Steve Boms, Founder and President of Allon Advocacy, shares key insights on the CFPB's new rule, which strengthens data privacy, expands Open Banking, and reshapes bank-fintech ties.
The final rule prioritises privacy protections by requiring third parties to provide consumers with an authorisation disclosure. This disclosure specifies who will access the data, for what purpose, and for how long, and includes clear instructions on how consumers can opt out of data retention or usage at any time.
The rule restricts data usage strictly to the purpose the consumer has consented to, allowing no other secondary uses, except for improving the product or service covered by the initial consent. Additionally, the rule sets a maximum authorisation period of 12 months. If consumers don’t renew their consent, third parties must stop collecting and delete any previously authorised data.
It's a game-changer. While the US has already seen market-driven Open Banking, this rule levels the playing field so all consumers benefit, regardless of their bank. For instance, in payments, it can greatly expand access to Pay-by-Bank options, which offer lower transaction fees than credit or debit cards – savings that ultimately benefit consumers. It also broadens access to affordable credit by enabling cash flow-based underwriting.
Beyond third-party services, this competitive shift may prompt traditional financial institutions to lower fees and offer similar services at reduced costs. Increased competition will also encourage providers, whether banks or third parties, to work harder to earn customer loyalty – a positive outcome for consumers.
In some areas, the CFPB rule aligns fully with existing consumer data protection laws, but in others, it goes further. For example, its broad ban on secondary data usage extends beyond what’s seen in most jurisdictions.
Academic research, for instance, is not an allowed use case, unless consumers give explicit consent for it as the primary purpose, ensuring their data cannot be shared for research that might have unforeseen consequences. Similarly, data cannot be used to develop new products or services, nor for enhancing cash flow or credit models. While preventing 'bait and switch' practices is widely supported, this rule may be somewhat more restrictive than similar regulations elsewhere.
Overall, it compares quite favourably. However, it's important to clarify that this rule focuses solely on Open Banking – not Open Finance. The CFPB has limited its scope to checking, savings, credit card, and digital wallet accounts for now, unlike other markets that have moved faster to include broader account types like mortgages, auto loans, and small business accounts. This is an initial step, but one that aligns well with international frameworks. The resulting benefits are clear: more competition, lower fees, and increased innovation. Notably, the CFPB has emphasised that this rule is just the start, with more rules expected in the coming years, moving gradually toward a fully Open Finance model.
A major banking trade association quickly sued the CFPB, claiming this rule exceeded its statutory authority. This reaction is disappointing, especially since banks have long urged the CFPB to eliminate screen scraping and transition to APIs, which this rule accomplishes for covered accounts. It’s surprising how rapidly the banks were able to review the 600-page rule and file a lawsuit within 12 hours of its finalisation.
The future of bank-fintech relationships is complex; data sharing under Section 1033 is only one aspect. US prudential regulators have requested information on broader bank-fintech arrangements beyond data sharing. Ideally, regulators will clarify that data sharing under Section 1033 isn’t a traditional bank-fintech relationship but simply reflects consumers’ directive to share their data. This will, however, require further guidance from prudential regulators, which I hope to see.
I believe the CFPB's approach to timelines is quite reasonable. This aspect marks one of the most significant changes from last year's proposal to the finalised version. Smaller institutions will need time to implement APIs, and they will depend on their core providers for support. However, as we approach 2024, these institutions effectively have five and a half years to achieve compliance. During this period, the CFPB will recognise one or more standard-setting bodies, so banks won’t have to develop their own APIs; they can utilise the industry-approved technical standards with assistance from their core providers.
Moreover, I see small banks as key beneficiaries of this rule because Open Banking allows them to reach customers outside their traditional geographical areas. In an environment where smaller banks have been increasingly acquired by larger ones, this rule presents an opportunity for them to act not only as data providers but also as data recipients. Rather than viewing this as a challenge, I see it as a chance for small banks to explore innovative ways to enhance their competitiveness.
Steve Boms is the Founder and President of Allon Advocacy, LLC, a fintech and policy consulting firm based in Washington DC. Steve is also the Executive Director of the Financial Data and Technology Association of North America, which represents fintech companies and aggregation platforms. Steve has also been a contributor to the Open Banking/Open Finance Report 2022.
Allon Advocacy, LLC is a financial technology public policy consulting firm based in Washington DC.