CFPB finalizes ‘open banking’ rules for consumer data sharing

The top U.S. watchdog agency for consumer financial protection on Tuesday unveiled long-awaited rules intended to drive a shift toward open banking and spur competition, saying they would allow consumers to control and share their own data when shopping for services.

The new rules also aim to govern relations between the burgeoning world of financial technology companies and the competing interests of traditional banks, industries that immediately criticized the regulations for opposing reasons.

The banking lobby said the rule could jeopardize consumer data security and exceeded the agency’s legal powers. The American Fintech Council (AFC) on the other hand complained the consumer data provisions were too restrictive.

U.S. Consumer Financial Protection Bureau Director Rohit Chopra compared the transition to the rules that now allow mobile phone users to switch providers while keeping the same number, and said the coming change should help bring U.S. payments systems more in line with advances in other developed countries.

He also said the rule incorporates strong privacy protections and consumer choices.

“A company that ingests a consumer’s data can use the data to provide the product or service the consumer asked for, but not for unrelated purposes the consumer doesn’t want,” he said in a speech at a financial technology event held by the Federal Reserve Bank of Philadelphia.

First proposed a year ago, the new regulations were 14 years in the making, having been called for in the 2010 Wall Street reforms enacted following the 2008 financial crisis.

According to the CFPB, as the rules take effect, consumers will be able to transfer their data between banks free of charge and without obstacles. They will also be able to borrow on better terms, for example by allowing lenders to issue loans using data held by other financial institutions, and to make payments directly from their bank accounts rather than by card.

Consumers will also be able to revoke access to their data immediately, according to the CFPB.

Ahead of the announcement, CFPB officials said the agency had made some changes to the version originally proposed in response to concerns from industry and public comment, sparing banks with less than $850 million in assets from having to provide data, for example.

Companies will also have more time than originally proposed to come into compliance. Larger financial technology companies will have until 2026, while the smallest will have until 2030.

Data aggregators, such as Plaid and Akoya, who provide connections among banks and financial tech services, reacted favorably, saying the rule would promote the secure transfer of consumer data. But other trade groups said they were not happy.

Lindsey Johnson, head of the Consumer Bankers Association, said in a statement the CFPB had “contorted” the congressional statute authorizing the rule to enable “thousands of third parties’ to access consumers’ data.”

Ian Maloney, AFC’s head of policy, said however that the final rule improperly barred the “secondary use” of consumer data for cross-selling services and targeted advertising.

—Douglas Gillison, Reuters