The Consumer Financial Protection Bureau (CFPB) issued its final "open banking" rule under Section 1033 of the Consumer Financial Protection Act, designed to increase consumer control over personal financial data and boost competition in financial services.
The rule requires financial institutions and credit card issuers to allow consumers to transfer their data securely and free of charge, making it easier to explore new financial services and potentially lower loan costs.
“A company that ingests a consumer's data can use the data to provide the product or service the consumer asked for, but not for unrelated purposes.” noted CFPB Director Rohit Chopra.
The rule also allows consumers to revoke data access immediately and mandates standardized data formats to promote consistency across providers.
Banking industry groups, including the Bank Policy Institute and the Kentucky Bankers Association, filed a lawsuit on October 22, arguing that the CFPB overstepped its authority and exposed consumer data to fraud risks. The complaint highlights issues with screen scraping and a perceived lack of oversight for third-party data practices.
The CFPB included a phased compliance timeline, requiring large fintech companies to comply by April 2026, while smaller firms have until April 2030. Institutions with assets under $850 million are exempt, giving smaller banks some flexibility. Third-party providers are prohibited from retaining consumer data beyond a year without reauthorization, and the rule limits "secondary use" of data to consumer-requested services or fraud prevention.
Global data creation, copying, and consumption was 64.2 zettabytes in 2020 and is expected to exceed 180 zettabytes by 2025, according to a Statista report.
According to a 2021 World Economic Forum report, around 1.7 billion people globally remain without access to formal banking, underscoring the role of data portability in expanding access to financial services.