The Consumer Financial Protection Bureau (“CFPB”) issued the final version of the Section 1033 “Open Banking” Rule on October 22, 2024, which will require banks and other providers of financial services to make covered data available to consumers and authorized third parties upon request. The rule is intended to increase consumers’ ability to shop for and transition between financial service providers and to eliminate more rudimentary and less secure methods of obtaining this data, such as screen scraping.
Compliance with the Open Banking Rule will begin on April 1, 2026 for banks over $250 billion, with smaller banks being added every subsequent April 1. Banks over $10 billion will comply in 2027, followed by banks over $3 billion in 2028, banks over $1.5 billion in 2029, and banks over $850 million in 2030. Asset size is determined by averaging assets reported from the third quarter of 2023 to the second quarter of 2024, although the rule provides that financial institutions that are below $850 million will be required to comply “within a reasonable amount of time … not to exceed five years” after crossing the $850 million threshold.
The Rule requires banks and others to share consumer data with the consumer and, at the consumer’s request, with third parties. The data required to be shared includes 24 months’ transaction history, account balances, information to initiate payments (including account numbers and routing numbers), account terms and conditions, bill pay information, and basic account information like the consumer’s contact information.
The rule requires subject banks to maintain consumer and developer interfaces that will make machine-readable files available on request. The interfaces are additionally required to comply with the data security requirements in the Gramm-Leach-Bliley Act (“GLBA”); banks may deny requests for information that present specified data security risks. Much of the detail on how this process will work is unlikely to be truly clear until standard-setting organizations (“SSOs”) are recognized and begin to promulgate standards pursuant to the CFPB’s related rule on recognizing SSOs.
The intention behind the rule is that financial service providers will be able to obtain information about consumers’ accounts with other providers to facilitate transitions, like a consumer moving their deposit accounts from one provider to another. For this reason, banks that are not subject to the rule, or banks that have not yet reached their mandatory compliance date, will likely still want to comply with the requirements for third parties as soon as possible, so that they will be able to assist consumers looking to switch from an institution that is covered by the rule.
Requests for consumer data must be limited to information necessary to provide consumer-requested services; banks may not request additional information to use for things like advertising or marketing. The authorization the bank obtains from the consumer must disclose the names of the parties providing and receiving the information (including any data aggregator involved), a description of the requested services, the categories of data to be accessed, a certification statement indicating how the data will be used, the duration of access, and instructions on revoking access.
Certain aspects of the rule – the requirement to share with third parties rather than just the consumer, the scope of the data to be shared, the SSO plan, the compliance dates, the fee prohibition – are currently being challenged in the courts. Compliance Alliance will continue to monitor those cases and provide members with updates on any changes. In the meantime, feel free to reach out to our Hotline with any questions or concerns you have about the requirements for this rule.