The CFPB’s personal financial data-rights rule provides a legal framework to dramatically expand open banking in the United States and spur a host of innovative products. But first, the rule must survive a legal challenge.
Open banking has long been viewed as the next big innovation in payments in the United States. The technology, well-established outside the country, enables consumers to securely share personal financial data across accounts with third parties, such as fintechs and banks. Third parties can then use the data to offer personalized products that are meant to be more relevant to consumers and that generate new revenue streams.
The technology’s promise is intriguing, but until recently there were no formalized rules in the United States governing the gathering of consumer data through open banking, how to secure that data, and how the data can be used. That changed in October when the Consumer Financial Protection Bureau unveiled its personal financial data-rights rule. Now enshrined as Section 1033 of the Consumer Financial Protection Act of 2010, the rule governs the sharing of consumer data through open banking.
The new rule requires financial institutions, credit card issuers, and other financial providers to share data—with a consumer’s consent—through an application programming interface with third parties offering competing products.
The process allows consumers, through a single click within an app, to authorize third-party access to such data as transaction information, account balances, information needed to initiate payments, upcoming bill payments, and basic account-verification data. Financial-service providers are not allowed to charge consumers for sharing their financial data with third parties.
The advantage of enabling access to consumer data through an API is that it reduces the need to write new programming code to enable the task, says Booshan Rengachari, chief executive and founder of Finzly, a fintech specializing in payment apps.
The CFPB’s rule also gives consumers control over what data can be shared, with whom it can be shared, and for what purpose that data can be used. In addition, the rule gives consumers control over data retention by third parties. Once the intended use of the data has been fulfilled, consumers can stipulate it be deleted by the third party.
In essence, what the CFPB’s rule does is transfer control over a consumer’s financial data to the consumer from the financial institution that holds the data. By empowering consumers to grant permission to share their financial data with a third party, the CFPB is betting consumers can more easily compare and switch to financial-services providers offering better rates, products, and services.
“Prior to the CFPB’s rule, consumer data in the banking ecosystem existed inside a walled garden within the financial institution that held it,” says Skyler Nesheim, chief technology officer for Dwolla Inc., a fintech specializing in account-to-account payments. “Open banking is about giving consumers more control over their data. The CFPB rule does that and gives consumers choice over with whom they share that data, which frees up use cases for the data that might otherwise have been shut down.”
Compliance with the rule will be implemented in phases, with the largest financial institutions required to comply by April 1, 2026, while the smallest financial institutions have until April 1, 2030. Financial institutions with assets of $850 million or less are exempt from the rule.
According to payments experts, use cases the data-privacy rule can help facilitate include pay-by-bank payments, improved product recommendations, and personalized product offers. In the case of offers, a third party or bank, for example, can send a consumer a promotion to bundle depository accounts with it in exchange for a low interest rate on a loan or credit card or a higher rate on a savings account.
“The CFPB rule will allow consumer data to be used to develop and offer consumers more targeted products that can attract new customers or expand existing relationships,” because the third party can make more informed decisions based on a consumer’s data, says Dinesh Krishnan, co-founder and chief executive of banking-software provider Zafin. “This will be a game changer.”
Pay by Bank
One of the most promising benefits of the CFPB’s rule is that it will help clear a path for pay-by-bank transactions and provide merchants a lower-cost alternative payment option to credit and debit cards.
Pay by bank is likely to be a lower-cost alternative to credit and debit cards, as it eliminates swipe fees, which are typically 2% to 4% of the transaction, merchant advocates say. In comparison, fees for pay-by-bank transactions, if they are charged, can be substantially lower.
“Pay-by-bank is free from fees unless banks decide to charge for app use, or an app charges a fee, either on a subscription or on a per-transaction basis,” says Stephanie A. Martz, chief administrative officer and general counsel for the National Retail Federation. “Retailers need to pay close attention to developments with open banking and the potential it offers as an alternative to the costly way payments are currently processed.”
The CFPB’s data-privacy rule is an important step toward making pay by bank more common at checkout, Martz adds.
Currently, the odds favor banks levying a merchant fee for pay-by-bank transactions that is lower than card-swipe fees because pay by bank represents a new revenue stream for them, says Finzly’s Rengachari.
“Pay by bank is a moneymaking opportunity for banks that may cut into Visa and Mastercard volume,” Rengachari says. “Some merchants surcharge [consumers] on card-based transactions, and banks can price pay-by-bank transactions to be a lower cost payment option for which merchants don’t surcharge [which benefits the customer].”
While pay by bank poses a potential threat to the transaction volumes at Visa Inc. and Mastercard Inc., the networks are mounting their own open-banking strategies.
In October, Mastercard introduced Connect Plus, a portal that gives consumers control over where, how, and with whom their financial data is shared. Using a secure Web application, consumers can search for and link their bank accounts, view which third parties have consent to access their data, and grant and revoke consent in real time. Consumers are also notified when a third party’s permission to access account data is expiring or needs additional attention. Mastercard plans to begin rolling out Connect Plus next year.
One trend fueling Mastercard’s push into open banking is that consumers are already linking their financial accounts. A recent Mastercard survey revealed that 76% of respondents globally connect their accounts. Of those respondents, 93% agreed that having control over how their financial data is used is of “paramount” importance, Mastercard says.
“Transparency is the key ingredient to instilling trust in the digital economy,” Jess Turner, executive vice president and global head of open banking and API for Mastercard, said in a statement at the time. “When individuals and small businesses have agency over their financial data—who has it, where it’s going, and how it’s being used—they can make informed decisions, access better opportunities, and have more confidence that their financial data is just that—theirs.”
Impacting Cards
One of the engines behind Mastercard’s open-banking strategy is Finicity Corp., which the card company paid $825 million to acquire in 2020. At the time, the deal was seen as a way for Mastercard to bring its European-based open-banking initiatives to the U.S.
The deal was also viewed as a counterweight to Visa Inc.’s proposed acquisition of data aggregator Plaid Inc. earlier that year. That deal was scrubbed when the U.S. Department of Justice expressed concerns Visa could use Plaid’s banking links to establish control over the U.S. debit business, an allegation Visa disputed.
Five months later, Visa paid $2.15 billion to acquire Tink AB, a Stockholm-based company whose network connects to 3,400 financial institutions throughout Europe. The deal opened the door for Visa to begin participating in open-banking ventures in Europe. In the European Union, banks are required by law to allow customers to provide registered third-party financial service providers access to their financial data.
Now that the CFPB has unveiled its data-privacy rule, open banking is very much on Visa’s radar in the United States. When asked about the potential impact of the CFPB’s rule on Visa’s business during the company’s fiscal 2024 earnings call in October, Visa chief executive Ryan McInerney said the company expects pay-by-bank payments to proliferate as a result, and that there is a lot of “value” Visa can add to those transactions. McInerney did not elaborate.
While many payments experts agree that open banking will help spread pay by bank to the point of sale, they caution the trend won’t immediately take hold. “Pay by bank will impact card transactions, but it will have to evolve over time before it does so,” says Dennis Irwin, chief compliance officer for Alkami Technology Inc., a provider of digital-banking solutions.
Nevertheless, Visa and Mastercard are well-positioned to play in open banking, as the access to consumer data the technology provides will enhance cardholder data the networks already gather and use for product development, Irwin adds.
Aside from paving the way for pay by bank to grow in the U.S., the other key element of the CFPB’s data-privacy rule is that it steers third parties and data aggregators away from screen scraping to gather consumer financial data.
Screen scraping is a technique in which third parties seek to verify accounts by copying data displayed on a screen after gaining account access. The CFPB characterizes the practice as “risky,” as it typically involves consumers providing account passwords to third parties, which then use them to access data through online banking portals.
Not having to request a consumer’s user name and password to access data not only greatly enhances data security, it ensures the gathering of the most up-to-date data, says Oz Olivo, vice president of product management for Inrupt Inc., a provider of applications that enhance users’ control over their data.
“With screen scraping, you can get a lot of outdated information,” Olivo says.
‘A Lot of Triage’
No sooner had the CFPB released its data-privacy standard than it came under legal attack by the banking industry. The lawsuit, brought by the Bank Policy Institute and the Kentucky Bankers Association, alleges the CFPB overstepped its bounds by issuing a rule that fails to properly safeguard consumer accounts and financial data accessed by third parties, such as fintechs and data aggregators, and puts at risk the infrastructure banks have built to support open banking.
The plaintiffs remain mum about the lawsuit, and expectations are that, while it will muddy the waters for open banking in the U.S. somewhat, it will not derail the open-banking train. Indeed, when the European Union launched its open-banking initiative, lawsuits were filed challenging it, says Inrupt’s Olivo. Objections were eventually overcome through negotiations with dissenting parties and a fine-tuning of the law, he adds.
“There is always a lot of triage and negotiations that result when a law like the CFPB’s rule passes, so it is not surprising a lawsuit has been filed,” Olivo says. “But the benefit of the CFPB’s rule is that it gives consumers the right to control their data and creates a one-stop shop for them to manage their data.”
Even with a lawsuit hanging over the future of the CFPB’s rule, fintechs and banks should begin preparing for compliance, some observers advise. “There is still plenty of work to be done when it comes to compliance, even with the uncertainty over the CFPB’s rule created by the lawsuit,” says Fiserv’s Ford. “You don’t want to be kicking the can down the road.”