A few weeks back, the U.S. Consumer Financial Protection Bureau introduced new open banking rules designed to simplify the process for consumers to switch financial services providers and encourage competition. The open banking rules mandate that traditional banks and fintech firms allow consumers to transfer their personal data between providers at no cost.
Banking industry groups, which the rule could negatively impact, quickly criticized it, raising concerns about consumer data security and questioning the agency’s authority. In contrast, fintech organizations welcomed the rule, saying it would enable secure consumer data transfers.
Key Takeaways
- Greater Control and Flexibility for Consumers: The rule lets consumers transfer their banking history and other financial data between providers without fees, making it easier to switch to institutions offering better services or terms.
- Boosted Competition and Access to Better Rates: The rule is expected to drive competition by allowing consumers to compare and move accounts more freely. Consumers can seek higher deposit rates, lower loan rates, and improved credit options, particularly benefiting those with limited credit history.
- Enhanced Data Security and Privacy Standards: Financial service providers and third-party firms must follow strict data access and usage guidelines, limiting data collection to specific consumer requests. They must also have clear revocation and data deletion processes, empowering consumers to control how their information is used.
- Mixed Reception and Legal Challenges: While fintech advocates see the rule as a positive step for consumer choice, the banking sector has raised concerns over data security and regulatory overreach, leading to a lawsuit claiming the rule imposes security risks and could increase compliance burdens.
CFPB’s New Rule Enhances Consumer Data Control and Aims to Boost Competition in Financial Services
The Consumer Financial Protection Bureau just finished a rule that gives people more control over their financial data. This wraps up a project they started back in 2010 with section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act, which established the right for consumers to access their account data freely and to permit third parties to access this data on their behalf.
On October 23, 2024, the bureau issued its final open banking rules. Implementation will be staggered by institution size, with larger providers required to comply earlier than smaller ones: the largest will need to meet the requirements by April 1, 2026, whereas the smallest institutions have a deadline of April 1, 2030. Under this rule, financial service providers must provide consumers and their authorized third parties with access to financial data upon request. This data must be delivered electronically and safeguarded to ensure both security and reliability. Additionally, third parties accessing this data must adhere to privacy protections.
Through this regulation, the CFPB aims to enhance consumer choice and stimulate more competition within the financial sector.
The new rule spans 38 pages and includes over 500 pages of explanatory comments from the CFPB, addressing feedback received on the contentious regulation and the bureau’s responses. It has already led to a lawsuit filed by the Kentucky Bankers Association, the Bank Policy Institute, and a community bank in Lexington, Kentucky, alongside endorsements from consumer advocacy groups and indications of further regulations in the future. The lawsuit, filed in the Eastern District of Kentucky, asserts that the rule undermines established private data-sharing practices, increases cybersecurity risks, and imposes a complex compliance framework that could increase the likelihood of data breaches.
According to the CFPB, the rule could foster increased competition within the financial services sector, potentially reducing prices and interest rates. Consumers gain greater access to their own financial data, enabling them to share it with third-party providers more easily. This is intended to increase consumer choice, promote competition, and reduce reliance on entrenched financial institutions.
The new rule mandates that companies must, upon consumer request, share clients’ confidential information with banks and fintech companies offering alternative products, allowing consumers free access to their data. By broadening consumer access to their data, the CFPB aims to promote competition by lowering obstacles to switching financial providers. A secondary goal of the rule is to create a more competitive environment for fintech firms looking to enter the banking sector with innovative products and services. The rule also strengthens data protection standards at fintech companies to better secure customer information.
Under the finalized rule, banks and credit unions with assets under $850 million are exempt. The rule applies to all non-depository institutions and remains mostly unchanged from its proposed version. Implementation will be staggered based on institution size from 2026 to 2030.
However, critics argue that it might also increase the risk of fraud and scams, which are current issues for consumers and banks. The banking lobby has expressed concerns that the rule may compromise consumer data security and overstep the agency’s legal authority. Meanwhile, the American Fintech Council (AFC) criticized the rule as too limiting regarding consumer data provisions. Critics added that the rule compromises data security by requiring financial institutions to share sensitive information with third-party providers, many of whom lack the stringent oversight applied to traditional banks. Additionally, critics claim that banks are unreasonably restricted from refusing third-party access, limiting their ability to manage security risks effectively.
Rohit Chopra, Director of the U.S. Consumer Financial Protection Bureau, likened the rule’s impact to the regulations that allow mobile phone users to switch providers while retaining their numbers. He suggested this change would align U.S. payment systems with those of other advanced countries.
During a speech at a financial technology event hosted by the Federal Reserve Bank of Philadelphia, Chopra emphasized that the rule includes robust privacy safeguards and gives consumers significant control over their data. He stated that while a company can use consumer data to deliver requested products or services, it cannot use the data for unrelated purposes that the consumer has not agreed to.
How Do New Open Banking Rules Help Consumers Move Accounts, Access Better Rates, and Make Secure Payments?
The Personal Financial Data Rights final rule grants consumers more control over their financial data, aiming to boost choice and competition by enabling people to:
- Switch providers for better service: Consumers can transfer their banking history to a new bank or fintech provider without facing fees or obstacles, making it easier to leave institutions with poor service.
- Seek better rates on financial products: Consumers can compare rates and move their accounts to providers offering better terms, such as higher interest on deposits or lower loan rates. This rule also allows people with limited credit history, like young consumers, to access better credit options by using data on income and expenses from other institutions.
- Make secure payments, including through “pay-by-bank” options: Consumers can securely share payment information, allowing for direct bank payments to merchants, peers, or across accounts, which may foster competition in the payments sector.
How Are Third Parties Limited in Data Use, and What Rights Do Consumers Have for Revocation and Deletion?
Third parties can only collect and use data directly for the product or service the consumer requests. Without explicit consumer consent, they are barred from retaining or repurposing data for unrelated activities, such as targeted advertising.
Additionally, consumers can revoke data access immediately, and data deletion becomes the default. Continued access requires reauthorization within one year, and the revocation process must be straightforward to prevent confusing or manipulative practices.
Conclusion
The CFPB’s final rule on open banking marks a significant shift in U.S. financial regulations. It offers consumers enhanced control over their financial data while aiming to increase competition in the sector. By facilitating the secure transfer of personal data between banks and fintech companies, the rule empowers consumers to explore better financial products and switch providers without facing barriers.
While this regulation has sparked mixed reactions (support from fintech firms and consumer advocates, and concerns from traditional banking groups), it lays the groundwork for a more consumer-centered financial ecosystem. As larger financial institutions prepare for the 2026 implementation deadline, this rule could pave the way for future data rights and financial transparency developments in the U.S.