Fintech Focus: The CFPB’s New “Open Banking” Rule: Consumers and Competition Expected to Win Once Policies and Procedures Ironed Out
Publications
October 23, 2023
By: Jeremy M. Creelan, Megan B. Poetzel, Laurel Loomis Rimon, Michael W. Ross
Last week, the Consumer Financial Protection Bureau issued its long-awaited proposed rule to implement Section 1033 of the 2010 Consumer Financial Protection Act, which has come to be known as the “open banking” provision.[1] In a nutshell, the CFPB’s Personal Financial Data Rights rule would require “data providers” –financial institutions, card issuers, digital wallets, and any other consumer-facing entity that holds consumer financial data – to share a consumer’s financial data with authorized third parties at the consumer’s request. CFPB Director Rohit Chopra emphasized in his remarks accompanying the proposed rule that its primary purpose is to foster greater competition in financial services for consumers by empowering consumers to transfer their banking information more easily and securely via API among competing banks or fintechs. In theory, “open banking” promises to reduce fees, improve customer service, and result in more product choices designed to entice consumers to sign up or to remain where they are.
The proposed rule includes these key features:
-
- Timeline and scope of compliance. The Bureau has proposed a gradual phase-in of the rule’s requirements based on the size of the data provider. The largest – at least $500 billion in total assets for depositary institutions and $10 billion in revenue for non-depositary – must comply within six months of the final rule. The smallest depositary institutions (under $850 million) have four years to comply. And data providers that do not directly interface with consumers at all (small credit unions with no online platform, for example) are exempted altogether. Certain providers may have difficulty competing without developing a robust digital interface for consumers.
- Reasonable denial of request to share data. The Bureau’s proposed rule expressly allows data providers to reasonably deny requests by authorized third parties for a consumer’s data based on various factors. One of the most significant factors noted as a reasonable basis for denial is “risk management” concerns related to data security. On this point, the Bureau walks a line recognizing interagency guidance issued recently by federal prudential regulators, highlighting depository institutions' obligation to operate in a safe and sound manner, including the exercise of due diligence and risk management related to third-party relationships. There have been questions raised in the industry about who should bear liability if data is shared with the wrong party with damaging results. What falls within the scope of “risk management” concerns will likely be important in answering this question. Over time, courts and regulators will presumably allocate these risks by developing due diligence standards and regulatory safe harbors to avoid unnecessary barriers to data sharing and the attendant costs to consumers. Data providers will need to protect themselves with sufficiently clear policies and procedures that both conform to the final rule and minimize risks of liability from data breaches caused by bad actors.
- Not all consumer-related data must, or should, be shared. The proposed rule makes clear the types of information that must be shared by data providers – mostly the consumer’s transactional and personal information sufficient for identification – but also exempts from the data sharing requirement certain information. For example, data providers need not share their own algorithms or analyses of credit, or “any information collected by the data provider for the sole purpose of preventing fraud or money laundering, or detecting, or making any report regarding other unlawful or potentially unlawful conduct.” In the future, these exemptions will likely raise potentially important questions of liability for information that was or was not shared about a consumer’s financial activities.
- Standards for data-sharing interfaces. The proposed rule envisions “fair, open, and inclusive” industry standards being established by a standard-setting body that is itself “fair, open, and inclusive.” The rule identifies the following seven attributes that such an issuer of qualified industry standards must possess: (1) Openness, in developing and revealing its sources, processes, and procedures; (2) Balance, in ensuring that its decision-making is not skewed toward one interest or another; (3) Due Process, in its processes and procedures used to develop standards; (4) Appeals, available to be handled impartially; (5) Consensus, defined as general agreement rather than unanimity, used in developing standards; (6) Transparency, in its processes and procedures used to develop standards; and (7) CFPB Recognition, in the last three years as such an issuer, upon request. This may ultimately be an area without significant controversies, given the near-universal embrace of open banking in at least some form. But the open questions we outlined above regarding liability and policies for reasonable denials of data-sharing requests will render these standards potentially significant.
The CFPB’s proposed rule highlights a number of areas where the Bureau is seeking industry input and comment, and submissions will be accepted through December 29, 2023. Director Chopra noted in prepared remarks announcing the rule that the Bureau anticipates finalizing the rule by the fall of 2024.
The proposed rule includes these key features:
-
- Timeline and scope of compliance. The Bureau has proposed a gradual phase-in of the rule’s requirements based on the size of the data provider. The largest – at least $500 billion in total assets for depositary institutions and $10 billion in revenue for non-depositary – must comply within six months of the final rule. The smallest depositary institutions (under $850 million) have four years to comply. And data providers that do not directly interface with consumers at all (small credit unions with no online platform, for example) are exempted altogether. Certain providers may have difficulty competing without developing a robust digital interface for consumers.
- Reasonable denial of request to share data. The Bureau’s proposed rule expressly allows data providers to reasonably deny requests by authorized third parties for a consumer’s data based on various factors. One of the most significant factors noted as a reasonable basis for denial is “risk management” concerns related to data security. On this point, the Bureau walks a line recognizing interagency guidance issued recently by federal prudential regulators, highlighting depository institutions' obligation to operate in a safe and sound manner, including the exercise of due diligence and risk management related to third-party relationships. There have been questions raised in the industry about who should bear liability if data is shared with the wrong party with damaging results. What falls within the scope of “risk management” concerns will likely be important in answering this question. Over time, courts and regulators will presumably allocate these risks by developing due diligence standards and regulatory safe harbors to avoid unnecessary barriers to data sharing and the attendant costs to consumers. Data providers will need to protect themselves with sufficiently clear policies and procedures that both conform to the final rule and minimize risks of liability from data breaches caused by bad actors.
- Not all consumer-related data must, or should, be shared. The proposed rule makes clear the types of information that must be shared by data providers – mostly the consumer’s transactional and personal information sufficient for identification – but also exempts from the data sharing requirement certain information. For example, data providers need not share their own algorithms or analyses of credit, or “any information collected by the data provider for the sole purpose of preventing fraud or money laundering, or detecting, or making any report regarding other unlawful or potentially unlawful conduct.” In the future, these exemptions will likely raise potentially important questions of liability for information that was or was not shared about a consumer’s financial activities.
- Standards for data-sharing interfaces. The proposed rule envisions “fair, open, and inclusive” industry standards being established by a standard-setting body that is itself “fair, open, and inclusive.” The rule identifies the following seven attributes that such an issuer of qualified industry standards must possess: (1) Openness, in developing and revealing its sources, processes, and procedures; (2) Balance, in ensuring that its decision-making is not skewed toward one interest or another; (3) Due Process, in its processes and procedures used to develop standards; (4) Appeals, available to be handled impartially; (5) Consensus, defined as general agreement rather than unanimity, used in developing standards; (6) Transparency, in its processes and procedures used to develop standards; and (7) CFPB Recognition, in the last three years as such an issuer, upon request. This may ultimately be an area without significant controversies, given the near-universal embrace of open banking in at least some form. But the open questions we outlined above regarding liability and policies for reasonable denials of data-sharing requests will render these standards potentially significant.
The CFPB’s proposed rule highlights a number of areas where the Bureau is seeking industry input and comment, and submissions will be accepted through December 29, 2023. Director Chopra noted in prepared remarks announcing the rule that the Bureau anticipates finalizing the rule by the fall of 2024.
Related Capabilities
© 2026 Jenner & Block LLP. Attorney Advertising. Jenner & Block LLP is an Illinois Limited Liability Partnership including professional corporations. This publication, presentation, or event is not intended to provide legal advice but to provide information on legal matters and/or firm news of interest to our clients and colleagues. Readers or attendees should seek specific legal advice before taking any action with respect to matters mentioned in this publication or at this event. The attorney responsible for this communication is Brent E. Kidwell, Jenner & Block LLP, 353 N. Clark Street, Chicago, IL 60654-3456. Prior results do not guarantee a similar outcome. Jenner & Block London LLP, an affiliate of Jenner & Block LLP, is a limited liability partnership established under the laws of the State of Delaware, USA and is authorised and regulated by the Solicitors Regulation Authority with SRA number 615729. Information regarding the data we collect and the rights you have over your data can be found in our Privacy Notice. For further inquiries, please contact dataprotection@jenner.com.
Publications
October 23, 2023
By: Jeremy M. Creelan, Megan B. Poetzel, Laurel Loomis Rimon, Michael W. Ross
Last week, the Consumer Financial Protection Bureau issued its long-awaited proposed rule to implement Section 1033 of the 2010 Consumer Financial Protection Act, which has come to be known as the “open banking” provision.[1] In a nutshell, the CFPB’s Personal Financial Data Rights rule would require “data providers” –financial institutions, card issuers, digital wallets, and any other consumer-facing entity that holds consumer financial data – to share a consumer’s financial data with authorized third parties at the consumer’s request. CFPB Director Rohit Chopra emphasized in his remarks accompanying the proposed rule that its primary purpose is to foster greater competition in financial services for consumers by empowering consumers to transfer their banking information more easily and securely via API among competing banks or fintechs. In theory, “open banking” promises to reduce fees, improve customer service, and result in more product choices designed to entice consumers to sign up or to remain where they are.
The proposed rule includes these key features:
-
- Timeline and scope of compliance. The Bureau has proposed a gradual phase-in of the rule’s requirements based on the size of the data provider. The largest – at least $500 billion in total assets for depositary institutions and $10 billion in revenue for non-depositary – must comply within six months of the final rule. The smallest depositary institutions (under $850 million) have four years to comply. And data providers that do not directly interface with consumers at all (small credit unions with no online platform, for example) are exempted altogether. Certain providers may have difficulty competing without developing a robust digital interface for consumers.
- Reasonable denial of request to share data. The Bureau’s proposed rule expressly allows data providers to reasonably deny requests by authorized third parties for a consumer’s data based on various factors. One of the most significant factors noted as a reasonable basis for denial is “risk management” concerns related to data security. On this point, the Bureau walks a line recognizing interagency guidance issued recently by federal prudential regulators, highlighting depository institutions' obligation to operate in a safe and sound manner, including the exercise of due diligence and risk management related to third-party relationships. There have been questions raised in the industry about who should bear liability if data is shared with the wrong party with damaging results. What falls within the scope of “risk management” concerns will likely be important in answering this question. Over time, courts and regulators will presumably allocate these risks by developing due diligence standards and regulatory safe harbors to avoid unnecessary barriers to data sharing and the attendant costs to consumers. Data providers will need to protect themselves with sufficiently clear policies and procedures that both conform to the final rule and minimize risks of liability from data breaches caused by bad actors.
- Not all consumer-related data must, or should, be shared. The proposed rule makes clear the types of information that must be shared by data providers – mostly the consumer’s transactional and personal information sufficient for identification – but also exempts from the data sharing requirement certain information. For example, data providers need not share their own algorithms or analyses of credit, or “any information collected by the data provider for the sole purpose of preventing fraud or money laundering, or detecting, or making any report regarding other unlawful or potentially unlawful conduct.” In the future, these exemptions will likely raise potentially important questions of liability for information that was or was not shared about a consumer’s financial activities.
- Standards for data-sharing interfaces. The proposed rule envisions “fair, open, and inclusive” industry standards being established by a standard-setting body that is itself “fair, open, and inclusive.” The rule identifies the following seven attributes that such an issuer of qualified industry standards must possess: (1) Openness, in developing and revealing its sources, processes, and procedures; (2) Balance, in ensuring that its decision-making is not skewed toward one interest or another; (3) Due Process, in its processes and procedures used to develop standards; (4) Appeals, available to be handled impartially; (5) Consensus, defined as general agreement rather than unanimity, used in developing standards; (6) Transparency, in its processes and procedures used to develop standards; and (7) CFPB Recognition, in the last three years as such an issuer, upon request. This may ultimately be an area without significant controversies, given the near-universal embrace of open banking in at least some form. But the open questions we outlined above regarding liability and policies for reasonable denials of data-sharing requests will render these standards potentially significant.
The CFPB’s proposed rule highlights a number of areas where the Bureau is seeking industry input and comment, and submissions will be accepted through December 29, 2023. Director Chopra noted in prepared remarks announcing the rule that the Bureau anticipates finalizing the rule by the fall of 2024.
The proposed rule includes these key features:
-
- Timeline and scope of compliance. The Bureau has proposed a gradual phase-in of the rule’s requirements based on the size of the data provider. The largest – at least $500 billion in total assets for depositary institutions and $10 billion in revenue for non-depositary – must comply within six months of the final rule. The smallest depositary institutions (under $850 million) have four years to comply. And data providers that do not directly interface with consumers at all (small credit unions with no online platform, for example) are exempted altogether. Certain providers may have difficulty competing without developing a robust digital interface for consumers.
- Reasonable denial of request to share data. The Bureau’s proposed rule expressly allows data providers to reasonably deny requests by authorized third parties for a consumer’s data based on various factors. One of the most significant factors noted as a reasonable basis for denial is “risk management” concerns related to data security. On this point, the Bureau walks a line recognizing interagency guidance issued recently by federal prudential regulators, highlighting depository institutions' obligation to operate in a safe and sound manner, including the exercise of due diligence and risk management related to third-party relationships. There have been questions raised in the industry about who should bear liability if data is shared with the wrong party with damaging results. What falls within the scope of “risk management” concerns will likely be important in answering this question. Over time, courts and regulators will presumably allocate these risks by developing due diligence standards and regulatory safe harbors to avoid unnecessary barriers to data sharing and the attendant costs to consumers. Data providers will need to protect themselves with sufficiently clear policies and procedures that both conform to the final rule and minimize risks of liability from data breaches caused by bad actors.
- Not all consumer-related data must, or should, be shared. The proposed rule makes clear the types of information that must be shared by data providers – mostly the consumer’s transactional and personal information sufficient for identification – but also exempts from the data sharing requirement certain information. For example, data providers need not share their own algorithms or analyses of credit, or “any information collected by the data provider for the sole purpose of preventing fraud or money laundering, or detecting, or making any report regarding other unlawful or potentially unlawful conduct.” In the future, these exemptions will likely raise potentially important questions of liability for information that was or was not shared about a consumer’s financial activities.
- Standards for data-sharing interfaces. The proposed rule envisions “fair, open, and inclusive” industry standards being established by a standard-setting body that is itself “fair, open, and inclusive.” The rule identifies the following seven attributes that such an issuer of qualified industry standards must possess: (1) Openness, in developing and revealing its sources, processes, and procedures; (2) Balance, in ensuring that its decision-making is not skewed toward one interest or another; (3) Due Process, in its processes and procedures used to develop standards; (4) Appeals, available to be handled impartially; (5) Consensus, defined as general agreement rather than unanimity, used in developing standards; (6) Transparency, in its processes and procedures used to develop standards; and (7) CFPB Recognition, in the last three years as such an issuer, upon request. This may ultimately be an area without significant controversies, given the near-universal embrace of open banking in at least some form. But the open questions we outlined above regarding liability and policies for reasonable denials of data-sharing requests will render these standards potentially significant.
The CFPB’s proposed rule highlights a number of areas where the Bureau is seeking industry input and comment, and submissions will be accepted through December 29, 2023. Director Chopra noted in prepared remarks announcing the rule that the Bureau anticipates finalizing the rule by the fall of 2024.
Related Capabilities
© 2026 Jenner & Block LLP. Attorney Advertising. Jenner & Block LLP is an Illinois Limited Liability Partnership including professional corporations. This publication, presentation, or event is not intended to provide legal advice but to provide information on legal matters and/or firm news of interest to our clients and colleagues. Readers or attendees should seek specific legal advice before taking any action with respect to matters mentioned in this publication or at this event. The attorney responsible for this communication is Brent E. Kidwell, Jenner & Block LLP, 353 N. Clark Street, Chicago, IL 60654-3456. Prior results do not guarantee a similar outcome. Jenner & Block London LLP, an affiliate of Jenner & Block LLP, is a limited liability partnership established under the laws of the State of Delaware, USA and is authorised and regulated by the Solicitors Regulation Authority with SRA number 615729. Information regarding the data we collect and the rights you have over your data can be found in our Privacy Notice. For further inquiries, please contact dataprotection@jenner.com.
News and Insights
Publications
In Employee Relations Law Journal: What Happens When ERISA Disability Deadlines Slip
Partner Joseph Torres along with Associates Emma O'Connor and Christopher LeWarne, authored an article for the Employee Relations Law Journal analyzing a significant Fourth Circuit decision with substantial consequences for ERISA disability plan administrators.
June 23, 2026
Event
Jenner & Block Partners to Speak at Council on Governmental Relations Conference
On June 11, Partners Mike Vernick, Katie Wynbrandt, and Betsy Henthorne will speak on a panel at the Council on Governmental Relations (COGR) meeting.
June 11, 2026
Recognition
Jenner & Block's Law Firm Defense Practice Receives Band 1 Nationwide Ranking in 2026 Chambers USA
For the third consecutive year, Jenner & Block's Law Firm and Professional Services Defense Practice has achieved a Nationwide Band 1 ranking in the 2026 edition of Chambers USA.
June 10, 2026