Areas of Consensus and Controversy
There are areas of consensus in the final rules that should be celebrated, including requirements for clear and meaningful consumer disclosures and robust data security requirements for all parties handling sensitive financial data. However, controversies persist regarding many policy choices in the final rules. For example, the rules only subject certain financial products to disclosure, including credit cards and deposit accounts, while excluding a host of other financial products, including mortgages, auto loans, and investments. The rules also place significant restrictions on third parties receiving data by requiring that all use and retention be limited to what is “reasonably necessary” to deliver a consumer’s requested product or service—an amorphous standard that could be read to restrict innovative secondary uses. And while screen scraping is viewed critically as a risky and outdated practice, it remains permissible under the rules, placing the burden of managing its consequences on data providers. There are also strategic and technical decisions data providers and third parties must make, from API design to bilateral agreements that properly allocate liability for errors, fraud and data breaches, and risk management protocols. Banks may experience an influx of requests for data from authorized third parties, and their third-party risk management practices will need to adapt to assess the unique risks presented by these third parties.
The CFPB’s final rules also rely on “recognized standard setters” to develop “consensus standards” for data formats and access protocols, which are intended to promote interoperability, making it easy for a third party to obtain and digest similar data from multiple data providers. However, the coexistence of multiple data formatting standards (and proprietary formats from data aggregators) complicates this effort to achieve seamless interoperability.
Lastly, the integration of payment initiation data, such as bank account numbers and routing numbers used for ACH transactions, into open banking frameworks introduces opportunities for “pay by bank” services to challenge existing card networks. But these advancements also raise fraud concerns, requiring innovative solutions such as tokenized account numbers (“TANs”) to enhance security.
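To make the TAN idea concrete, here is an added illustrative example in Python; it is not code from the article, nor from any bank, card network or standard setter, and the class names, token format and the choice to bind each token to one authorized third party and an expiry are assumptions for illustration. The sample account and routing numbers are constructed. It shows why a tokenized number limits fraud exposure: a random token stored in the data provider's vault stands in for the real account and routing number, can be redeemed only by the party it was issued to, and can be expired or revoked without touching the underlying account.

```python
# Added illustrative example, not code from the article or from any bank,
# network or standard setter. Names, token format and the binding rules
# are assumptions; the account and routing numbers are constructed.
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class TanRecord:
    account_number: str   # real account number, released only to the bound party
    routing_number: str
    bound_to: str         # identifier of the third party allowed to redeem
    expires_at: float     # Unix time after which the token is dead
    revoked: bool = False


class TanVault:
    """In-memory stand-in for a data provider's tokenization vault."""

    def __init__(self) -> None:
        self._store: Dict[str, TanRecord] = {}

    def issue(self, account_number: str, routing_number: str,
              third_party_id: str, ttl_seconds: int = 30 * 24 * 3600,
              now: Optional[float] = None) -> str:
        # The token is random, not derived from the account number, so it
        # reveals nothing about the underlying account if it leaks.
        now = time.time() if now is None else now
        token = "TAN" + secrets.token_hex(8)
        self._store[token] = TanRecord(account_number, routing_number,
                                       third_party_id, now + ttl_seconds)
        return token

    def redeem(self, token: str, third_party_id: str,
               now: Optional[float] = None) -> Optional[Tuple[str, str]]:
        """Return (account, routing) only to the party the token is bound to."""
        now = time.time() if now is None else now
        rec = self._store.get(token)
        if rec is None or rec.revoked or now >= rec.expires_at:
            return None
        # Constant-time comparison so a presenter cannot probe the binding.
        if not hmac.compare_digest(rec.bound_to.encode(), third_party_id.encode()):
            return None
        return rec.account_number, rec.routing_number

    def revoke(self, token: str) -> bool:
        """Kill a token (e.g. on a reported breach) without changing the account."""
        rec = self._store.get(token)
        if rec is None:
            return False
        rec.revoked = True
        return True


def demo() -> Dict[str, object]:
    """Walk through the token lifecycle on constructed sample data."""
    vault = TanVault()
    account, routing = "987654321000", "123456789"   # constructed, not real
    t0 = 1_700_000_000.0
    token = vault.issue(account, routing, "fintech-A", ttl_seconds=3600, now=t0)
    results: Dict[str, object] = {
        "token_hides_account": account not in token,
        "bound_party_ok": vault.redeem(token, "fintech-A", now=t0 + 60),
        "other_party_blocked": vault.redeem(token, "fintech-B", now=t0 + 60),
        "expired_blocked": vault.redeem(token, "fintech-A", now=t0 + 7200),
    }
    vault.revoke(token)
    results["revoked_blocked"] = vault.redeem(token, "fintech-A", now=t0 + 60)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design point is that a TAN stolen from one fintech is worthless to anyone else, and that the data provider, not the merchant, decides when a token stops working; a production vault would also persist records, log every redemption, and rate-limit redemption attempts.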
The Path Forward
Challenges lie ahead for the sound regulation of open banking in the US. On the day the rule was finalized, a national banking trade association filed suit seeking to block it from taking effect, and shifts in the CFPB’s leadership and regulatory priorities could lead the agency to amend the final rules in the near term. Notwithstanding these regulatory controversies and headwinds, demand for consumer-authorized data sharing is expected to keep growing, driven by market forces and consumer expectations of greater control over their financial data.
Data providers will need to identify and document the “covered data” in their control or possession that is subject to disclosure, design compliant APIs, and establish robust third-party risk management protocols. Third parties accessing data, including fintechs and data aggregators, must evaluate their compliance strategies, consumer-facing experiences, and approaches to managing data use and retention. Questions around liability for errors, means of achieving accuracy and interoperability, and minimum contractual terms for third party access remain critical.
This is a transformative moment for open banking and the consumer financial services industry more broadly. Banks, fintechs, standard-setting organizations, and regulators are being pushed to work together in new ways. Now it is incumbent upon them to find common ground to support innovation, manage the operational and regulatory risks presented, and deliver real value to consumers.