Community Bank Impact of CFPB “Open Banking” Proposed Rule

November 9, 2023 Advisory

In October 2023 the Consumer Financial Protection Bureau (CFPB) proposed a new rule to facilitate “open banking” by requiring banks and other financial institutions to establish and maintain online “interface” portals to allow consumers, “authorized third parties” and “data aggregators” to access consumer account information.

Although CFPB Director Rohit Chopra has indicated that the rule could help small banks “steal the lunch” of larger competitors, those small banks will have to persevere through the rule’s significant threshold costs and burdens before getting a chance to commandeer anyone else’s lunch – or otherwise gaining a competitive advantage.

Purpose of Rule. The CFPB intends that the rule will streamline consumer access and use of account data, allow consumers to compare terms of accounts between providers and use that information to choose the best service providers. The rule intends to allow consumers to share their account information with third parties on secure systems without sharing consumer account credentials, and it effectively prohibits banks from allowing “screen scraping”[i] on the interfaces.

Online Interfaces. The rule will require each covered bank to establish and maintain a “consumer interface” (for customers) and a “developer interface” (for authorized third parties and data aggregators) that allow users to access certain account-related data online upon request in a standardized digital format set by the rule. The rule requires various authentication and cybersecurity protections to be utilized in connection with the interfaces. Developer interfaces must meet specified access and response rate requirements.

Fee Prohibition. The proposed rule will create significant costs for most banks to establish the IT systems and protections and compliance structures mandated by the rule. Despite these costs and the risks banks will incur in providing and maintaining the required interface portals, the CFPB rule prohibits banks (and other covered providers) from charging any fee to consumers, third parties or data aggregators for use of the portals to recoup IT costs and defray cost of related risks.[ii]

Scope of Rule. The rule is applicable to essentially all banks[iii] – exempting only banks that do not offer basic online bank deposit account services (i.e., a “consumer interface”). So, even most of the smallest banks in the U.S. will be required to implement the sophisticated online interface portals required, related cybersecurity protection systems and related legal, regulatory, risk management and corporate governance policies and procedures. Those banks will have to maintain and update those portals, systems, policies and procedures each year – all to the same extent as the biggest Wall Street banks, which already have a predictably big head start. 

Types of Accounts Covered. Initially, the rule will only apply to Regulation E accounts (e.g., bank deposit accounts), credit card accounts governed by Regulation Z and facilitation of payment from those accounts. So, for example, the rule as proposed does not cover home loans or car loans. However, the CFPB has clearly indicated that it will consider expanding the rule’s scope after its initial rollout.

Types of Data Covered. The interfaces must provide access to a litany of specified, current account information upon request, including account balances, transaction information, terms and conditions of the account, information to initiate payments, upcoming billing information, account verification information, etc. The information must be provided in the required electronic form.

Access and Authentication Requirements. Before allowing access to account information via an interface, the rule requires banks to authenticate the identity of consumers, third parties and data aggregators and also to verify the authorization of the third parties and aggregators and the scope of that authorization. Access may be denied based on “reasonable” “risk management concerns,” and the bank is required to document the specific reason for those risk management concerns. Banks will be required to properly process a consumer’s termination or extension of third-party access. The rule also includes requirements for the third parties and data aggregators and limits on how they can use the data acquired.

Public Disclosures. The rule requires banks to post on their websites (in prescribed formats) certain information about the bank and its developer interface and a monthly rule-prescribed “quantitative minimum performance specification,” which is a response rate for the bank’s developer interface.

Policies and Procedures/Record Retention. The rule includes significant requirements for written policies and procedures to address compliance with the rule and specific record retention requirements.

Potential Rule Revisions. The rule is not final at this point, and comments are due on the proposed version by Dec. 29, 2023. The rule cannot become final until those comments are processed and a final rule is issued and published. Such final rule could change based on comments received on the proposed rule.

Effective Dates. The required compliance dates for banks in the proposed rule are:

  • $500B+ total assets – six months after final rule publication
  • $50B to $500B total assets – one year after final rule publication
  • $850M to $50B total assets – two-and-a-half years after final rule publication
  • Less than $850M total assets – four years after final rule publication

Key Legal and Risk Considerations.

  • Cyber Risk Issues. Despite the rule’s focus on cyber risk, it will likely open up new opportunities for hackers and fraudsters to steal consumer financial data and funds. Over the last several years cyber fraud incidents have been skyrocketing, and community banks can expect an additional layer of cyber risk and related costs due to the rule’s mandate of “developer interfaces.” The rule does not include any type of regulatory “hold harmless” provision to protect banks that are forced by the rule to allow third parties to access consumer account data and to incur related risks from hacking, fraud, identify theft, data breaches, etc.
  • Shifting Risk by Contract. Banks should consider implementing contractual provisions (e.g., liability limits and indemnification) to shift risk to consumers who authorize other parties to access their accounts and to those third parties. The rule appears to be silent on this issue. Some risks may not be transferable.
  • Potential Litigation Risk. The primary enforcement vehicle for the rule against banks will be the CFPB (or other applicable regulatory authority) using exam findings or enforcement actions. However, the obligations under the rule will likely be used to facilitate or bolster private rights of action under state common law, contract law and consumer protection law.

[i] “Screen scraping” usually involves a customer providing account access credentials to a third party to access the customer’s online financial account and extract data from it to be used to offer the customer a service (such as comparisons of pricing and terms among providers or budget/financial analysis) by entering the data into another application.

[ii] Note that banks with $10B+ in total assets are already subject to a related CFPB restriction on fees for customer information access under a recent CFPB Advisory Opinion published at 88 Fed. Reg. 71279.

[iii] The rule also applies to credit unions and certain nondepository institutions. Specifically, it applies to any financial services provider that is a “financial institution” under Regulation E (12 CFR 1005) or a “card issuer” under Regulation Z (12 CFR 1026) or that controls or possesses information and certain account data regarding the types of accounts covered by the rule. The rule refers to all of these entities as “data providers.”

Contact Us
  • Worldwide
  • Boston, MA
  • Chicago, IL
  • Denver, CO
  • Dublin, Ireland
  • Edwardsville, IL
  • Jefferson City, MO
  • Kansas City, MO
  • Las Vegas, NV
  • London, England
  • Miami, FL
  • New York, NY
  • Orange County, CA
  • Philadelphia, PA
  • Princeton, NJ
  • Salt Lake City, UT
  • St. Louis, MO
  • Washington, D.C.
  • Wilmington, DE
abstract image of world map
Boston, MA
800 Boylston St.
30th Floor
Boston, MA 02199
Google Maps
Boston, Massachusetts
Chicago, IL
100 North Riverside Plaza
Suite 1500
Chicago, IL 60606-1520
Google Maps
Chicago, Illinois
Denver, CO
4643 S. Ulster St.
Suite 800
Denver, CO 80237
Google Maps
Denver, Colorado
Dublin, Ireland
Fitzwilliam Hall, Fitzwilliam Place
Dublin 2, Ireland
Google Maps
Edwardsville, IL
115 N. Second St.
Edwardsville, IL 62025
Google Maps
Edwardsville, Illinois
Jefferson City, MO
101 E. High St.
First Floor
Jefferson City, MO 65101
Google Maps
Jefferson City, Missouri
Kansas City, MO
2345 Grand Blvd.
Suite 1500
Kansas City, MO 64108
Google Maps
Kansas City, Missouri
Las Vegas, NV
7160 Rafael Rivera Way
Suite 320
Las Vegas, NV 89113
Google Maps
Las Vegas, Nevada
London, England
Royal College of Surgeons of England
38-43 Lincoln’s Inn Fields
London, WC2A 3PE
Google Maps
Miami, FL
355 Alhambra Circle
Suite 1200
Coral Gables, FL 33134
Google Maps
Photo of Miami, Florida
New York, NY
7 Times Square, 44th Floor
New York, NY 10036
Google Maps
New York City skyline
Orange County, CA
19800 MacArthur Boulevard
Suite 300
Irvine, CA 92612
Google Maps
Philadelphia, PA
2005 Market Street
29th Floor, One Commerce Square
Philadelphia, PA 19103
Google Maps
Philadelphia, Pennsylvania
Princeton, NJ
100 Overlook Center
Second Floor
Princeton, NJ 08540
Google Maps
Princeton, New Jersey
Salt Lake City, UT
222 South Main St.
Suite 1830
Salt Lake City, UT 84101
Google Maps
Salt Lake City, Utah
St. Louis, MO
7700 Forsyth Blvd.
Suite 1800
St. Louis, MO 63105
Google Maps
St. Louis, Missouri
Washington, D.C.
1717 Pennsylvania Avenue NW
Suite 400
Washington, DC 20006
Google Maps
Photo of Washington, D.C. with the Capitol in the foreground and Washington Monument in the background.
Wilmington, DE
1007 North Market Street
Wilmington, DE 19801
Google Maps
Wilmington, Delaware