By Patti Murphy
The Consumer Financial Protection Bureau unveiled a personal financial data rights rule set intended to provide consumers with greater control over what organizations can have access to their critical banking information, and to what extent, in furtherance of a trend that has come to be known as "open banking."
The consultancy Deloitte dubbed Europe the "cradle of open banking" in recognition of the fact that, in accordance with government standards, the European Union's Payment Services Directive (PSD2) and the United Kingdom's Open Banking Standard pioneered the notion of secure sharing of consumer financial data between traditional financial institutions and other financial services providers.
But over the years, open banking has been defined differently by different governments and even by providers of different types of financial services. In the United States there has been an obvious lack of coordination and standardization.
In a 2024 report titled Open banking, open possibilities: Unlocking the power of financial data for payments and financial services, Visa stated that "consumer adoption of experiences powered by open banking is nearing ubiquity, with 91 percent of U.S. consumers already benefiting from them." The report points to the use of debit and credit cards to make routine bill payments, or ACH transactions to fund investment accounts, as examples of open banking.
Mastercard and JPMorgan have collaborated on an ACH-based pay-by-bank solution that uses open banking technology developed by Mastercard. The two began piloting the solution in 2023 with "a small number of U.S. billers and merchants," according to a Mastercard press release. But until now, the United States has had no regulatory guardrails.
The new CFPB rule aims to govern data sharing between all manner of financial services firms, making it easier for consumers to switch providers without incurring costs or risking financial privacy or data security, the consumer watchdog agency said. "The rule moves the United States closer to having a competitive, safe, secure and reliable 'open banking' system," the CFPB said in a statement.
CFPB Director Rohit Chopra, in remarks delivered at the Federal Reserve Bank of Philadelphia, likened the current market to the early years of wireless telephones when consumers had to jump through hoops and get new phone numbers whenever they wanted to change carriers—until the Federal Communications Commission stepped in.
Today, when a consumer has a checking account, credit card or mobile wallet, the provider holds much of their personal information and can make it difficult or costly to port that information accurately over to a competitor, Chopra noted.
"To make our banking and payments market more competitive, it needs to be open and decentralized using a common set of data standards, free of powerful gatekeepers and middlemen that can impose private regulations and extract fees," he said.
The Dodd-Frank Act, which created the CFPB, contains a provision (known as Section 1033) that, according to the CFPB, gave it authority to establish such portability rules. But the agency has been mired in controversy from the get-go, including a legal tussle over its funding, which comes from the Federal Reserve.
The CFPB said compliance with the new rule would be implemented in phases, with the largest firms compelled to comply by April 1, 2026; the smallest firms would have four additional years.
Opponents wasted no time letting their opinions be known about the CFPB's efforts to establish implementing regulations for Section 1033.
The Bank Policy Institute, a bank advocacy group, and the Kentucky Bankers Association filed a lawsuit in U.S. District Court in Kentucky on the day the rule was announced. Coming in at 56 pages, the lawsuit argues that the CFPB overstepped its authority and that the rule jeopardizes consumers' privacy, financial data and account security. The court has been asked to halt implementation.
"Claiming the authority of a provision of the Dodd-Frank Act enacted more than 14 years ago, the bureau now seeks to jettison [a] developing, industry-driven system and replace it with a complicated, costly and fundamentally insecure data-sharing framework," the legal filing states in part.
Chopra balked at the lawsuit. During an appearance at the Money 20/20 conference he said, "I haven't read their lawsuit, and I don't think they read the rule," according to a report published by Payments Dive.
Consumer Bankers Association President and CEO Lindsey Johnson said in a statement the "rule severely misses the mark." Johnson described as "inaccurate" CFPB assertions that the rule set is necessary to increase marketplace competition. "Indeed, the consumer credit card and deposit account markets specifically are highly competitive, and the CFPB should not rely on mischaracterizations of the marketplace to justify the necessity of this rulemaking," she said.
Merchants appear to be rallying behind the new CFPB rule, characterizing it as a pathway to avoiding contentious credit and debit card fees.
"Retailers need to pay close attention to developments with open banking and the potential it offers as an alternative to the costly way payments are currently processed," Stephanie Martz, general counsel at the National Retail Federation, said in a statement.
Rehashing the retail industry's ongoing issues over Visa and Mastercard interchange fees, and the impact of those fees on small businesses and the subsequent cost of goods, Martz suggested that open banking "could cut out these middlemen and create competition that would benefit small businesses and consumers alike."
The NRF does have concerns around how open banking will play out in the United States, however. The trade group gave a thumbs down to a proposal by the Financial Data Exchange (FDX) to be the nation's open banking standards setter. The CFPB put out a call for a private sector standards setter in June, along with a set of qualifications it said would need to be met to be assigned the task. To date, FDX has been the only organization to apply.
FDX, a subsidiary of the Financial Services Information Sharing and Analysis Center (FS-ISAC), is a standards body made up of financial institutions, financial technology firms, payment networks and other stakeholders in the financial sector. Members include most of the largest banks in the United States and Canada, as well as Visa, Mastercard and Discover, in addition to companies like Amazon.com.
In a comment letter submitted to the CFPB, the NRF took issue with the fact that FDX, in its application, stated that only members may participate in the standards-setting process. "Data standards for an inclusive open banking system should be constructed with input from all interested parties at all levels. Instead, FDX will prioritize the needs of its members," the NRF complained.
The CBA appears to disagree. In a 2023 comment letter to the CFPB it said a financial services industry standards-setting body, such as FDX, would be the "most efficient way to facilitate both innovation and interoperability" for open banking.
The CFPB's notice of its personal financial rights rule is general, leaving the details to a 594-page Federal Register notice. The announcement highlights consumer rights and protections, such as:
But key considerations are absent from the announcement and the rule itself.
"We are supportive of creating a framework for open banking but have some concerns that the final rule does not prohibit screen scraping, nor [does it] lay out a framework for establishing liability in the event of a hack," Scott Talbott, executive vice president at the ETA, said in an email to The Green Sheet. "Policymakers should view open banking holistically – from benefits to defenses."
Screen scraping is a commonly used process for sharing financial information. It involves a third party (for example, a personal finance software tool) obtaining a customer's login credentials in order to "scrape" that user's account information at various service providers. It can be risky, however, as the consumer lacks control over what data is being "scraped," how frequently, or even whether or how long data is retained. As a result, some banks block screen scraping.
The ETA is not alone in expressing concerns about screen scraping. The BPI-KBA lawsuit mentions it as well, as did numerous large banks in comments submitted during the CFPB's consideration of the new rule set.
The CBA has been vocal about the need for strict data security standards associated with rulemaking around consumer financial data rights and assessments of liabilities in the event of data hacks.
"Many nonbank third parties and data aggregators are not subject to the same data security and privacy standards as banks, including normal course of business examinations by a federal agency, which leaves consumer data exposed to potential bad actors when it leaves a regulated and supervised financial institution," the CBA wrote in a 2023 comment letter to CFPB.
Any rules implemented by CFPB "must include a clear liability standard for all parties in the data access ecosystem, and liability for consumer recourse should be imposed on the party that was in control of the consumer's data at the time of the breach or action," CBA added.
Patti Murphy, self-described payments maven of the fourth estate, is senior editor at the Green Sheet. She also co-hosts the Merchant Sales Podcast, and is president of ProScribes Ink.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.