The Open Banking Rule
On October 22, 2024, the Consumer Financial Protection Bureau (CFPB) finalized a rule interpreting and expanding on Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (the Open Banking Rule or Rule). Under the Rule, financial institutions, credit card issuers, and other financial providers (Data Providers) are required to provide Covered Data upon request from a Consumer or an Authorized Third Party (ATP).
“Covered Data” includes a lengthy list of categories of information, including transaction information, account balance information, account terms and conditions, upcoming bill information, and basic verification information. Covered Data excludes certain types of confidential, sensitive, or difficult-to-retrieve information (e.g., confidential commercial information, information gathered for fraud prevention, AML compliance, etc.). Further, to facilitate access to Covered Data, the Data Provider is required to establish and maintain “Consumer” and “Developer” interfaces that (a) allow the Covered Data to be accessed in a standardized, machine-readable format; (b) authenticate the requestor; (c) validate the request; (d) perform at a “commercially reasonable” level; and (e) comply with the GLBA Safeguards Rule, among other requirements.
Scoping Covered Data and Avoiding Over- and Under-Disclosure
Identifying the universe of Covered Data under the Rule—especially where the scope of that data may vary based on different product and service offerings—presents the first and most obvious challenge. It requires the Data Provider to clearly define and control what information must – and must not – be made available to Consumers and ATPs.
Risks of not inventorying pertinent data correctly include:
- Insufficient information to satisfy the Rule’s requirements;
- Providing too much information that includes confidential information or information subject to other legal requirements; and
- Providing information outside the scope of the request or services that the Consumer is using.
To combat the risks of over- and under-identification, Data Providers must first identify the universe of data elements they possess and then remove those elements that fall under an exception. Getting comfortable with the application of the exceptions to certain categories of data and use cases will require cross-functional collaboration across business units. It may also require coordination with other industry stakeholders to reach consensus interpretations as the industry begins to better understand the scope of the Rule.
Additionally, Data Providers will need to map the types of possible requests and determine the Covered Data that aligns with each product and service offering. If the Data Provider has several types of consumers using different products or services, a request from one type of Consumer may have a very different scope from another type of Consumer.
Finally, when a request is received, Data Providers will require a process to confirm the scope of requested data. Obtaining this confirmation from a Consumer may minimize data transferred to ATPs to only what is necessary (thereby mitigating potential cybersecurity and privacy risks) and confirm that Consumers understand and approve of what is being transferred.
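The three steps above (inventory and exceptions, product-specific scope, and confirmation of the request scope) can be expressed as a single release-decision check. The following is an added illustration, not code from the article or from any Data Provider's system; the data catalogue, product map, category names and request fields are assumptions constructed for the example, and it does not attempt to interpret which real data elements fall under which exception of the Rule.

```python
"""Scope a Covered Data request against an inventory, exceptions, and
product scope, and report over- and under-disclosure.  Illustrative only;
all categories, products and elements below are constructed examples."""
from dataclasses import dataclass, field

# Constructed inventory: element name -> (category, under_exception).
# "under_exception" marks elements the institution has decided fall under an
# exclusion (e.g. fraud-prevention data), so they must never be released.
INVENTORY = {
    "txn_history":       ("transaction", False),
    "current_balance":   ("balance", False),
    "fee_schedule":      ("terms", False),
    "next_bill_due":     ("upcoming_bill", False),
    "name_and_address":  ("verification", False),
    "fraud_risk_score":  ("fraud_prevention", True),   # excepted
    "internal_pricing":  ("confidential_commercial", True),  # excepted
}

# Constructed product map: which categories each product actually exposes.
PRODUCT_SCOPE = {
    "checking":    {"transaction", "balance", "terms", "verification"},
    "credit_card": {"transaction", "balance", "terms", "upcoming_bill", "verification"},
}

# Categories the Rule requires to be available for a product, as assumed here
# for the example; used to flag under-disclosure.
REQUIRED_FOR_PRODUCT = {
    "checking":    {"transaction", "balance", "terms"},
    "credit_card": {"transaction", "balance", "terms", "upcoming_bill"},
}


@dataclass
class ScopeDecision:
    release: set = field(default_factory=set)      # elements to return
    excepted: set = field(default_factory=set)     # requested but excluded
    out_of_scope: set = field(default_factory=set) # requested, not in product
    unconfirmed: set = field(default_factory=set)  # requested, consumer did not confirm
    missing: set = field(default_factory=set)      # required category with no element


def scope_request(product: str, requested: set, confirmed: set) -> ScopeDecision:
    """Decide which inventory elements may be released for a request.

    requested: categories the ATP asked for; confirmed: categories the
    Consumer confirmed.  Only the intersection of requested, confirmed,
    product-scoped and non-excepted data is released."""
    d = ScopeDecision()
    in_product = PRODUCT_SCOPE.get(product, set())
    d.out_of_scope = requested - in_product
    d.unconfirmed = (requested & in_product) - confirmed
    effective = requested & in_product & confirmed

    for name, (category, under_exception) in INVENTORY.items():
        if category not in effective:
            continue
        if under_exception:
            d.excepted.add(name)   # never released, even if asked for
        else:
            d.release.add(name)

    # Under-disclosure check: every required category for this product must
    # map to at least one releasable (non-excepted) element in the inventory.
    available = {cat for _, (cat, exc) in INVENTORY.items() if not exc}
    d.missing = REQUIRED_FOR_PRODUCT.get(product, set()) - available
    return d


if __name__ == "__main__":
    # An ATP over-requests (asks for fraud data and a category the product
    # lacks); the Consumer confirmed only transactions and balances.
    decision = scope_request(
        "checking",
        requested={"transaction", "balance", "fraud_prevention", "upcoming_bill"},
        confirmed={"transaction", "balance"},
    )
    print(decision)
```

The point of returning the diagnostics rather than silently filtering is recordkeeping: the `out_of_scope`, `unconfirmed` and `excepted` sets are what a Data Provider would log to show later that an over-broad request was narrowed and why, while a non-empty `missing` set flags an inventory gap before it becomes an under-disclosure.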
Data Accuracy, Related Recordkeeping, and Retention Challenges
Data Providers’ scoping and identification of Covered Data may have consequences for their existing data accuracy and retention practices. These challenges should be anticipated and addressed at the outset, both to mitigate internal risk and to ensure that vendors are contractually obligated accordingly.
Ensuring that accurate, up-to-date information is made available is a requirement under the Rule. Given the labyrinth of data sources scattered across any organization, it is critical for organizations to ensure that their data management practices are current. Organizations will need to (1) define relevant systems of record for purposes of the Rule, (2) consolidate and collate the identified records into a comprehensive, cohesive form, and (3) verify that the result is, and remains, accurate across all related data sources (including other data reported to the consumer and financial regulators). In addition to the retention requirements specified under the Rule, organizations will need to make sure that records are maintained evidencing the source systems and processes for ensuring accuracy. Data consolidation projects of this scope come with a significant risk of creating inaccurate or discrepant records, and organizations must ensure they have processes in place to manage those risks.
Inevitably, challenges will arise, particularly when working with information systems not necessarily designed to nimbly extract accurate subsets of data, and organizations should prepare to show their work and compliance efforts to protect against later scrutiny from regulators, class action litigants, and shareholders.
Cybersecurity Challenges Related to Authenticating Consumers and Authorized Third Parties
The requirement to authenticate a consumer’s identity before producing Covered Data to an ATP is fraught with risk considerations.
The Rule permits identity-verifying information to be provided through ATPs, and this magnifies the importance of good third-party risk management and of auditing ATPs’ compliance and security practices. Organizations may not be able to rely on traditional methods of detecting fraudulent account inquiries when an ATP stands between them and the Consumer. Organizations should consider what methods are available to detect unauthorized requests based on stolen (but real) credentials, particularly when presented by an ATP. ATP channels may also bring an increased prevalence of deepfake attacks and other technology-enhanced social engineering threats. Identifying the fakes will require Data Providers (and their vendors) to develop reliable solutions and technology enhancements that strike a balance between limiting the risk of fraud and limiting obstacles to consumer data access. These solutions may require a combination of industry consensus and dialogue with regulators.
Managing Uncertainty Regarding Authorized Third-Party Compliance Audits
Compliance with Authorization Procedures Described in the Rule
The Rule places the onus on Data Providers to confirm that an ATP has followed required Consumer authorization procedures before providing the requested Covered Data. The authorization requirements include:
- Providing the Consumer with an authorization disclosure that meets specific content requirements of the Rule; and
- The Consumer signing (electronically or in writing), the authorization disclosure.
Because the Rule does not provide details on how to conduct the authorization audit by a Data Provider of an ATP, there is a risk that Data Providers could invest in building a process that is later deemed insufficient or overly burdensome by regulators.
To develop a defensible authorization process, Data Providers should leverage existing processes for confirming a Consumer’s signature is valid – this can be through a third-party vendor or by directly verifying with the Consumer. They should also seek to confirm a vendor’s compliance with applicable law and obtain relevant contractual assurances regarding recordkeeping and other aspects of compliance by the vendor.
Denial Based on Information Security Practices
Notably, the Rule does not require a Data Provider to deny a Covered Data request if the ATP does not have adequate security procedures, but it does permit such denials. This creates several potential risks for Data Providers:
- Data Providers must balance obligations under the Rule with existing obligations from their prudential regulators with respect to third party data disclosure;
- Because the Rule does not provide details on security audits, Data Providers could create a process that is later deemed insufficient or overly burdensome; and
- Because the Rule does not require a contract between the Data Provider and the ATP, Data Providers may not be able to obtain appropriate contractual representations regarding the ATP’s security compliance.
To protect against these risks, Data Providers should leverage existing processes. For example, Data Providers should utilize the security questionnaires and document request processes they already apply to vendors that access sensitive consumer data. Likewise, records management systems used to record vendor audits may be used to document audits of ATPs submitting Covered Data requests. As always, careful records should be kept by the Data Provider, and relevant recordkeeping should be expressly covered in vendor agreements to demonstrate compliance.
Effect of the Change in Administration and Key Measures to Prepare for the Future of Open Banking
There is substantial uncertainty around the future of the Rule given the recent change of presidential administration. Importantly, the current Rule remains legally binding. Furthermore, there has long been bipartisan support for advancing the aims of Section 1033. Regardless of any potential changes to the administration of this Rule, Data Providers should be preparing for a world where a version of open banking regulation is the norm.
In sum, Data Providers can and should be taking practical steps to prepare and limit potential risk:
- Inventorying Covered Data and developing a consensus about exceptions;
- Ensuring accurate record management processes for verifying data accuracy;
- Proactively cooperating with industry groups and regulators to reach consensus interpretations and to cooperate around potential gaps in the Rule;
- Revisiting vendor diligence practices and procedures to ensure adequate protection against the potential technical and compliance pitfalls of vendor-managed solutions; and
- Carefully documenting compliance efforts to “show your work” in the event of a potential inquiry or dispute.
Reprinted with permission from the March 3, 2025 edition of the New York Law Journal © 2025 ALM Global Properties, LLC. All rights reserved. Further duplication without permission is prohibited, contact 877-256-2472 or asset-and-logo-licensing@alm.com.