Financial Services Litigation & Investigations Group
CFPB Issues Final “Open Banking” Rule Requiring Covered Entities to Provide Consumers Access and Transferability of Financial Data
October 29, 2024
On October 22, 2024, the Consumer Financial Protection Bureau (“CFPB” or “Bureau”) published a 594-page Notice of Final Rulemaking for its “Personal Financial Data Rights” rule, commonly known as the “Open Banking” rule, which will require covered entities—generally, providers of checking and prepaid accounts, credit cards, digital wallets, and other payment facilitators—to provide consumers and consumer-authorized third parties with access to consumers’ financial data free of charge.[1] Covered entities are required to comply with uniform standards to provide access to this financial data through consumer and developer interfaces.[2] The rule imposes requirements on authorized third parties (such as fintechs), as well as data aggregators that facilitate access to consumers’ data, including required disclosures to consumers regarding the third parties’ use and retention of the requested data and a requirement that the data only be used in a manner reasonably necessary to provide the requested product or service (thus foreclosing selling the data or using it for targeted advertising or cross selling purposes).[3]
The Bureau received over 11,000 comments on its October 19, 2023 proposal,[4] and the Bureau implemented only limited changes to the proposed rule. For example, despite the requests of several commenters, the final rule maintains the proposed rule’s coverage of entities that “facilitate” payments from Regulation E accounts or Regulation Z credit cards, such as digital wallets, but adds an exception for “first party payments.”[5] The final rule also extends the compliance deadlines for all covered entities. The first compliance date, which applies to the largest bank and non-bank covered entities, is April 1, 2026. The Bureau also decided to exempt depository institutions with assets of less than $850 million.[6]
The CFPB estimates that at least 100 million Americans have authorized a third-party company to access their account data, and the rule is aimed at further facilitating this process by giving consumers a legal right to readily transfer their financial data from one financial provider to another.[7] The rule reflects Director Chopra’s goals of “shift[ing] toward open and decentralized banking”[8] and giving consumers “more power to get better rates and service on bank accounts, credit cards, and more.”[9] According to the CFPB, the rule will promote consumer choice, incentivize financial service providers to provide better service because customers can more easily switch providers, and allow newer providers to compete more easily.[10] In addition to allowing consumers to switch providers more readily, the CFPB cites the main use cases for sharing this data as facilitating “personal financial management tools, payment applications and digital wallets, credit underwriting (including cashflow underwriting), and identity verification.”[11]
Critics of the rule say it does not do enough to protect consumer privacy, fails sufficiently to address fraudulent or unsafe third-party activity, and burdens financial institutions with costs that should be shared by third parties. On the same day the final rule was published, the Bank Policy Institute and Kentucky Bankers Association filed a lawsuit in the U.S. District Court for the Eastern District of Kentucky challenging the rule. The plaintiffs claim, among other things, that the rule exceeds the Bureau’s statutory authority, which they say covers only disclosure of data to consumers and not disclosures to third parties as defined broadly by the rule.[12] The plaintiffs also fault the rule for requiring covered entities to provide consumer financial data to less regulated third parties and failing to articulate principles for apportioning liability for data mishandling.[13]
Below, we provide a high-level overview of the final rule and offer some observations.
Requiring Covered Entities to Provide Consumers and Authorized Third Parties with Access to Covered Financial Data
Subpart B of the final rule requires covered entities to provide covered data to consumers and authorized third parties. Covered data providers are any entities—including banks and digital wallet providers—that control or possess covered data concerning consumer financial products and services that the consumer obtained from the data provider. Covered consumer financial products and services include:
- Personal checking, savings, and other consumer asset accounts held directly or indirectly by a financial institution;[14]
- Prepaid accounts, including payroll card accounts, certain government benefit accounts, and an account which is capable of being loaded with funds and whose “primary function is to conduct transactions with multiple, unaffiliated merchants for goods or services, or at automated teller machines, or to conduct person-to-person transfers, and . . . [t]hat is not a checking account, share draft account, or negotiable order of withdrawal account”;[15]
- Credit cards;[16]
- Other products or services that facilitate payments from the asset accounts or credit cards described above (further discussion of this facilitation category is immediately below).[17]
Covered Data Providers Include Facilitators of Payments
The proposed rule provided that covered consumer products or services would include “facilitation of payments from a Regulation E account or Regulation Z credit card.”[18] It also provided that a covered data provider would include any entity that “controls or possesses information concerning a covered consumer financial product or service the consumer obtained from that person.”[19] As an example, the proposed rule stated that a digital wallet provider would be considered a covered data provider.[20]
Several comments on the proposed rule argued that the payment facilitation prong should be deleted or significantly clarified or narrowed because it could be read to sweep broadly to include pass-through payment providers of various kinds, including potentially certain online marketplaces and ride-sharing apps.[21] These comments argued that data related to pass-through payments “would be duplicative, introduce errors, provide limited consumer benefit relative to the increased burden on digital wallet providers, and conflict with their belief that the account-holding bank should control access to that data.”[22]
The CFPB declined to remove the facilitation prong, and the final rule continues to note digital wallet providers as an example of covered entities. The final rule, however, does add an exclusion for any products or services that “merely facilitate first party payments.”[23] The rule defines a “first party payment” as “a transfer initiated by the payee or an agent acting on behalf of the underlying payee.”[24] As examples of this exclusion, the final rule mentions “payments initiated by loan servicers,” while the preamble further discusses “an online merchant initiating a payment to itself for goods it sold directly to the consumer, or a utility company initiating payment to satisfy a consumer’s electric bill.”[25] The preamble explains that “some first party payments continue to fall within the definition of covered consumer financial product or service, such as situations where the data provider is initiating a transfer to itself in conjunction with a product that facilitates payments to other payees, or the data provider is otherwise providing a Regulation E or Regulation Z account.”[26] The CFPB provides the following examples that remain covered by the final rule: “a digital wallet provider initiating a transfer from an external bank account to the consumer’s digital wallet held by that same provider, a digital wallet provider initiating a pass through transfer from the consumer’s Regulation E or Regulation Z account to another payee that participates in the debit or credit card network, and a credit card provider initiating a credit card payment from the consumer’s external bank account to itself.”[27]
The CFPB noted that since digital wallet providers tend to be “Regulation E financial institutions, the marginal compliance burden of including the payment facilitation prong is limited.”[28] It also noted that the “few digital wallet providers” who do not offer Regulation E or Regulation Z accounts “tend to be very large, sophisticated technology companies that commonly access and use data as third parties.”[29] Moreover, the CFPB believes that “non-bank providers may control or possess different or more robust covered data than the underlying depository institution” and that “consumers benefit from being able to permission access to digital wallet pass-through data.”[30]
The first party payment exception is related to, but different from, two exceptions to the Bureau’s authority that are provided by the Dodd Frank Act and incorporated by reference in the final rule. First, Dodd Frank exempts from the Bureau’s authority merchants and others that sell nonfinancial goods or services, “except to the extent” that they are “engaged in offering or providing any consumer financial product or service.”[31] Second, Dodd Frank excludes from the definition of “consumer financial product or service” “financial data processing by transmitting or storing payments data about a consumer exclusively for purpose of initiating payments instructions by the consumer to pay such person for the purchase of, or to complete a commercial transaction for, such nonfinancial good or service sold directly by such person to the consumer.”[32]
Exemption of Depository Institutions With Assets of $850 Million or Less
While the proposed rule would have exempted depository institutions that do not already have a consumer interface in place by the compliance date, the Bureau subsequently determined that “[a]sset size is a more accurate proxy than the mere existence of a consumer interface to help approximate a depository institution’s resources and ability to comply with the rule’s requirements.”[33] Accordingly, the final rule exempts “depository institutions with assets of $850 million or below.”[34] Just as with the proposed rule, the final rule does not provide a similar exception for nondepository data providers.[35] The total assets limitation is intended to save smaller depository institutions—such as credit unions—from “additional challenges” and “competitive disadvantages” they would face in complying with the rule.[36] According to the CFPB, the threshold “excludes approximately 10 percent of covered accounts.”[37]
Covered Data
The final rule makes slight modifications to the list of covered data elements in the proposed rule, particularly with respect to payment initiation information, discussed below. Under the final rule, covered data includes:
- Account balance information and at least 24 months of transaction information, which includes “amount, transaction date, payment type, pending or authorized status, payee or merchant name, rewards credits, and fees or finance charges”;[38]
- Information allowing the receiving entity to initiate payments to or from a Regulation E account directly or indirectly held by the data provider (generally a consumer asset or prepaid account);[39]
- Terms and conditions such as an “applicable fee schedule, any annual percentage rate or annual percentage yield, credit limit, rewards program terms, whether a consumer has opted into overdraft coverage, and whether a consumer has entered into an arbitration agreement”;[40]
- Upcoming bill information, including, for example, the minimum amount due on the data provider’s credit card billing statement, and also scheduled payments to third parties, such as a utility company;[41]
- “Basic account verification information, which is limited to the name, address, email address, and phone number associated with the covered consumer financial product or service.”[42]
Exceptions apply for:
- Any confidential commercial information, including an algorithm used to derive credit risk or other risk scores or an underwriting model;[43]
- Any information collected only to prevent fraud or money laundering, or to detect, or make any report regarding, other unlawful conduct;[44]
- Any information required by law to be kept confidential;[45]
- Any information that cannot be retrieved in the ordinary course of business by the data provider.[46]
With the exception of basic account information, CFPB notes that the final rule presents covered data in a “categories and examples approach” and the examples are “non-exhaustive.”[47] The CFPB intends for this approach to strike a balance between “resolving areas of market disagreement with avoiding detailed specifications . . . that could interfere with efficiency and innovation.”[48]
Further, the requirement to provide payment initiation information is limited to data providers that directly or indirectly hold a Regulation E account and to that which can be “retrieve[d] in the ordinary course of business.”[49] As such, data providers that only facilitate pass-through payments are not required to provide such information, and debit card numbers are not considered covered data.[50]
Requiring Covered Data Providers to Establish and Maintain Interfaces to Provide Consumers and Authorized Third Parties Access to Covered Data for Free Upon Request
Subpart C of the final rule imposes obligations on covered data providers to establish and maintain interfaces that allow consumers and authorized third parties to access covered data.[51]
The final rule prohibits data providers from imposing fees or charges in connection with data access services provided under the final rule (a point that is challenged in the ongoing litigation), though the provider may charge fees for other services available through the consumer interface that are not covered by the final rule.[52] For example, banks would still be able to charge account maintenance or wire transfer fees. The CFPB believes that the “prohibition ensures that data providers do not inhibit consumers’ ability to access their data, authorize third parties to access their data, or choose which third parties to authorize to access their data.”[53]
Subpart C distinguishes between consumer interfaces (e.g., online banking applications) and developer interfaces (e.g., application programming interfaces or APIs), and requires covered data providers to maintain both consumer and developer interfaces in order to comply with requests for covered consumer data.[54] The CFPB rejected the use of screen scraping and tokenized screen scraping as methods for data providers to fulfill their obligations to supply covered data, finding such methods to present security, reliability, and interoperability issues.[55] Further, the CFPB noted that neither the proposed rule nor the final rule prohibits data providers from disallowing screen scraping, but that, in certain circumstances, doing so could “violate the CFPA’s prohibition on acts or practices that are unfair, deceptive, or abusive.”[56] Likewise, it notes that use of screen scraping by third parties once data providers have established compliant developer interfaces could also be a violation of that prohibition.[57]
Both consumer interfaces and developer interfaces are required to produce requested consumer data as machine-readable files that can be retained and transferred to a different information system.[58] However, the final rule does not require data providers to meet this formatting requirement for payment initiation information and account verification information provided through consumer interfaces.[59] The rule also carves out terms and conditions from the requirement.[60]
Developer interfaces must produce requested consumer data in a “standardized and machine-readable format.”[61] A standardized format is one that “conforms to a format widely used by other data providers and designed to be readily usable by authorized third parties.”[62] Conformity to a “consensus standard,” which will be set by a CFPB recognized standard setting body, is an indicator that this requirement has been satisfied.[63] Several provisions are defined with respect to such consensus standards.
The final rule requires the performance of developer interfaces to be “commercially reasonable” according to several criteria, including conformity to an applicable consensus standard, as well as performance compared to developer interfaces of similarly situated data providers and the data provider’s own consumer interface.[64] The final rule also establishes a minimum response rate of 99.5% for each calendar month, excluding requests and responses during scheduled maintenance.[65] The final rule establishes requirements for scheduled downtime for interfaces and other industry standard performance and technical specifications.[66] Several of the technical specifications are defined with respect to consensus standards.[67]
Data providers also may not unreasonably restrict the frequency of requests for data or responses to those requests.[68] Frequency restrictions must not be discriminatory and must comply with the provider’s own written policies and procedures.[69] A restriction’s compliance with a consensus standard is one indicator that it is reasonable.[70] In the preamble, the CFPB notes that “reasonable access caps” for third parties are permitted under the final rule, but that caps on consumer data requests “generally will be unreasonable” and that “reasonable access caps will be confined to other requests such as ‘batch’ requests.”[71]
Subpart C also requires data providers to undertake security measures, including disallowing third parties from accessing consumer data on a developer interface “using any credentials that a consumer uses to access the consumer interface.”[72] The CFPB notes that this supports the final rule’s goal to “transition the market away from using screen scraping to access covered data.”[73] The final rule requires Gramm-Leach-Bliley Act (“GLBA”) financial institutions to apply to their interfaces a data security program that complies with that Act.
The final rule obligates data providers to provide requested data to consumers and authorized third parties. However, covered data providers may deny requests if “granting access would be inconsistent with policies and procedures reasonably designed to comply” with certain safety and security standards or if the “denial is reasonable.”[74] A denial is reasonable only if it “directly relate[s] to specific risk of which the data provider is aware” and is “applied in a consistent and non-discriminatory manner.”[75] Indicia that a denial is reasonable include conformity to a consensus standard, conformity to the data provider’s standardized risk management criteria, and the third party’s identification of fitness by a recognized standard setter or the CFPB.[76] Moreover, the final rule provides that certain conditions form a sufficient basis for a denial, including the third party’s failure to present any evidence that its information security practices are adequate to safeguard the covered data or its failure to make certain information publicly available.[77] Data providers are permitted to confirm the scope of a third party’s request with a consumer by verifying the relevant accounts and the categories of covered data being requested.[78]
The final rule allows data providers to establish a reasonable method for consumers to revoke any third party’s authorization to access consumer data, so long as the method does not violate the rule’s prohibition against evasion.[79] That prohibition forbids data providers to “take any action: with the intent of evading the [requirements of the rule] . . . [t]hat the data provider knows or should know is likely to render unusable the covered data . . . [or] is likely to prevent, interfere with, or materially discourage a consumer or authorized third party from accessing covered data.”[80] Conformity with a consensus standard indicates that a method for revoking authorization is reasonable.[81] Upon receipt of a revocation request, the data provider must inform the affected third party and revoke its access.[82]
Requiring Third Parties to Comply with Authorization Procedures, Obtain Informed Consent from Consumers, and Adhere to Limitations on the Use of Received Data
Subpart D establishes authorization procedures for third parties that retrieve financial data on behalf of consumers, including additional requirements when third parties use data aggregators. Subpart D broadly defines an authorized third party as a third party that seeks covered data from a covered provider and complies with certain consent, certification, and disclosure procedures.[83] Data aggregators are not third parties under the proposed rule, though they may perform authorization procedures on behalf of third parties. Third parties are required to provide an authorization disclosure to consumers explaining the purpose for which they will use the consumer’s data.[84] Third parties must certify that they will comply with the limitations on collection, use, and retention imposed on them by the rule; that they will employ certain data security and privacy measures; and that they will ensure that consumers are aware of both the third party’s authorized access and the consumers’ ability to revoke authorization.[85] Third parties must obtain consumers’ express consent to the authorization disclosure via electronic or written signature.[86] The authorization disclosure must be presented to consumers in a form that is “segregated” from other disclosure materials.[87] The third party must provide a signed authorization form to the data provider to prove that it obtained the consumer’s authorization and complied with the authorization procedures.
The Bureau did not make significant changes from the proposed rule to the requirements under Subpart D. The Bureau added clarification that, when the names of parties must be disclosed, they must be readily understandable to consumers. As compared to the proposed rule, the final rule adds one element to the required content of the disclosure: a brief description of the expected duration of the data collection.[88] The final rule also clarifies that the categories of covered data listed in the disclosure must be described with a similar level of specificity to the categories of covered data as outlined in Subpart B, Section 1033.211.[89] The authorization disclosure form must include:
- the name of the authorized third party;
- the name of the data provider;
- a description of the consumer’s requested product or service to be provided by the third party, including a statement that the third party will use the requested data for that purpose only;
- the categories of data that will be accessed;
- a certification that the third party will comply with consent, certification, and disclosure procedures;
- a brief description of the expected duration of data collection and a statement that collection will not last longer than one year after the consumer’s most recent reauthorization; and
- a description of the mechanism for revoking authorization.
Third parties may use consumer financial data only for practices that are part of, or reasonably necessary to provide, the product or service requested by the consumer. In the final rule, the Bureau clarified that third parties may use consumer data as reasonably necessary to improve the product or service the consumer requested.[90] The rule makes clear that targeted advertising, cross-selling, and data sales are not part of, or reasonably necessary to provide, any other product or service, effectively prohibiting the use of consumer data for those purposes.[91] The Bureau’s rationale is that these practices are not primarily intended to benefit the consumer, consumers often do not understand the breadth of their authorization to include these practices, and many consumers consider these practices invasive.
The rule allows third parties to collect data for a one-year period after receiving authorization, after which it requires third parties to obtain new authorization.[92] If reauthorization is not provided, the third party may no longer use or retain covered data that was previously collected unless use or retention remains reasonably necessary to provide the consumer’s requested product or service.[93]
Third parties are required to provide, without fee or penalty to the consumer, an authorization revocation method that is as easy to access as the authorization method itself.[94] Upon a consumer’s request to revoke authorization, the third party must notify “the data provider, any data aggregator, and other third parties to whom it has provided the consumer’s covered data.”[95] The third party also must stop collecting data pursuant to the most recent authorization. Further, it must stop using and retaining data collected pursuant to the most recent authorization unless reasonably related to providing the consumer’s requested product or service.[96]
The rule requires third parties that are GLBA financial institutions to apply an information security program to their data collection systems that satisfies the GLBA requirements or, if they are not subject to the GLBA, an information security program that satisfies the FTC’s Standards for Safeguarding Customer Information.[97]
Subpart D addresses the use of data aggregators to access and process consumer financial data. It allows but does not require data aggregators to perform the third-party authorization procedures on behalf of the third party.[98] The third party still bears the ultimate responsibility for compliance with authorization procedures.[99] Regardless, if a data aggregator will be used, the disclosures to the consumer must include the name of the data aggregator and a certification from the data aggregator to the consumer that it will comply with the requirements for authorized third-party access to consumer financial data.[100] The final rule clarifies that the data aggregator’s certification must be provided to the consumer separate from the authorization disclosure, in the same language as the authorization disclosure, and segregated from other material.[101] The rule amends 12 CFR § 1001 to explicitly include data aggregators and similar financial data processing products in the definition of a financial product or service.[102]
Compliance Deadlines
Subpart A establishes a five-tiered set of compliance deadlines for covered data providers based on total asset holdings for depository institutions or total receipts for nondepository institutions.[103] It also sets forth a method for determining compliance dates for depository institutions that do not yet meet the coverage threshold for total asset holdings but cross that threshold at a later date.[104] Compared to the compliance timeline set out in the proposed rule, the final rule extends the time to comply for all tiers of data providers. It also decreases the total asset and receipt thresholds for the first two tiers and breaks the compliance timeline into additional tiers for depository institutions. The final rule clarifies that total assets for a depository institution are determined by averaging the assets reported on its Q3 2023, Q4 2023, Q1 2024, and Q2 2024 call report submissions to its appropriate oversight body, including the FFIEC or NCUA as applicable.[105] For nondepository institutions, the final rule defines total receipts according to the SBA definition, codified in 13 CFR 121.104(a).[106] Data providers must comply with the requirements in Subparts B and C beginning on:
- April 1, 2026 for depository institutions that hold at least $250 billion in total assets and nondepository institutions with at least $10 billion in total receipts in either calendar year 2023 or 2024;
- April 1, 2027 for depository institutions that hold at least $10 billion but less than $250 billion in total assets and nondepository institutions with at least $3 billion but less than $10 billion in total receipts in either calendar year 2023 or 2024;
- April 1, 2028 for depository institutions that hold at least $3 billion but less than $10 billion in total assets;
- April 1, 2029 for depository institutions that hold at least $1.5 billion but less than $3 billion in total assets; and
- April 1, 2030 for depository institution data providers that hold more than $850 million but less than $1.5 billion in total assets.[107]
As discussed above, depository institutions that have less than $850 million in total assets as of the date 60 days after publication of the rule are not covered entities under the rule. However, depository institutions that later cross the total asset threshold for the small business size standard for their industry must comply with the requirements in Subparts B and C within a “reasonable” amount of time after exceeding the size standard, not to exceed five years.[108]
Observations
The final rule is the latest step in a lengthy process that the CFPB has engaged in to develop its policy around section 1033 of the Dodd Frank Act, which became law more than a decade ago. The CFPB released and received comments on a request for information on consumer rights to access financial data in 2016; released principles around data sharing in 2017; and then held a symposium, released a summary of proceedings, and released and received comments on an Advanced Notice of Proposed Rulemaking in 2020.[109] It then issued an outline for the SBREFA process in October 2022, inviting other stakeholders to submit feedback on the outline by January 25, 2023.[110] The CFPB also issued CFPA section 1022(c)(4) market monitoring orders to data aggregators and large data providers to collect information related to personal financial data rights in January 2023.[111] Following a SBREFA panel, the CFPB issued a SBREFA panel report in April 2023 and then this proposed rule in late October 2023 which received over 11,000 comments. CFPB staff also met with staff from a wide variety of boards and agencies before and after issuing the proposal.[112] On June 5, 2024 the CFPB issued a final rule establishing the “minimum attributes” a standard-setting body must have to obtain CFPB recognition for purposes of issuing consensus standards.[113] The Financial Data Exchange and the Digital Governance Standards Institute have each submitted applications for standard setter recognition.[114]
Though the Bureau received comments requesting modifications and clarification from many stakeholders, the final rule retains several controversial elements, including:
- Prohibition on fees for maintaining developer interfaces and responding to requests for covered data;
- Coverage of entities that “facilitate” payments (the Bureau also declined to add an express exclusion for online marketplaces);
- Lack of an unequivocal screen scraping prohibition; and
- Allowance for reasonable data access caps for requests on developer interfaces.
Some notable differences between the proposed rule and the final rule include:
- Exemption for depository institutions that have total assets under $850 million (this exemption replaced an exemption in the proposed rule for depository institutions that did not have a consumer interface by the compliance date);
- Exemption of facilitation of first party payments from covered products or services; and
- Extension of the compliance deadlines for all data providers.
The final rule is one of the CFPB’s most ambitious regulatory initiatives and, once implemented, will alter the dynamics among different types of consumer financial service providers in the years to come. The rule is expected to create significant burdens on covered entities, while also creating commercial opportunities for a number of companies (including some of those same covered entities) to make greater use of consumer-permissioned financial data. As a starting point, banks and nonbanks should undertake a review to determine which of their products and services are covered under the final rule, and they should pay special attention to the “facilitation” prong, whose application may not be clear in certain circumstances. Covered entities will then need to plan the operations and systems changes necessary to comply with the rule. They will also need to build out new compliance procedures and processes, including appropriate methods for evaluating third parties seeking access to consumer data, in a way that limits security and other risks. Third parties that expect to access consumer data will likewise need to adjust their operations and systems, and build compliance procedures, to comply with the requirements of the final rule. Adding to this complexity, the recently filed lawsuit challenging the rule increases the uncertainty around the rule’s timing and ultimate implementation.
* * *
[1] The Notice of Final Rulemaking is available here.
[2] Final Rule § 1033.301(a).
[3] Final Rule §§ 1033.421, 1033.431.
[4] Our client alert discussing the proposed rule is available here.
[5] Preamble to the Final Rule, pp. 64–70; Final Rule § 1033.111(b) and (c).
[6] Final Rule § 1033.111(d).
[7] Preamble to the Final Rule, pp. 5, 13.
[8] CFPB, CFPB Proposes Rule to Jumpstart Competition and Accelerate Shift to Open Banking (Oct. 19, 2023), available here.
[9] CFPB, CFPB Finalizes Personal Financial Data Rights Rule to Boost Competition, Protect Privacy, and Give Families More Choice in Financial Services (Oct. 22, 2024), available here.
[10] Preamble to the Final Rule, p. 5.
[11] Preamble to the Final Rule, p. 14.
[12] Bank Policy Institute, Banks Challenge CFPB Rule Jeopardizing Security and Privacy of Consumer Financial Data (Oct. 22, 2024), available here.
[13] Id.
[14] Final Rule § 1033.111(b); 12 CFR 1005.2(b).
[15] Id.
[16] Final Rule § 1033.111(b); 12 CFR 1026.2(a)(15)(i). The preamble states that buy now pay later (BNPL) products “may qualify as card issuers under regulation Z” and that “BNPL providers had sufficient notice of their potential inclusion in the rule because they received notice that the CFPB proposed to cover Regulation Z card issuers and credit cards under CFPA section 1033.” Preamble to the Final Rule, p. 70.
[17] Final Rule § 1033.111(b). However, this excludes “products or services that merely facilitate first party payments,” which are defined as “transfer[s] [] initiated by the payee or an agent acting on behalf of the underlying payee.” Id.
[18] Proposed Rule § 1033.11(b).
[19] Proposed Rule § 1033.11(c).
[20] Id.
[21] Preamble to the Final Rule, pp. 61–63.
[22] Preamble to the Final Rule, pp. 62–63.
[23] Final Rule § 1033.111(b); Preamble to the Final Rule, pp. 64–65.
[24] Final Rule § 1033.111(b).
[25] Id.; Preamble to the Final Rule, p. 68.
[26] Preamble to the Final Rule, p. 68.
[27] Id.
[28] Preamble to the Final Rule, pp. 66–67.
[29] Id.
[30] Id.
[31] 12 U.S.C. § 5517(a).
[32] 12 U.S.C. § 5481(15)(A)(vii)(I).
[33] Preamble to the Final Rule, p. 73.
[34] Preamble to the Final Rule, p. 76; Final Rule § 1033.111(d). Additionally, the final rule provides a method for calculating total assets, including for merger or acquisition scenarios. Id. Further, the rule continues to apply to depository institutions that cease to meet the threshold at any point on or after 60 days from the date the rule is published in the Federal Register. Id.
[35] Preamble to the Final Rule, p. 72.
[36] Preamble to the Final Rule, pp. 32, 75.
[37] Preamble to the Final Rule, p. 76.
[38] Final Rule § 1033.211(a)–(b).
[39] Final Rule § 1033.211(c). Tokenized account numbers are permitted to the extent they can be used to initiate an ACH transaction and if “not used as a pretext to restrict competitive use of payment initiation information.” Id.
[40] Final Rule § 1033.211(d). Further, the final rule provides that “terms and conditions are limited to data in agreements evidencing the terms of the legal obligation between a data provider and a consumer for a covered consumer financial product or service.” Id.
[41] Final Rule § 1033.211(e).
[42] Final Rule § 1033.211(f). However, truncated account numbers or other identifiers for a Regulation E or Regulation Z account must be made available “[i]f the data provider directly or indirectly holds a regulation E or Regulation Z account belonging to the consumer.” Id.
[43] Final Rule § 1033.221(a).
[44] Final Rule § 1033.221(b).
[45] Final Rule § 1033.221(c).
[46] Final Rule § 1033.221(d).
[47] Preamble to the Final Rule, p. 117.
[48] Id.
[49] Preamble to the Final Rule, pp. 130–31.
[50] Id.
[51] Final Rule § 1033.301(a).
[52] Final Rule § 1033.301(c).
[53] Preamble to the Final Rule, p. 175.
[54] Final Rule § 1033.301(a).
[55] Preamble to the Final Rule, p. 165.
[56] Preamble to the Final Rule, pp. 214–15.
[57] Id.
[58] Final Rule § 1033.301(b).
[59] Id.
[60] Id.
[61] Id.; Final Rule § 1033.311(b).
[62] Final Rule § 1033.311(b).
[63] Id.; Final Rule § 1033.131.
[64] Final Rule § 1033.311(c). The relevant performance specifications include: response rate and time; total amount of scheduled and unscheduled downtime; and the amount of advance notice for scheduled downtime. Id.
[65] Id.
[66] Id.
[67] Id.
[68] Final Rule § 1033.311(d).
[69] Id.
[70] Id.
[71] Preamble to the Final Rule, pp. 208–9.
[72] Final Rule § 1033.311(e).
[73] Preamble to the Final Rule, p. 213.
[74] Final Rule § 1033.321(a). The provision specifically refers to “safety and soundness standards of a prudential regulator, as defined at 12 U.S.C. 5481(24), of the data provider; information security standards required by section 501 of the Gramm-Leach-Bliley Act, 15 U.S.C. 6801; or other applicable laws and regulations regarding risk management.” Id.
[75] Final Rule § 1033.321(b).
[76] Final Rule § 1033.321(c).
[77] Final Rule § 1033.321(d). The information the third party must make available includes its name, website link, Legal Entity Identifier, and contact information the data provider can use to inquire about the third party’s information security and compliance practices. Id.
[78] Final Rule § 1033.331(b).
[79] Final Rule § 1033.331(e).
[80] Final Rule § 1033.201(a).
[81] Final Rule § 1033.331(e).
[82] Id.
[83] Final Rule § 1033.401.
[84] Final Rule § 1033.411.
[85] Final Rule § 1033.421.
[86] Final Rule § 1033.421(g).
[87] Final Rule § 1033.411(a).
[88] Final Rule § 1033.411(b)(6).
[89] Final Rule § 1033.411(b)(4).
[90] Final Rule § 1033.421(c)(4).
[91] Final Rule § 1033.421(a)(2).
[92] Final Rule § 1033.421(b).
[93] Final Rule § 1033.421(i).
[94] Final Rule § 1033.421(h)(1).
[95] Final Rule § 1033.421(h)(2).
[96] Final Rule § 1033.421(i).
[97] Final Rule § 1033.421(e).
[98] Final Rule § 1033.431(a).
[99] Id.
[100] Final Rule § 1033.431(b) and (c).
[101] Final Rule § 1033.431(c)(2).
[102] Final Rule § 1001.2(b).
[103] Final Rule § 1033.121.
[104] Final Rule § 1033.121(c).
[105] Final Rule § 1033.121(a)(1). The SBA defines receipts as “all revenue in whatever form received or accrued from whatever source, including from the sales of products or services, interest, dividends, rents, royalties, fees, or commissions, reduced by returns and allowances.” 13 CFR 121.104(a).
[106] Final Rule § 1033.121(a)(2). The proposed rule referred to “revenue” while the final rule refers to “receipts” as defined by the SBA.
[107] Final Rule § 1033.121(b).
[108] Final Rule § 1033.121(c).
[109] Preamble to the Final Rule, p. 16. See also Preamble to the Proposed Rule, pp. 182–183; CFPB, CFPB Outlines Principles for Consumer-Authorized Financial Data Sharing and Aggregation (Oct. 17, 2023), available here.
[110] Preamble to the Final Rule, p. 16; see also Preamble to the Proposed Rule, p. 24.
[111] Preamble to the Final Rule, p. 16; see also Preamble to the Proposed Rule, p. 25.
[112] Preamble to the Final Rule, p. 17.
[113] CFPB, Required Rulemaking on Personal Financial Data Rights; Industry Standard Setting (June 5, 2024), available here.
[114] See CFPB, Applications for open banking standard setter recognition (Last visited Oct. 28, 2024), https://www.consumerfinance.gov/personal-financial-data-rights/applications-for-open-banking-standard-setter-recognition/.