The Consumer Financial Protection Bureau (CFPB) has finalized a rule that lays the groundwork for open banking in the U.S. financial system. But this rule has sparked mixed reactions within the industry, reflecting both enthusiasm and concerns.
Announced on Tuesday, the new rule mandates that financial providers — including banks and credit card issuers — share personal financial data for free with their peers when customers request it. The goal is to empower consumers to switch providers more easily by enabling them to transfer data on bank accounts, credit cards, mobile wallets and payment apps, among other things.
“Too many Americans are stuck in financial products with lousy rates and service,” CFPB Director Rohit Chopra said in a statement. “Today’s action will give people more power to get better rates and service on bank accounts, credit cards, and more.”
In the mortgage space, lenders and servicers are not required to make data available when acting in that capacity. Under the final rule, “first-party” payments, including those initiated by a loan servicer, are not covered. However, if these companies want to use consumer-permissioned data (for example, to facilitate underwriting), they would be subject to the third-party portions of the rule.
During a speech at the Federal Reserve Bank of Philadelphia on Tuesday, Chopra said that the CFPB will develop a roadmap for the next set of rules to advance open banking, including mortgages.
“This first rule covers a wide range of accounts for payments and transactions. We are considering a number of other use cases, such as how to reduce costs and complexity in the mortgage market.”
The CFPB is activating Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act, a 14-year-old rule, to start open banking in the U.S. Additional rules will follow to cover more products, services and use cases, according to the CFPB.
One of the rule’s main provisions addresses privacy protection. The CFPB requires that the data be used only for the purposes requested by the consumer, and access cannot exceed one year without explicit reauthorization. When requested by the customer, data access must be ended immediately.
The rule also targets risky practices like “screen scraping,” when customers share their passwords with third parties who use them to access data indiscriminately on online banking portals. It also targets “bait-and-switch data harvesting,” where data is used under false pretenses, such as offering loans using targeted advertising data.
The largest financial institutions — banks holding at least $250 billion in total assets and nondepository institutions generating at least $10 billion in 2023 or 2024 — must comply with the rules by April 1, 2026.
Meanwhile, smaller institutions — providers that hold more than $850 million and less than $1.5 billion in assets — have until April 1, 2030. Small banks and credit unions are not subject to this rule.
Industry reactions
Some stakeholders, especially fintech companies and consumer advocacy groups, have welcomed the rule as a catalyst for financial inclusion. But traditional financial institutions have expressed concerns about data security, privacy risks and the potential cost of compliance.
Following the announcement, Consumer Bankers Association (CBA) president and CEO Lindsey Johnson said that the CFPB “exceeds its statutory authority” by “enabling thousands of third parties to access consumers’ data.” She also objected to the argument that this rule is needed to increase competition.
“Many CBA members support an open-banking framework. Nevertheless, even if the Bureau has the statutory authority to utilize this rulemaking to introduce an open banking framework, this final rule severely misses the mark as it failed to incorporate much of the critical feedback provided by industry through the comment period,” Johnson said.
“This has created an even less durable final rule that does not reflect market, technological, and practical realities.”
Eric Lapin, president of FormFree, a fintech company that helps mortgage lenders verify borrowers’ ability to pay, welcomed the rule. He said the “stage is set for a more data-driven lending environment.”
“Consumers now control their financial data, sharing it securely with third parties. Lenders get real-time, permissioned data like transactions and balances, making mortgage decisions smarter and more accurate,” Lapin said.