On October 22, 2024, the Consumer Financial Protection Bureau (CFPB) marked a significant milestone in the shift towards open banking in the United States with the finalization of its rulemaking on Personal Financial Data Rights. As we discussed in our Legal Update on the October 2023 proposed rule, the final rule provides the long-awaited implementation of Section 1033 of the Dodd-Frank Act, enacted in 2010, and establishes a comprehensive regulatory framework to provide consumers—and their authorized third parties—with rights to receive structured, consistent and timely access to consumers’ personal financial data held by financial institutions and other financial services providers.

The 594-page final rule is intended to allow consumers to access and share data held by banks, credit unions, credit card issuers, digital wallets, payment apps and other financial service providers, with the goal of improving customer choice and increasing competition, while strengthening consumer protections by imposing limitations on authorized third parties’ collection, use and retention of consumers’ data. Financial institutions subject to the final rule could face a variety of compliance, operational and technical challenges as they build out the infrastructure necessary to comply with the final rule. For the largest financial institutions, which include depository institutions with total assets in excess of $250 billion and non-depository institutions that generated at least $10 billion in total receipts in either calendar year 2023 or calendar year 2024, compliance is required by April 1, 2026, with compliance by smaller covered institutions required in phases beginning April 1, 2027, through April 1, 2030.

The controversial rule has already spurred litigation, with the Bank Policy Institute and Kentucky Bankers Association filing a lawsuit to invalidate the final rule. The lawsuit, filed in federal district court in Kentucky on the same day the final rule was issued asserts that the CFPB overstepped its statutory authority and finalized a rule that jeopardizes consumers’ privacy, financial data and account security.

Mayer Brown is preparing an in-depth analysis of the final rule, its impacts on covered financial institutions, data aggregators, and other participants in the financial data ecosystem, and the prospects for the pending litigation. Stay tuned for a detailed Legal Update, a webinar discussing the final rule and more.