Regulatory News

CFPB finalizes open banking rule, compliance begins April 2026

The Consumer Financial Protection Bureau finalized its open banking rule, also known as the Personal Financial Data Rights Rule, to give consumers greater rights, privacy, and security over their personal financial data. The largest institutions will have to comply by April 01, 2026 and the smallest covered institutions will have until April 01, 2030, while certain small banks and credit unions are not subject to this rule.

The rule requires financial institutions, credit card issuers, and certain other financial institutions to unlock an individual’s personal financial data and transfer it to another provider at the consumer’s request for free. With this, consumers will be able to access, or authorize a third party to access, data such as transaction information, account balance information, information needed to initiate payments, upcoming bill information, and basic account verification information. Thus, the rule is expected to help lower prices on loans by empowering consumers to more easily switch to providers with superior rates and services. The rule also establishes strong privacy protections, ensuring that third parties cannot use consumer data for other purposes that benefit the third party, and it helps move the industry away from “screen scraping.” Screen scraping is a still-common but risky practice that typically involves consumers providing their account passwords to third parties, which then use those credentials to access data indiscriminately through online banking portals.

This is the first significant rule from the CFPB to accelerate responsible open banking in the US, though the CFPB will be developing additional rules to address more products, services, and use cases. Under this rule, the size of the covered entity determines when it must comply with the new regulations:

  • Depository institutions with at least USD 250 billion in assets and non-depository institutions with at least USD 10 billion in revenue must comply by April 01, 2026.

  • Depository institutions with between USD 10 billion and USD 250 billion in assets, along with the remaining non-depository institutions, must comply by April 01, 2027.

  • Depository institutions with between USD 3 billion and USD 10 billion in assets and between USD 1.5 billion and USD 3 billion in assets must comply by April 01, 2028 and April 01, 2029, respectively.

  • The rest of the covered depository institutions must comply by April 01, 2030.

The rule has garnered a mixed response from market participants and became mired in controversy soon after its issuance. Certain market participants have legally challenged the rule and are seeking to halt it, while the fintech industry is not positive about the restrictions on secondary use of consumer data. Yet certain other market entities are applauding this initiative.

 
