| 1 | April 1, 2026 | In either calendar year 2023 or calendar year 2024: depository institutions that held at least $250 billion in total assets; non-depository institutions that generated at least $10 billion in total receipts (based on the SBA definition of receipts). |
| 2 | April 1, 2027 | In either calendar year 2023 or calendar year 2024: depository institutions that held at least $10 billion but less than $250 billion in total assets; non-depository institutions that did not generate at least $10 billion in total receipts. |
| 3 | April 1, 2028 | Depository institutions that held at least $3 billion but less than $10 billion in total assets. |
| 4 | April 1, 2029 | Depository institutions that held at least $1.5 billion but less than $3 billion in total assets. |
| 5 | April 1, 2030 | Depository institutions that held at least $850 million but less than $1.5 billion in total assets. |
As indicated above, a data provider is exempt if it is a depository institution or credit union with less than $850 million in total assets, and the minimum asset threshold will fluctuate in the future based on the Small Business Administration (“SBA”) size standards referenced in the Final Rule.
III. Key Requirements for Authorized Third Parties and Data Aggregators
The Final Rule requires a third party authorized by a consumer to access the consumer’s data to comply with numerous requirements.
- Authorization Disclosure to Consumers. An authorized third party is required to make a specific disclosure to the consumer in the context of seeking authorization to access covered data. The disclosure must include:
- The name of the third party and the name of any data aggregator the third party uses to access the data;
- A brief description of the product or service that the consumer has requested;
- A statement that the third party will collect, use, and retain the consumer data only to provide the consumer with the requested product or service;
- A description of the expected duration of covered data collection (not longer than one year); and
- A description of the mechanism to revoke authorization.
- Certification to Consumer. The authorized third party must certify that it agrees to abide by the obligations required of third parties under the Final Rule.
- Limitations of Use. An authorized third party is generally limited in its use of covered data to what is “reasonably necessary” to provide the consumer with the requested product or service.
- Permissible uses of covered data also include (i) uses that are specifically required under other provisions of law; (ii) uses that are reasonably necessary to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability; (iii) servicing or processing the product or service; and (iv) uses that are reasonably necessary to improve the product or service the consumer requested.
- The Final Rule specifically prohibits the use of account data collected through an interface for targeted advertising, marketing, or selling to data brokers.
- The Final Rule also imposes a time limit on retention of the data; specifically, covered data collected by an authorized third party can be maintained for a maximum of one year after the consumer’s most recent authorization, and collection beyond the one-year period requires a new authorization from the consumer.
- Accuracy and Security. An authorized third party must establish and maintain written policies and procedures to ensure that covered data is accurately received and accurately provided to another third party. Moreover, the Final Rule obligates the authorized third party to maintain an information security program, applicable to the systems used for the collection, use, and retention of covered data, that satisfies the GLBA or the FTC Safeguards Rule for covered data.
- Data Aggregators. The Final Rule allows authorized third parties to contract with data aggregators to assist in accessing covered data through the developer interface. In providing such services, a data aggregator is permitted to perform the authorization procedures described above on behalf of the third party, provided that the data aggregator certifies to the consumer (i.e., the consumer whose data is being obtained by the authorized third party) that it agrees to the same data use limitations, data security, and compliance obligations to which the third party is subject. The certification must be provided, electronically or in writing, separately from the authorization disclosure, and must contain the name of the data aggregator.
The Final Rule does not provide an express compliance date for authorized third parties or data aggregators. Instead, authorized third parties must be prepared to request covered data in accordance with the Final Rule when requesting it from a data provider after that data provider’s compliance date.
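The interface-separation requirement in Section II (no consumer credentials on the developer interface) and the third-party limits in Section III (use confined to the authorized scope, a one-year ceiling before re-authorization, a revocation mechanism, and records of each response) together describe an access-control model that a data provider has to implement. The following is an added illustrative example and not code from the Final Rule, the CFPB, or any data provider or aggregator: the class and method names, the scope labels, the bearer-token format, the HMAC-based tokenized account number (Section I), and the reading of “one year” as 365 days are all this example’s own assumptions.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Collection may not continue more than one year past the latest authorization (365 days is an assumption).
MAX_AUTHORIZATION_AGE = timedelta(days=365)
# Covered-data categories named in the alert; the short labels are this example's own.
COVERED_SCOPES = frozenset({
    "transactions", "balance", "payment_initiation",
    "terms", "upcoming_bills", "account_verification",
})

@dataclass(frozen=True)
class ConsumerLogin:
    """What a consumer types into the consumer interface (app or website)."""
    username: str
    password: str

@dataclass(frozen=True)
class DelegatedToken:
    """Bearer token issued to an authorized third party or its data aggregator."""
    value: str

@dataclass
class Authorization:
    consumer_id: str
    third_party: str
    aggregator: str | None
    scopes: frozenset[str]
    authorized_at: datetime
    revoked: bool = False

class DeveloperInterface:
    """Token-only, scoped, time-limited and logged access to covered data (assumed design)."""

    def __init__(self, tokenization_key: bytes) -> None:
        self._key = tokenization_key
        self._auths: dict[str, Authorization] = {}
        self._accounts: dict[str, str] = {}   # consumer_id -> raw account number (assumed store)
        self.access_log: list[dict] = []      # every outcome is kept for the retention period

    def add_account(self, consumer_id: str, account_number: str) -> None:
        self._accounts[consumer_id] = account_number

    def authorize(self, consumer_id: str, third_party: str, scopes: set[str],
                  aggregator: str | None = None, now: datetime | None = None) -> DelegatedToken:
        """Issue a delegated token once the consumer has completed the authorization disclosure."""
        unknown = set(scopes) - COVERED_SCOPES
        if unknown:
            raise ValueError(f"not covered data: {sorted(unknown)}")
        token = secrets.token_urlsafe(24)
        self._auths[token] = Authorization(consumer_id, third_party, aggregator,
                                           frozenset(scopes), now or datetime.now(timezone.utc))
        return DelegatedToken(token)

    def revoke(self, token: DelegatedToken) -> None:
        """The consumer's revocation mechanism; takes effect on the next request."""
        if token.value in self._auths:
            self._auths[token.value].revoked = True

    def tokenize_account(self, account_number: str) -> str:
        """Stable per-provider substitute for the raw account number (HMAC is an assumption)."""
        mac = hmac.new(self._key, account_number.encode(), hashlib.sha256).hexdigest()
        return "tok_" + mac[:16]

    def request_data(self, credential: object, scope: str, now: datetime | None = None) -> dict:
        now = now or datetime.now(timezone.utc)
        result = self._evaluate(credential, scope, now)
        self.access_log.append({"at": now.isoformat(), "scope": scope, "reason": result["reason"]})
        return result

    def _evaluate(self, credential: object, scope: str, now: datetime) -> dict:
        # Consumer-interface credentials are never accepted here, whoever presents them.
        if isinstance(credential, ConsumerLogin):
            return {"allowed": False, "reason": "consumer_credentials_not_accepted"}
        if not isinstance(credential, DelegatedToken):
            return {"allowed": False, "reason": "unsupported_credential"}
        auth = self._auths.get(credential.value)
        if auth is None:
            return {"allowed": False, "reason": "unknown_token"}
        if auth.revoked:
            return {"allowed": False, "reason": "revoked"}
        if now - auth.authorized_at > MAX_AUTHORIZATION_AGE:
            return {"allowed": False, "reason": "reauthorization_required"}
        if scope not in auth.scopes:
            return {"allowed": False, "reason": "out_of_scope"}
        account = self._accounts.get(auth.consumer_id)
        if account is None:
            return {"allowed": False, "reason": "no_account"}
        data = {"consumer_id": auth.consumer_id, "third_party": auth.third_party, "scope": scope}
        if scope == "payment_initiation":
            data["account_number"] = self.tokenize_account(account)  # tokenized, never the raw number
        return {"allowed": True, "reason": "ok", "data": data}
```

In a real deployment the refusal of consumer credentials would be enforced structurally (a separate endpoint that only accepts delegated tokens, typically OAuth-style), rather than by inspecting the credential type as this example does; the point of the checks above is that a consumer password never grants developer-interface access, every grant is bounded by scope and by the one-year window, revocation is honored on the next request, and each decision leaves a record. The access log deliberately stores only the outcome, not the covered data itself.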
IV. Analysis and Impact
- Screen Scraping. While “screen scraping” is not expressly banned under the Final Rule, the CFPB said it believes the practice will phase out with implementation of the Final Rule. The CFPB anticipates that screen scraping will not be a viable long-term method of access, in part because a data provider may not allow a third party to access its developer interface using the credentials that a consumer uses on the consumer interface. As such, the Final Rule appears to place the onus on data providers to prevent screen scraping of their own interfaces but does not address screen scraping outside of their control. Despite the CFPB’s expectation, screen scraping may persist as a method of collecting data held by entities that are outside the scope of a “data provider” but hold important financial data about consumers, such as payroll providers, landlords, and others.
- Existing Relationships Between Data Aggregators and Data Providers. Since the Dodd-Frank Act was enacted, and prior to promulgation of the Final Rule, the industry has taken steps to negotiate and execute data access agreements to set standards for access to consumer data. As such, there is a network of bilateral agreements governing the exchange of covered data between data providers and data aggregators (on behalf of third parties) through Application Programming Interfaces (APIs). The Final Rule will force parties to these bilateral agreements to adapt their practices to come into compliance with the obligations under the Final Rule. Ultimately, each stakeholder will need to analyze the individual relationships and agreements that it has with its customers and counterparties to understand the implications of the Final Rule and what changes may need to be made.
- Updated Authorizations. Similarly, the Final Rule will require authorized third parties and data aggregators to review their consumer authorizations and disclosures. While third parties under the existing aggregator model will have obtained the consumer’s express informed consent to access covered data, it is unlikely that the authorizations include the language prescribed by the Final Rule. Additionally, authorized third parties and data aggregators will need to create disclosures that certify to the consumer, in advance of accepting covered data, that the authorized third parties and data aggregators agree to the conditions regarding access to the covered data.
- Bank Regulatory Considerations. Banks, as data providers, are required to enable data aggregators and authorized third parties to access consumer financial data. This ongoing relationship is subject to the federal banking regulators’ third-party risk management guidance, as discussed previously. The Final Rule recognizes that data providers may reasonably deny access to their interface to consumers or third parties based on risk management concerns, including those related to safety, soundness, or data security requirements in federal law; however, access denials must be narrowly tailored to specific risk management concerns without obstructing a consumer’s right to access data relating to them.
- Secondary Use Limitations. As noted above, the Final Rule generally limits an authorized third party’s use of covered data to uses that are “reasonably necessary” to provide the consumer with the requested product or service. The CFPB notes in the supplementary information to the Final Rule that the “reasonably necessary” standard is designed to ensure the resulting use by an authorized third party is in alignment with true consumer control and informed consent and limits any “secondary uses” not reasonably necessary to provide the product or service. Moreover, the CFPB states that the “product or service” for which the use must be reasonably necessary is the product or service that “the consumer sought in the market and that accrues to the consumer’s benefit”—not what the terms say that the authorized third party is providing.
- Expansion of Secondary Uses. Under the Final Rule, the CFPB expanded an authorized third party’s uses of covered data to include any uses that are reasonably necessary to improve the product or service the consumer requested. While this may allow an authorized third party to use covered data to develop the existing product, the development must be tied to improving the product the customer is receiving as discussed above.
V. Outlook
Despite its length, the Final Rule leaves industry participants with unanswered questions. The staggered compliance timelines for data providers and the lack of clarity around the definition of covered data create uncertainty for authorized third parties trying to operationalize compliance with the Final Rule. Similarly, there remain questions about how and when the SSBs will issue QISs, which will be a critical input for data providers looking to establish compliance.
The lack of clarity and questions about the scope of the Final Rule have resulted in mixed industry reactions. While data aggregators have reacted favorably in some respects, traditional banking institutions have expressed concerns about the rule’s impact on data security and the potential for increased regulatory burdens, and questions remain for authorized third parties as well.
On the same day the final rule was released, a national bank and two bank trade associations filed a complaint against the CFPB challenging the Final Rule. The plaintiffs allege that the CFPB has exceeded its statutory authority under Section 1033 by mandating that banks provide customer financial information to third parties, such as fintech companies and data aggregators, which are not defined as “consumers” under the Dodd-Frank Act, thereby allowing access to sensitive data without implementing adequate security measures for the third parties. Furthermore, the plaintiffs claim that the Final Rule outsources the authority to set compliance standards to SSBs (i.e., private organizations), which, according to the plaintiffs, raises constitutional and statutory concerns, because Section 1033 does not contemplate such delegation. Lastly, the plaintiffs make economic burden arguments related to the Final Rule’s prohibition on charging fees to third parties, which the plaintiffs allege provides an unfair financial advantage at the direct expense of the data providers.
The MoFo Open Banking team will continue to track developments related to the Final Rule and industry’s efforts to implement the requirements in the Final Rule.