.svg)
On October 22, 2024, the US Consumer Financial Protection Bureau (CFPB) finalised its framework for open banking, known as the Personal Financial Data Rights rule, with firms coming into scope from 2026.
It ensures that consumers will be able to access and share data associated with bank accounts, credit cards, mobile wallets, payment apps and other financial products, and aims to address market concentration that limits consumer choice over financial products and services.
Via the new framework, US consumers will be able to access or authorise a third party to access data such as transaction information, account balance information, information needed to initiate payments, upcoming bill information and basic account verification information.
Financial providers are obligated to make this information available without charging fees, in a similar model to those in use in jurisdictions such as the UK and EU.
Financial firms will be required to comply based on their size. The largest institutions will have to comply by April 1, 2026, while the smallest covered institutions have until April 1, 2030.
Certain small banks and credit unions, meanwhile, are completely exempt from the rule.
The bigger picture
The new rule is expected to drive competition and increase consumer mobility across the US banking, payments and credit markets.
It obligates banks, credit card issuers and other financial institutions to enable consumers to access and transfer their personal financial data to competing providers at no cost, empowering consumers to more easily switch financial institutions.
This activates Section 1033 of the Consumer Financial Protection Act, a provision that has remained dormant since the act was passed in 2010, and financial institutions will have to prepare for greater transparency and flexibility in handling consumer data.
The rule is intended to ensure a number of outcomes:
- Easier switching: The CFPB says that new rules will enable consumers to “fire fintechs and banks that provide lousy service”, and under the new rule, consumers can easily transfer their financial data to another institution if dissatisfied with the service they receive. This eliminates many of the friction points that have historically made switching providers difficult, as consumers will no longer be locked into services due to high switching costs.
- Competitive pressure on rates and credit products: Consumers will be empowered to shop around for the best offers, such as higher interest rates on deposits or lower loan rates, without the administrative hurdles that previously slowed down switching. Additionally, by leveraging data from other financial institutions, lenders will have new opportunities to extend credit to customers, including those with limited credit histories or younger demographics, allowing for more personalised and competitive lending options.
- More secure payments: The rule also paves the way for enhanced payment methods such as “pay-by-bank”, which allows consumers to securely share payments information directly with providers, reducing reliance on traditional card networks. This represents an opportunity for fintech players to develop alternative payment products.
According to the CFPB, the final rule also helps move the industry away from screen scraping, which the regulator describes as “a still common, but risky, practice”. Screen scraping typically involves consumers providing their account passwords to third parties, which use them to access data indiscriminately through online banking portals.
The rule is also intended to enhance consumer rights by:
- Banning unauthorised data harvesting: Third parties will be able to collect, use or retain data only to deliver the product the consumer requested, and cannot secretly collect, use or retain consumers’ data for their own unrelated business reasons — for example, to offer consumers loans using data that they also use for targeted advertising. The rule does not prohibit any particular uses of data, but it requires that all use be driven by what is necessary to deliver the product sought by the consumer.
- Revocation and deletion rights: When an individual revokes access, the rule requires that data access end immediately, and deletion would be the default practice. Access can be maintained for no more than one year without express reauthorisation, and to prevent “dark patterns,” where consumers are misled into making decisions against their best interests, the CFPB mandates that revoking access must be simple and straightforward.
Why should you care?
The rule has plenty of implications for the US payments ecosystem and beyond, and it is clear the CFPB wants to align with other jurisdictions.
This is also a priority for organisations other than the CFPB. For example, Nellie Liang, under secretary for domestic finance at the US Treasury, called for a regulatory reboot for payments in a recent speech, where she noted that regulation was unhelpful to modern methods and emerging technologies, as it can stifle innovation.
The US falls behind its counterparts here, especially when the progress in payments and banking modernisation made by the UK, EU, Brazil, Singapore and India is taken into account.
The new rule means that fintechs in the US will have the opportunity to innovate in the payment space, developing new services that bypass traditional card networks. This could lead to lower transaction costs and faster, more secure payment methods, providing an edge over traditional banking services offerings to consumers and merchants.
The new rule could also increase competitive pressure on rates and credit products, and at some point during the timeline, banks will be in scope of more stringent data accessibility obligations.
This will put them under pressure to adjust deposit rates and loan terms, which could strain profit margins.
Fintechs will also benefit from access to consumer data from banks, enabling them to create more tailored and competitive financial products, particularly for underserved populations.
This could encourage growth in personal loans, mortgages and alternative credit products.
Traditional card networks also risk losing market share, as the rule supports direct payment solutions such as pay-by-bank. Banks will need to adapt, potentially collaborating with fintechs or creating their own solutions to remain competitive in the evolving payment landscape.
Fintechs also have an opportunity to innovate by developing alternative payment services that bypass traditional card networks, potentially offering lower transaction costs and more secure, faster payments.
All this gives fintechs a competitive advantage that US financial regulation has not offered before. It is perhaps unsurprising that the first lawsuit has already been filed, accusing the CFPB of putting customer safety and bank security at risk.
But, fintechs should take heed. They may have been enabled by the regulators, but open banking has hardly been a run-away success in the EU and the UK.
Friction between the banks and fintechs has meant poor access via application programme interfaces (APIs), and consumers have not rushed towards disruptive payment methods.
Europe still loves cards, and although pay-by-bank has taken off in specific use cases, such as in the UK with paying taxes, that success has not been wholesale. In addition, a lack of effective industry standards and a stalling from regulators on what should happen next have got in the way of more opportunities.
