US banks beg for an extension on the CFPB’s open banking rollout

The news: Major banking associations are asking for more time to comply with the Consumer Financial Protection Bureau’s (CFPB's) new rules around financial institutions (FIs) handling and sharing consumer financial data.

• Section 1033 of the Dodd-Frank Act mandates that consumers have the right to access and share their financial data. Officially dubbed the Personal Financial Data Rights rule when rolled out last October, it’s better known as the open banking rule.
• Open banking will change how consumers access their financial data and what they might use it for. It’s also trying to promote transparency and spur innovation in financial services.

In effect, open banking opens consumer data up to an ecosystem of fintechs and nonfinancial companies.

What’s the impact? According to CCG Catalyst’s Banking Stability and Innovation Study 2023, only 17% of US bank executives surveyed are committed to providing open data access to third parties. Compliance requires them to go beyond making data available to consumers and third parties—they also have to standardize how that data is formatted.

If the CFPB’s rule goes into effect as written, it will

• Enforce open banking for checking, savings, and credit card accounts, prepaid cards, and digital wallets
• Require application programming interfaces (APIs) and a developer interface
• Effectively ban screen scraping and credential sharing
• Clarify the data that a bank must make available

What’s the current deadline? Section 1033 is still a work in progress, but the CFPB is supposed to finalize it in the fall of 2024. After that, the regulator will lay out a timeline for compliance that’s tiered according to FIs’ assets or revenue, ranging from six months to four years.

Is that realistic? Banking trade groups don’t think so. They’re worried that rushing implementation could lead to disruptions in customer service and increased risks to data security.

In a joint letter to the CFPB, the Bank Policy Institute, the Clearing House Association, the Consumer Bankers Association, and the American Bankers Association asked for a two-year extension for the first batch of banks required to comply.

• They argue that FIs need more time to create new systems and processes, as well as for the CFPB to recognize a standard-setting organization to ensure consistency and interoperability.
• They say even sophisticated data providers will need at least two years to update public-facing websites, generate performance metrics, and ensure data is provided in standardized formats.
• Banks will also need to be able to support required data elements that aren’t already shared, such as bill payment data and certain terms and conditions.

There’s no escaping the need for infrastructure modernization: “Can I get my tech stack to handle this?” is the biggest question for many FIs, regardless of what timeline the industry groups manage to attain.

• Achieving compliance with Section 1033 goes beyond a technical challenge—it’s a fundamental transformation of how FIs handle and share financial data.
• Many banks are likely looking at expensive and time-consuming system upgrades to meet the required API performance standards and develop new functionality.

FIs that haven’t implemented open banking APIs and developer centers need to ask how they will comply, who they’ll work with, and what it will cost them.