The CFPB Aims to Ignite a Rush to Open Banking

On October 19, 2023, the CFPB released its Notice of Proposed Rulemaking (“NPRM”) regarding § 1033 of the Consumer Financial Protection Act, Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act.  The CFPB intends this “open banking” provision to enable consumers to share their financial information more easily, switch financial institutions more easily, and protect consumer financial information more effectively.  Director Chopra claims that doing so will increase competition for consumer financial services, improving customer service and lowering fees.

“Open banking,” sometimes referred to as “open finance,” denotes “the network of entities sharing personal financial data with consumer authorization.”  In broad strokes, the proposed rule requires anyone who retains consumer financial data to share that data only with authorized third parties, and only when the consumer requests it.  (It does not purport to prevent furnishers from sharing financial information with credit reporting agencies, although the CFPB has repeatedly demonstrated its doubts about the efficacy and accuracy of credit reporting.)

Comment on the proposed rule:

“With the right consumer protections in place, a shift toward open and decentralized banking can supercharge competition, improve financial products and services, and discourage junk fees,” said CFPB Director Rohit Chopra.  Director Chopra’s limitation—“with the right consumer protections in place”—shines a light on where the issues will arise.

The rule would give consumers a legal right to share their financial information with designated third parties of their choice without the holder of the information charging any so-called junk fees.  So how can providers assure themselves that the designated third party has “the right consumer protections in place” when the consumer chooses the third party?

Providers may, based on risk management, deny a request to share data with a third party.  But if a provider shares data with the “wrong” third party, who is liable?

Providers will have to develop clear policies and procedures to protect themselves from bad actors.  American Bankers Association President and CEO Rob Nichols argues that these third parties “must be held to the same high standards” and undergo “the same level of supervision related to data security” as providers must.

But as Consumer Bankers Association Senior Vice President Kelvin Chen warned, there must be a mechanism to protect consumers when they choose a bad actor that lacks the resources to make them whole.  Or, as Jim Nussle, President and CEO of Credit Union National Association put it, the proposed rules lack sufficient “safeguards to protect consumers from bad actors.”

As with any new rule, where you stand depends on where you sit.  We encourage all stakeholders to comment, whether on their own or through a trade association, here: