Open Banking Developments
On October 22, 2024, the CFPB issued its final "open banking" rule implementing Section 1033 of the Dodd-Frank Act, which mandates that "covered persons" provide consumers access to their financial data (the "Final Rule"). The Final Rule defines data providers to include bank and non-bank institutions that offer consumer checking or savings accounts or issue consumer credit cards. As expected, the Final Rule largely codifies language in the proposal issued in 2023 and sets the disclosure, technical, and other standards and requirements intended to help consumers, and their authorized service providers (including data aggregators), efficiently access their financial data. The Final Rule also includes the certification requirements for standard-setting bodies effective July 11, 2024. Some changes between the proposal and the Final Rule respond to some of the more than 11,000 comments that were submitted, most notably by extending the compliance dates in a phased approach starting April 1, 2026, and ending in 2030.
A number of legal and operational questions remain, however, including how participants should reconcile the open banking rules with existing legal and operational requirements under the Fair Credit Reporting Act (FCRA), GLBA and state privacy rules, data security regulations, business continuity considerations, and others (as further discussed in our First Impressions on CFPB's Proposed Open Banking Rule advisory). In fact, the same day it was issued, the Bank Policy Institute and the Kentucky Bankers Association filed a lawsuit in the U.S. District Court for the District of Kentucky alleging that the CFPB overstepped its authority.
Our Services
Regardless of how the lawsuit proceeds, the era of open banking and finance is here. Data providers, data aggregators, and fintech data users will need to adapt to this upcoming regulatory regime. Since the days when screen scraping was the only method to transfer this data, we have assisted clients on a variety of open banking matters, including:
- Advising data providers (banks) and data recipients on regulatory obligations in providing or gaining access to financial data via 1033-compliant interfaces, including helping these data providers and data recipients assess their existing data sharing agreements for compliance with the CFPB's open banking rules.
- Negotiating data sharing agreements between financial institutions and data aggregators/authorized third parties.
- Counseling open banking participants on how open banking implicates their status under adjacent laws, such as the FCRA (e.g., as consumer reporting agencies or furnishers), the GLBA, and state privacy laws.
- Advising banks, in their role as data providers, on the applicability of third-party risk management requirements under federal banking third-party risk management guidance and ongoing safety and soundness requirements.
- Assisting authorized third parties with consumer authorization, reauthorization, retention and other open banking obligations.
Insights
We frequently represent financial institutions in all aspects of their open banking relationships, including:
- Interpreting and applying regulations and regulatory guidance,
- Structuring and negotiating contracts and data-sharing terms,
- Assessing risk,
- Tracking and evaluating relevant litigation and settlements,
- Structuring and drafting customer disclosures and consents, and
- Launching products and functionality.
We are actively representing FIs and technology providers in connection with the establishment and structuring of data-sharing networks and hubs through which bank customer data is transferred to multiple permissioned recipients. These are alternative, second-generation models for sharing customer data and are intended to enable the networks to be more flexible in addressing open-banking needs.