Community Bank Impact of CFPB “Open Banking” Proposed Rule
In October 2023 the Consumer Financial Protection Bureau (CFPB) proposed a new rule to facilitate “open banking” by requiring banks and other financial institutions to establish and maintain online “interface” portals to allow consumers, “authorized third parties” and “data aggregators” to access consumer account information.
Although CFPB Director Rohit Chopra has indicated that the rule could help small banks “steal the lunch” of larger competitors, those small banks will have to persevere through the rule’s significant up-front costs and burdens before getting a chance to commandeer anyone else’s lunch – or otherwise gaining a competitive advantage.
Purpose of Rule. The CFPB intends that the rule will streamline consumer access and use of account data, allow consumers to compare terms of accounts between providers and use that information to choose the best service providers. The rule intends to allow consumers to share their account information with third parties on secure systems without sharing consumer account credentials, and it effectively prohibits banks from allowing “screen scraping”[i] on the interfaces.
Online Interfaces. The rule will require each covered bank to establish and maintain a “consumer interface” (for customers) and a “developer interface” (for authorized third parties and data aggregators) that allow users to access certain account-related data online upon request in a standardized digital format set by the rule. The rule requires various authentication and cybersecurity protections to be utilized in connection with the interfaces. Developer interfaces must meet specified access and response rate requirements.
Fee Prohibition. The proposed rule will create significant costs for most banks to establish the IT systems, protections and compliance structures mandated by the rule. Despite these costs and the risks banks will incur in providing and maintaining the required interface portals, the CFPB rule prohibits banks (and other covered providers) from charging any fee to consumers, third parties or data aggregators for use of the portals, whether to recoup IT costs or to defray the cost of related risks.[ii]
Scope of Rule. The rule is applicable to essentially all banks[iii] – exempting only banks that do not offer basic online bank deposit account services (i.e., a “consumer interface”). So, even most of the smallest banks in the U.S. will be required to implement the sophisticated online interface portals required, related cybersecurity protection systems and related legal, regulatory, risk management and corporate governance policies and procedures. Those banks will have to maintain and update those portals, systems, policies and procedures each year – all to the same extent as the biggest Wall Street banks, which already have a predictably big head start.
Types of Accounts Covered. Initially, the rule will only apply to Regulation E accounts (e.g., bank deposit accounts), credit card accounts governed by Regulation Z and facilitation of payment from those accounts. So, for example, the rule as proposed does not cover home loans or car loans. However, the CFPB has clearly indicated that it will consider expanding the rule’s scope after its initial rollout.
Types of Data Covered. The interfaces must provide access to a litany of specified, current account information upon request, including account balances, transaction information, terms and conditions of the account, information to initiate payments, upcoming billing information, account verification information, etc. The information must be provided in the required electronic form.
Access and Authentication Requirements. Before allowing access to account information via an interface, the rule requires banks to authenticate the identity of consumers, third parties and data aggregators, and also to verify that third parties and aggregators are in fact authorized by the consumer and to confirm the scope of that authorization. A bank may deny access only on a “reasonable” basis, such as a “risk management concern,” and it must document the specific concern that prompted the denial. Banks will be required to properly process a consumer’s termination or extension of third-party access. The rule also includes requirements for the third parties and data aggregators and limits on how they can use the data acquired.
Public Disclosures. The rule requires banks to post on their websites (in prescribed formats) certain information about the bank and its developer interface and a monthly rule-prescribed “quantitative minimum performance specification,” which is a response rate for the bank’s developer interface.
Policies and Procedures/Record Retention. The rule includes significant requirements for written policies and procedures to address compliance with the rule and specific record retention requirements.
Potential Rule Revisions. The rule is not final at this point; comments on the proposed version are due by Dec. 29, 2023. The rule cannot become final until those comments are processed and a final rule is issued and published, and the final rule could change based on the comments received on the proposed rule.
Effective Dates. The required compliance dates for banks in the proposed rule are:
- $500B+ total assets – six months after final rule publication
- $50B to $500B total assets – one year after final rule publication
- $850M to $50B total assets – two-and-a-half years after final rule publication
- Less than $850M total assets – four years after final rule publication
Key Legal and Risk Considerations.
- Cyber Risk Issues. Despite the rule’s focus on cyber risk, it will likely open up new opportunities for hackers and fraudsters to steal consumer financial data and funds. A developer interface is a new, internet-facing, credentialed API surface, and the third parties and data aggregators that hold credentials for it sit outside the bank’s security control; a compromise on their side arrives at the bank as apparently authorized requests. Over the last several years cyber fraud incidents have been skyrocketing, and community banks can expect an additional layer of cyber risk and related costs due to the rule’s mandate of “developer interfaces.” The rule does not include any type of regulatory “hold harmless” provision to protect banks that are forced by the rule to allow third parties to access consumer account data and to incur related risks from hacking, fraud, identity theft, data breaches, etc.
- Shifting Risk by Contract. Banks should consider implementing contractual provisions (e.g., liability limits and indemnification) to shift risk to consumers who authorize other parties to access their accounts and to those third parties. The rule appears to be silent on this issue. Some risks may not be transferable.
- Potential Litigation Risk. The primary enforcement vehicle for the rule against banks will be the CFPB (or other applicable regulatory authority) using exam findings or enforcement actions. However, the obligations under the rule will likely be used to facilitate or bolster private rights of action under state common law, contract law and consumer protection law.
[i] “Screen scraping” usually involves a customer providing account access credentials to a third party, which logs in to the customer’s online financial account and extracts data from it to be used to offer the customer a service (such as comparisons of pricing and terms among providers or budget/financial analysis) by entering the data into another application. Because the third party holds the customer’s own login credentials, it receives the same access the customer has (not just read access to data), and the bank cannot distinguish the third party’s logins from the customer’s own.
[ii] Note that banks with $10B+ in total assets are already subject to a related CFPB restriction on fees for customer information access under a recent CFPB Advisory Opinion published at 88 Fed. Reg. 71279.
[iii] The rule also applies to credit unions and certain nondepository institutions. Specifically, it applies to any financial services provider that is a “financial institution” under Regulation E (12 CFR 1005) or a “card issuer” under Regulation Z (12 CFR 1026) or that controls or possesses information and certain account data regarding the types of accounts covered by the rule. The rule refers to all of these entities as “data providers.”