CFPB Fires the Starting Gun on a New Phase of Open Banking in the US
The CFPB’s publication of the finalized text for the Personal Financial Data Rights rule will set in train a series of activities that will re-shape the open banking landscape in the US and open the door to a wave of product development opportunities for financial institutions.
The forthcoming rule, which will implement Section 1033 of the Dodd-Frank Act of 2010, will create a common framework for open banking that will apply almost universally across the market. Banks, credit unions, credit card issuers, and digital wallet providers will all be required to share information about transactions, balances, and product features, at no charge, with the third parties that customers want them to share it with.
While the US already has arguably the most sophisticated consumer permissioned data sharing ecosystem in the world, this will bring considerable change to the market. Aggregators and third parties will have access to a common set of data fields from a broad range of data providers covering all consumers, which will support further product development and innovation using these inputs. The ability to offer access to data on products held at all institutions will enable greatly enhanced offerings across everything from account aggregation to credit and risk analysis.
The same is true for banks, many of which are already exploring how to take advantage of open banking to enhance their own products and services. The ability to consume data from other banks, card issuers, digital wallet providers (such as PayPal, Apple, and Google), and payment apps (a new addition to the draft text published earlier in the year) is a huge opportunity for the industry and one that should support a range of new approaches to delivering deeper engagement, customer retention, and internal efficiency gains (in areas such as payments, customer onboarding, and credit risk).
Indeed, one of the biggest lessons from the development of open banking elsewhere is that the opportunities for incumbent players are arguably greater than for fintechs and challengers. There is no reason to assume that the implementation of Section 1033 will be any different. There is also a commercial dimension. To simply recover the costs of compliance, banks will need to find ways to deliver process efficiencies and/or new revenue-generating services using open banking.
The compliance countdown begins
The finalization of the rule will begin a new compliance push across the industry. Another surprise in the final text is that the implementation timeframes are more generous than was suggested in the previous draft. Banks with assets of $250bn+ have a little over 18 months from now to prepare for the April 1, 2026 compliance date. The timelines for each subsequent tier will follow on a staged basis, each one year after the previous one, with the smallest institutions due to be compliant by April 1, 2030. That said, there is nothing to prevent banks from moving sooner, and many large institutions will already have much of what they need in place, especially if (as seems likely) FDX emerges as the approved standards body. Once compliance is in place, the attention in the market will quickly shift to developing (or acquiring) the capabilities to support the use of open banking-derived information for product improvement and innovation.
Implementation challenges ahead
Despite the opportunities the new rule represents, there are some areas that will create challenges for the industry. The first is the requirement to renew the customer consent for data access on an annual basis. While the intent behind this is rational (in protecting customer data and reinforcing the principle of data minimization), it will become a point of potential friction and service interruption in the future.
Also worth flagging is that important issues around liability risks for banks have been left unresolved. The potential legal claims for cases of downstream data breaches, fraud, or misuse when data is shared with third parties are top of mind for many institutions, and the issue has already led one industry group to announce a legal challenge to the CFPB as a result.
This is a matter that will require careful handling, not least because any issues over data security could have a material impact on customer trust in open banking. The CFPB has acknowledged these concerns, but notes that it does not see this as a material issue. This is a clear difference from the experience in most other jurisdictions, in which a central registry of third parties and some form of trust framework has been put in place to reduce these risks. For banks, the challenges of third-party risk management will need to be considered carefully, and they are likely to create opportunities for aggregators or other infrastructure providers to address.
In addition, there is work to be done to flesh out the consent management process. In other markets, having a common user experience for these flows has been an advantage in driving up adoption, and may be something the industry looks to deliver in the US. Furthermore, where customers decide to change or remove their authorization for a third party to access data on their behalf, the mechanism for this will also need to be shaped.
The time to innovate starts now
While these are important challenges to be overcome, they are substantially outweighed by the potential commercial benefits for banks. Indeed, while the formal timeline for implementing these changes stretches out from 2026 to 2030, there is nothing to prevent any institution from moving more quickly and starting to deliver value to customers. Regardless of when banks decide to begin this process, Celent would advise all institutions to look beyond the compliance requirements here and consider the ways that open banking data can support a range of improvements to their products and propositions. There will be winners and losers in this space, and investing strategically will give the greatest chance of success.