Open Banking Update: CFPB Recognizes First Open Banking Standard-Setting Body

On January 8, 2025, the Consumer Financial Protection Bureau (CFPB) issued a decision and order approving the application of Financial Data Exchange, Inc. (FDX) for recognition as a standard-setting body (SSB) under the agency’s final rule to implement its authority under Dodd-Frank Act Section 1033 (12 U.S.C. § 5533) to facilitate open banking (the “Final Rule”). FDX’s application was submitted and reviewed pursuant to the CFPB’s June 5, 2024 rule, which supplements the Final Rule and lays out the requirements for becoming recognized by the CFPB as an SSB. The approval of FDX could have a significant effect on the timing and nature of compliance obligations for data providers and third parties subject to the Final Rule.

Background

SSBs are set to play a pivotal role in the open banking structure contemplated by the CFPB’s Final Rule. They are to be “fair, open and inclusive” industry bodies that meet specific requirements for openness, balance of decision-making power, due process and appeals, consensus, and transparency. SSBs are required to issue industry standards (“Consensus Standards”) that will provide guidelines to data providers and third parties regarding compliance with the Final Rule. Many significant compliance obligations of the Final Rule will be set by Consensus Standards, including (1) data elements that data providers are required to provide; (2) service-level standards that data providers are required to maintain (e.g., down time, response rates, etc.); and (3) restrictions that data providers can place on third parties for the frequency of data access requests.

Outlook

The CFPB said it approved FDX to be an SSB for a five (5) year period subject to conditions including:

• Ban on “pay to play” and other conflicts of interest – FDX is restricted from developing Consensus Standards with financial incentives that could benefit market participants to the detriment of others. FDX and its staff may not make any business arrangements that skew its financial incentives toward particular market players.
• Mandatory reporting on market adoption – FDX is required to provide reporting to the CFPB on the use of its Consensus Standards and maintain a public resource for market participants to disclose use of the Consensus Standards.
• Transparency and availability of standards – FDX must make its Consensus Standards available to members of the public as if they were members of FDX.

As detailed in our prior alert, the Final Rule is effective January 17, 2025 and has a phased roll-out for data providers, by asset size or annual revenue, for depository institutions and non-depository institutions, respectively. Larger data providers become subject to the Final Rule on April 1, 2026, while smaller data providers are subject to a phased implementation within four years after the effective date of the Final Rule. However, there does not appear to be a prohibition on data providers coming into compliance with the Final Rule prior to their respective compliance date. With the approval of FDX and the forthcoming Consensus Standards, data providers may implement the Consensus Standards in advance of the compliance regulatory dates. Early implementation could have important implications for third party’s receiving consumer financial information. Specifically, the Final Rule fails to provide prescribed compliance dates for third parties, leaving ambiguity as to when third parties must comply with the Final Rule. If the CFPB takes the view that third-party compliance is triggered upon the compliance of the data provider that they are collecting data from, then the early roll-out of Consensus Standards could result in a shortened timeline for third parties to comply with the authorization and data use limitations on covered data set forth in the Final Rule.

Despite the approval of FDX, questions remain regarding the future of SSBs and their impact on the open banking landscape in the U.S. For example, the CFPB has stated that it will continue to review SSB applications. It is not clear what the effect of multiple SSBs would have on the development of Consensus Standards, but at least one entity, the Digital Governance Standards Institute, has submitted an application that the CFPB has yet to act upon.

Additionally, the CFPB is still facing challenges to the scope of authority that SSBs have been provided under the Final Rule. On the day the Final Rule was released last October, a national bank and two bank trade associations filed a complaint against the CFPB challenging the Final Rule. The plaintiffs allege, among other things, that the Final Rule’s outsourcing of the authority to set compliance standards to SSBs (i.e., private organizations) raises constitutional and statutory concerns because Section 1033 does not contemplate such delegation and setting regulatory compliance dates was premature, as data providers are not aware of what standards they need to comply with.

MoFo will continue to track developments related to SSBs and the development of open banking under the Final Rule.