Opening a Can of Worms: CFPB Releases the 1033 Open-Banking Rule
The Consumer Financial Protection Bureau ("CFPB") issued the final version of the Section 1033 "Open Banking" Rule on October 22, 2024, which will require banks and other providers of financial services to make covered data available to consumers and authorized third parties upon request. The rule is intended to increase consumers' ability to shop for and transition between financial service providers and to eliminate more rudimentary and less secure methods of obtaining this data, such as screen scraping.
Compliance with the Open Banking Rule will begin on April 1, 2026 for banks with more than $250 billion in assets, with smaller banks being added every subsequent April 1. Banks over $10 billion must comply in 2027, followed by banks over $3 billion in 2028, banks over $1.5 billion in 2029, and banks over $850 million in 2030. Asset size is determined by averaging assets reported from the third quarter of 2023 to the second quarter of 2024, although the rule provides that financial institutions that are below $850 million will be required to comply "within a reasonable amount of time … not to exceed five years" after crossing the $850 million threshold.
The Rule requires banks and others to share consumer data with the consumer and, at the consumer's request, with third parties. The data required to be shared includes 24 months' transaction history, account balances, information to initiate payments (including account numbers and routing numbers), account terms and conditions, bill pay information, and basic account information like the consumer's contact information.
The rule requires subject banks to maintain consumer and developer interfaces that will make machine-readable files available on request. The interfaces are additionally required to comply with the data security requirements in the Gramm-Leach-Bliley Act ("GLBA"); banks may deny requests for information that present specified data security risks. Much of the detail on how this process will work is unlikely to be truly clear until standard-setting organizations ("SSOs") are recognized and begin to promulgate standards pursuant to the CFPB's related rule on recognizing SSOs.
The intention behind the rule is that financial service providers will be able to obtain information about consumers' accounts with other providers to facilitate transitions, like a consumer moving their deposit accounts from one provider to another. For this reason, banks that are not subject to the rule or banks that have not yet reached their mandatory compliance date will likely still want to comply with the requirements for third parties as soon as possible, so that they will be able to assist consumers looking to switch from an institution that is covered by the rule.
Requests for consumer data must be limited to information necessary to provide consumer-requested services; banks may not request additional information to use for things like advertising or marketing. The authorization the bank obtains from the consumer must disclose the names of the parties providing and receiving the information including any data aggregator involved, a description of the requested services, the categories of data to be accessed, a certification statement indicating how the data will be used, the duration of access, and instructions on revoking access.
Certain aspects of the rule – the requirement to share with third parties rather than just the consumer, the scope of the data to be shared, the SSO plan, the compliance dates, the fee prohibition – are currently being challenged in the courts. Compliance Alliance will continue to monitor those cases and provide members with updates on any changes. In the meantime, feel free to reach out to our Hotline with any questions or concerns you have about the requirements for this rule.
Long-Term Delays and Short-Term Loans: Getting Ready for the "Payday Lending Rule"
In light of the final decision in Consumer Financial Protection Bureau v. Community Financial Services Association of America (CFPB v. CFSA), the CFPB has announced that the "Payday Lending Rule" will go into effect on March 30, 2025. The Payday Lending Rule was initially set to become effective in 2019, but an injunction issued in the CFPB v. CFSA case delayed the rule until the case was finally resolved in June of 2024.
The Payday Lending Rule will apply to short-term consumer loans with terms under 45 days, loans with balloon payments, and loans with a leveraged payment mechanism and an APR over 36%, but there are exceptions, including purchase money loans, certain mortgage loans, credit card accounts, student loans, and overdraft lines of credit. Loans that meet certain "alternative loan" criteria may also be exempt. There are also exemptions for lenders that make fewer than 2,500 covered loans per year and do not derive more than 10% of their receipts from covered loans.
For loans that are covered by the rule, however, there are restrictions on how payments may be taken. If a bank has made two unsuccessful attempts at payment transfers, additional attempts would be considered an unfair and abusive practice unless the bank obtains a new authorization from the consumer. This restriction applies to all payment methods, so it would include redepositing a check, charging a debit card, or initiating an ACH transfer. If the payment is being pulled from an account at the bank, additional transfer attempts would not violate the rule as long as the bank does not charge the consumer a fee for insufficient funds and the bank does not close the account due to a negative balance that results from the payment.
There are also notices that the bank must provide to the consumer under the Rule:
- First payment withdrawal notice. The bank must notify the consumer prior to initiating the first payment withdrawal from a consumer's account.
- Unusual payment withdrawal notice. The bank must notify the consumer before initiating a payment in an unusual amount, on an unusual date, through an unusual payment channel, or for the purpose of re-initiating a returned transfer.
- Consumer rights notice. The bank must notify the consumer of certain rights after the bank has initiated two consecutive failed payment transfers.
In advance of the new effective date, institutions will want to make sure they have determined the extent to which it may apply to loan products that they offer, update procedures to ensure compliance, and ensure that the bank is prepared to send required notices to consumers.
As always, the advisors on the Compliance Hotline are available to answer any questions you have about these requirements.
Climate-Related Risk Management: More Than A BCP
As many of our members begin to work on recovering – and assisting the communities they serve in recovering – from two recent intense hurricanes to hit the United States, it seems timely to take a look at the climate-related risks that banks are currently facing. A recent bulletin from the Federal Housing Finance Agency (FHFA) provides guidance to Federal Home Loan Banks (FHLBanks) on how they should prepare for future natural disasters from a risk management perspective. While this guidance is limited to FHLBanks, it may also serve as a useful starting point for other banks looking to ensure that they are effectively managing climate-related risks.
Under the FHFA guidance, the bank's board, in fulfilling its obligation to ensure safe and sound operations, should oversee the management of climate-related risks. This should include incorporating climate risk into the three lines of defense to ensure that appropriate responsibilities are delegated to business lines and audit, in addition to risk management. It will also require the board to be aware of relevant risks, laws and regulations, metrics, disclosure and reporting requirements, and pertinent risk management activities, to ensure that the board's decision making is well-informed.
Risk assessments will be the starting point for effective climate-related risk management. The FHFA guidance lists five example risks in a non-exhaustive list:
- Credit risk: climate change may materially alter collateral values; extreme weather events may affect consumers' creditworthiness to the extent that they may suffer physical harms or be required to relocate.
- Liquidity risk: cash inflows and outflows may be affected by climate events.
- Market risk: climate change may lead to sudden shifts in real estate markets.
- Operational risk: climate events may lead to business disruptions for banks, third parties, and other business partners.
- Legal and Compliance risk: climate-related risks are identified as a fair lending concern for FHLBanks.
These risks should be incorporated into the bank's overall risk framework and risk appetite, which will in turn be used to shape existing policies and procedures and inform the bank's overall strategy and business objectives. Ongoing risk mitigation and monitoring should be aligned with the risk appetite and based on relevant metrics and data.
The metrics and data that are relevant and available may change over time, so it is also important that banks continue to enhance the collection and maintenance of this information in order to quantify exposures and assess the effectiveness of any mitigation measures taken. The risk management process should endeavor to identify and close any gaps in the available data to improve the accuracy of the bank's methods and modeling. The FHFA encourages banks to use this data to improve climate-related scenario analyses, which it describes as an important approach for identifying, measuring, and managing climate-related financial risk.
Hurricanes are, of course, top of mind in the aftermath of Helene and Milton, which serve as a reminder that disaster preparedness is essential for banks, both for ensuring physical safety and for serving their communities during times of greatest need. The FHFA guidance focuses on a different type of disaster preparedness that includes responding to sudden, catastrophic events as well as long-term planning to manage the cumulative risks presented by changes in the climate.
AML Act Implementation: FinCEN's Proposed AML/CFT Rule
On July 3, 2024, FinCEN issued a Notice of Proposed Rulemaking ("NPRM") on Anti-Money Laundering and Countering the Financing of Terrorism ("AML/CFT") Programs. The primary focus of the proposed rule is to ensure that AML/CFT programs are risk-based and appropriately tailored to each financial institution. The most significant change the NPRM contains is the requirement for banks to establish a robust risk assessment process.
The proposed rule would require banks to identify, evaluate, and document AML/CFT risk. Under the rule as proposed, banks' risk assessment processes should consist of several components:
(1) A risk assessment process that serves as the basis for the financial institution's AML/CFT program: A bank's risk identification should be based on the AML/CFT Priorities; the bank's activities, products, services, distribution channels, customers, intermediaries, and geographic locations; and the bank's filed AML/CFT reports, such as CTRs and SARs.
The NPRM defines "distribution channels" as "the methods and tools through which a financial institution opens accounts and provides products or services, including, for example, through the use of remote or other non-face-to-face means." As FinCEN noted recently in a report on check fraud, bad actors often prefer to engage with banks through non-face-to-face distribution channels.
The program would have to be updated periodically and, specifically, when a bank's material risks change. The purpose of the requirement is to focus the bank's attention and resources in a way that is consistent with the institution's risk profile. The NPRM does not require that banks adhere to a specific methodology or format for the risk assessment.
(2) Reasonable management and mitigation of risks through internal policies, procedures, and controls: Banks may not need to make any changes to meet this requirement, as they generally do already have policies, procedures, and controls in place to mitigate AML/CFT risks. The guidance in the NPRM does focus, however, on ensuring that the policies, procedures, and controls reflect the conclusions of the bank's risk assessment. Demonstrating that the bank is adjusting its policies, procedures, and controls in response to the findings in its risk assessments will likely be an important part of AML/CFT compliance.
(3) A qualified AML/CFT officer: The term "BSA Officer" will be updated to "AML/CFT Officer," but it does not appear that there will be substantive changes to this requirement.
(4) An ongoing employee training program: Banks should be able to demonstrate that the training provided, like policies and procedures, reflects the risks identified in the bank's risk assessments.
(5) Independent, periodic testing conducted by qualified personnel of the financial institution or by a qualified outside party: Although the NPRM adds a formal requirement that the personnel doing independent testing be "qualified," this will hopefully not require significant changes to banks' existing independent testing. If they are not already doing so, however, banks may want to make sure to document the qualifications of personnel performing independent testing.
(6) Other requirements depending on the type of financial institution, such as CDD requirements: The NPRM notes that CDD requirements may change as a result of upcoming changes to beneficial ownership requirements. See our recent newsletter on the status of the CTA implementation for more information on that.
Docs or It Didn't Happen: CFPB Circular on Overdraft Opt-Ins
On September 17, the CFPB issued a circular highlighting the expectation that banks retain evidence of consumers' election to participate in overdraft services, and more specifically, overdraft fees, covered by Regulation E.
Under Regulation E, a financial institution must obtain the consumer's consent, i.e., opt-in, before charging an overdraft fee on an ATM or one-time debit card transaction. In other words, Reg E requires the consumer's affirmative consent to impose overdraft fees and does not allow passive consent or enrollment by default that would require the consumer to affirmatively opt-out.
The CFPB Circular adds to this requirement by stating that the burden is on the bank to demonstrate that the consumer has opted in. In other words, if the bank does not have evidence of the consumer's election, the consumer may not be charged overdraft fees. The circular lists three types of evidence that would be considered adequate:
- A signed or initialed paper form
- A recording of a phone call in which the consumer opts into overdraft services
- A secure, unalterable, and dated electronic signature
One item notably absent from this list is a record maintained by bank staff during the normal course of business. In some instances, communications with consumers may be documented in the form of call notes; where an institution has a robust procedure for audit and review to ensure that call notes are reliable and accurate, they may suffice to demonstrate the content of a telephone conversation. It appears, however, that these types of records would not be sufficient to demonstrate consumer opt-in to overdrafts, based on the CFPB's Circular at least. Banks that do not keep call recordings indefinitely, or that may not have them adequately linked to the appropriate file, will therefore want to obtain wet ink or electronic signatures for overdraft consent.
The circular also mentions the CFPB's concern regarding UDAAPs in overdraft disclosures. Citing its recent action against TD Bank, the Bureau indicated that inaccurate descriptions of overdraft services may raise UDAAP concerns. The TD Bank settlement focused on whether the consumer was sufficiently informed that overdraft services were optional and that there was a cost associated with the services.
Because regulators have focused heavily on overdraft issues in recent years, banks may want to take a close look at both their overdraft opt-in forms and any scripts or training given to staff that offer overdraft services to consumers, with a focus on confirming that consumers are informed that there is a cost for overdraft services and also that participation in overdrafts is optional. Banks looking to avoid Reg E issues will therefore want to ensure that they are retaining evidence of both the disclosures provided to the consumer regarding Reg E overdraft services and the consumer's affirmative election of the services.
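To make the "secure, unalterable, and dated" property of an electronic opt-in record concrete from an engineering standpoint, the following is an added illustration written for this newsletter; it is not from the CFPB circular, not a statement of what the Bureau will accept as evidence, and not code from any bank's or vendor's system. It shows one way to produce a timestamped consent record that a bank can later prove has not been edited: the timestamp and the version of the disclosure the consumer saw are folded into the record, and a keyed hash (HMAC-SHA256) is computed over the whole thing, so changing the election, the date, or the disclosure reference afterward breaks verification. The field names, the sample account, and the signing key are all made up for the example; in practice the key would be held in a KMS or HSM and the record would come from the bank's e-signature platform, not a script.

```python
"""Tamper-evident, dated record of a consumer's overdraft opt-in.

Added illustration, not from the CFPB circular or any bank's system.
Assumption: the HMAC key is held in a KMS/HSM in real use; the one here is a
demo constant so the example runs stand-alone. This demonstrates the
engineering property (alteration is detectable), not legal sufficiency.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional, Tuple

# Hypothetical signing key: a placeholder for the example only.
DEMO_KEY = b"demo-overdraft-consent-key-not-for-production"


def canonical(record: dict) -> bytes:
    """Deterministic JSON so the same facts always produce the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_consent(record: dict, key: bytes,
                 signed_at: Optional[datetime] = None) -> dict:
    """Return a copy of `record` with a UTC timestamp and an HMAC over all fields.

    The timestamp is inside the signed payload, so back-dating or re-dating the
    record later changes the MAC and the record fails verification.
    """
    ts = (signed_at or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    payload = {**record, "signed_at": ts}
    mac = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {**payload, "mac": mac}


def verify_consent(signed: dict, key: bytes) -> bool:
    """True only if no field (timestamp included) changed since signing."""
    payload = {k: v for k, v in signed.items() if k != "mac"}
    expected = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking MAC bytes via timing.
    return hmac.compare_digest(expected, signed.get("mac", ""))


# Constructed sample opt-in: fictional account and disclosure version.
# The disclosure reference lets the bank retrieve exactly what the consumer
# saw (cost, optional nature) alongside the election itself.
SAMPLE_OPTIN = {
    "account_id": "DDA-000123456",
    "election": "opt_in",
    "scope": "ATM and one-time debit card overdraft service",
    "disclosure_version": "regE-optin-2024-09",
    "channel": "online_banking",
    "fee_disclosed": True,
    "optional_disclosed": True,
}


def demo() -> Tuple[bool, bool]:
    """Sign the sample record, then show that editing it breaks verification.

    Returns (intact_verifies, any_tampered_copy_verifies).
    """
    fixed_time = datetime(2024, 10, 1, 15, 30, tzinfo=timezone.utc)
    signed = sign_consent(SAMPLE_OPTIN, DEMO_KEY, signed_at=fixed_time)
    intact = verify_consent(signed, DEMO_KEY)

    # Flipping the election or re-dating the record invalidates the MAC.
    flipped = {**signed, "election": "opt_out"}
    redated = {**signed, "signed_at": "2023-01-01T00:00:00+00:00"}
    tampered_ok = verify_consent(flipped, DEMO_KEY) or verify_consent(redated, DEMO_KEY)
    return intact, tampered_ok


if __name__ == "__main__":
    ok, tampered_passes = demo()
    print("intact record verifies:", ok)
    print("flipped or re-dated record verifies:", tampered_passes)
```

Two design points worth noting: the MAC covers the timestamp and the disclosure version, so the record answers both questions the circular and the TD Bank action raise (when the consumer elected, and what they were told at the time), and a keyed hash only proves integrity to someone who trusts the key holder, so key custody and write-once retention of these records matter as much as the hash itself.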
As always, the advisors on the Compliance Hotline are available to answer any questions you have about these requirements. You may also submit your Reg E disclosures to our Review Team for specific feedback on potential concerns.