In October 2023, the Consumer Financial Protection Bureau (CFPB) proposed a new rule to facilitate “open banking” by requiring banks and other financial institutions to establish and maintain online “interface” portals to allow consumers, “authorized third parties” and “data aggregators” to access consumer account information.1 Although CFPB Director Rohit Chopra has indicated that the rule could help small banks “steal the lunch” of larger competitors,2 those small banks will have to persevere through the rule’s significant threshold costs and burdens before getting a chance to commandeer anyone else’s lunch — or otherwise gaining a competitive advantage. Purpose of Rule The CFPB intends that the rule will streamline consumer access and use of account data, allow consumers to compare terms of accounts between providers and use that information to choose the best service providers. The rule intends to allow consumers to share their account information with third parties on secure systems without sharing consumer account credentials, and it effectively prohibits banks from allowing “screen scraping” on the interfaces by disallowing third-party use of consumer credentials for access.3 Online Interfaces The rule will require each covered bank to establish and maintain a “consumer interface” (for customers) and a “developer interface” (for authorized third parties and data aggregators) that allow users to access certain account-related data online upon request in a standardized digital format set by the rule. The rule requires various authentication and cybersecurity protections to be utilized in connection with the interfaces. Developer interfaces must meet specified access and response rate requirements. Fee Prohibition The proposed rule will create significant costs for most banks to establish the IT systems and protections and compliance structures mandated by the rule. Despite these costs and the risks banks will incur in providing and maintaining the required interface portals, the CFPB rule prohibits banks (and other covered providers) from charging any fee to consumers, third parties or data aggregators for use of the portals to recoup IT costs and defray cost of related risks.4 Scope of Rule The rule is applicable to essentially all banks5 — exempting only banks that do not offer basic online bank deposit account services (i.e., a consumer interface). So, even most of the smallest banks in the U.S. will be required to implement the sophisticated online interface portals required, related cybersecurity protection systems and related legal, regulatory, risk management and corporate governance policies and procedures. Those banks will have to maintain and update those portals, systems, policies and procedures each year — all to the same extent as the biggest Wall Street banks, which already have a predictably big head start. Types of Accounts Covered Initially, the rule will only apply to Regulation E accounts (e.g., bank deposit accounts), credit card accounts governed by Regulation Z and facilitation of payment from those accounts. So, for example, the rule as proposed does not cover home loans or car loans. However, the CFPB has clearly indicated that it will consider expanding the rule’s scope after its initial rollout. Types of Data Covered The interfaces must provide access to a litany of specified, current account information upon request, including account balances, transaction information, terms and conditions of the account, information to initiate payments, upcoming billing information, account verification information, etc. The information must be provided in the required electronic form. Access and Authentication Requirements Before allowing access to account information via an interface, the rule requires banks to authenticate the identity of consumers, third parties and data aggregators and also to verify the authorization of COMMUNITY BANK IMPACT OF CFPB “OPEN BANKING” PROPOSED RULE By Gregory D. Omer, Armstrong Teasdale, LLP 32 | The Show-Me Banker Magazine
RkJQdWJsaXNoZXIy MTg3NDExNQ==