The goal of the Consumer Financial Protection Bureau's final rule on data sharing, announced on Tuesday (October 22), is to foster competition and, in turn, innovation in financial services.
But a closer reading of the regulation itself reveals that for banks, compliance involves some difficult technical and operational tasks, as well as liability risks. This difficult work will be carried out over an implementation schedule that will take several years.
This is a work in progress that promises to reshape the interaction between banks, fintechs and consumers, and like all works in progress, there may be many things that need to be resolved along the way.
This rule paves the way for further adoption of open banking in the US, and it has been expanded to include payment apps. Enforcement of Section 1033 of the Dodd-Frank Act focuses on data sharing: specifically, consumer-authorized data that banks must share with consumers themselves and authorized third parties.
High-level pursuit
Data sharing mechanisms include implementing APIs, and “developer interfaces must be able to make use of the covered data in a standardized, machine-readable format.” It also stipulates that “the format must meet this requirement, [including] by conforming to consensus standards.”
The process of setting standards, and of determining who sets them among banks, third parties and consumer organizations, is still ongoing. (The current document does not include a final date.)
Covered data includes transaction-level account details and balances. The data remains portable for consumers, who own the information and can take it with them when transferring their business from one provider to another. The same level of detailed data must serve as the basis for financial institutions and others to personalize products and services, especially in credit, account-to-account payments, and other services.
The final rule requires consumers to be aware of the data that must be shared and the scope of ownership of that data. PYMNTS Intelligence found that 46% of consumers are “very willing” to use open banking payments for at least one product or service. According to the same study, only 11% did so. It therefore follows that increased awareness will lead to increased acceptance of open banking.
Timeline
As is common in the rule-making process, rules become official after 60 days.
For banks, compliance timelines are staggered. The 594-page notice of final rulemaking states that for data providers, including depository financial institutions (credit unions among them), compliance will begin on April 1 of 2026, 2027, 2028, 2029 or 2030. Providers also include non-depository institutions that hold or issue credit cards and similar types of accounts.
The largest institutions, with at least $250 billion in assets, should follow the earliest schedule. The second tier applies to companies with assets between $10 billion and $250 billion. The third tier is for companies with total assets between $3 billion and $10 billion. The fourth tier is for companies with total assets of $1.5 billion to $3 billion. The final tier is for companies with total assets of more than $850 million up to $1.5 billion.
“The compliance period for each tier in the final rule will ensure that data providers of different sizes and resources have adequate time to comply,” according to the final rulemaking notice. “Data providers that are most likely to rely on core providers and other third parties are divided into additional tiers that are smaller and easier to manage. … [The final tiers] constitute the smallest custodian data providers by asset size, and the entities most likely to rely on core processors or other third parties to assist with compliance can learn from the experience of the largest data providers previously required to comply. The transition will be smoother than it would otherwise be.”
Technical and liability concerns
The wording of this rule hints at some concerns and, for lack of a better term, wrinkles that need to be addressed. Despite the benefits for consumers and forward-thinking providers, much needs to happen behind the scenes for open banking to become a full-fledged reality.
Banks have timelines, but the same is not (perhaps not yet) true for the third parties they connect with as consumers permission their data.
“The final rule does not establish an explicit compliance deadline for third parties because it is unnecessary,” the notice of final rulemaking states. “CFPB is providing additional time to the largest data providers to comply. This gives third parties and aggregators additional time to prepare rule implementations. Additionally, moving the marketplace away from screen scraping will further incentivize third parties and aggregators to meet the requirements to request appropriate access under the terms of the rules.”
PYMNTS Intelligence found that 57% of U.S. consumers trust their bank's open banking services. These same consumers still have concerns about the security of their data. Data security may be less defined than some would expect, given that data standards are still being developed, third parties are not governed by strict timelines, and the responsibilities of banks have yet to be fully established in the event those third parties are compromised.
In the final rulemaking notice, the CFPB stated that during the comment period, “many data providers have expressed concern that … data providers may unduly assume the burden of managing liability risks posed by non-depository third parties that are not subject to similar regulatory oversight. Commenters stated that the proposal does not take into account the potential for data providers to be exposed to liability-related costs, that third parties have an incentive to manage liability, or that liability is directly caused by third parties. It argued that it had not demonstrated the ability to cover losses and had not guaranteed it.”
Other data providers (banks) have expressed concern that they may not be able to recover losses associated with those third parties or have certain fraud protection measures in place on payment transactions by their banks.
“The CFPB has determined that the requirements of EFTA and Regulation E or TILA and Regulation Z do not make it appropriate for this rule to impose a blanket approach to allocating liability among commercial entities or safe harbors,” the final rulemaking notice states. “… To the extent that there are complex factual or legal questions about the liability of data providers that directly contributed to consumer harm, commenters did not identify specific scenarios, and the CFPB does not think it is appropriate to address data provider liability in this final rule.”
Banks and credit unions began voicing concerns Tuesday. The Bank Policy Research Institute pointed out the possibility that data may be shared without appropriate safeguards in place. Separately, the Defense Credit Union Council said credit unions will be sharing data that may expose them to legal troubles related to the handling of that data by third parties. The end result would be “complex administrative and financial burdens.”

