.svg)
The US Consumer Financial Protection Bureau (CFPB) has finalised its framework for open banking, known as the Personal Financial Data Rights rule, with firms beginning to come into scope from 2026.
The rule mandates that banks, credit card issuers and other financial institutions need to enable consumers to access and transfer their personal financial data to competing providers at no cost, empowering consumers to more easily switch financial institutions.
This activates Section 1033 of the Consumer Financial Protection Act, a provision that has remained dormant since the act was passed in 2010.
It ensures that consumers will be able to access and share data associated with bank accounts, credit cards, mobile wallets, payment apps and other financial products, and aims to address market concentration that limits consumer choice over financial products and services.
Via the new framework, US consumers will be able to access or authorise a third party to access data such as transaction information, account balance information, information needed to initiate payments, upcoming bill information and basic account verification information.
Financial providers are obligated to make this information available without charging fees, in a similar model to what has become the norm in jurisdictions such as the UK and EU.
“Too many Americans are stuck in financial products with lousy rates and service,” said CFPB director Rohit Chopra in a media statement. “Today’s action will give people more power to get better rates and service on bank accounts, credit cards, and more.”
What is the new rule?
The new rule is expected to drive competition and increase consumer mobility across the US banking, payments and credit markets.
Financial institutions will have to prepare for greater transparency and flexibility in handling consumer data, which will enable customers to switch providers more easily.
The rule is intended to ensure a number of outcomes:
- Easier switching: The CFPB says that new rules will enable consumers to “fire fintechs and banks that provide lousy service”, and under the new rule, consumers can easily transfer their financial data to another institution if dissatisfied with the service they receive. This eliminates many of the friction points that have historically made switching providers difficult, as consumers will no longer be locked into services due to high switching costs.
- Competitive pressure on rates and credit products: Consumers will be empowered to shop around for the best offers, such as higher interest rates on deposits or lower loan rates, without the administrative hurdles that previously slowed down switching. Additionally, by leveraging data from other financial institutions, lenders will have new opportunities to extend credit to customers, including those with limited credit histories or younger demographics, allowing for more personalised and competitive lending options.
- More secure payments: The rule also paves the way for enhanced payment methods such as “pay-by-bank”, which allows consumers to securely share payments information directly with providers, reducing reliance on traditional card networks. This represents an opportunity for fintech players to develop alternative payment products.
According to the CFPB, the final rule also helps move the industry away from screen-scraping practices, which the regulator describes as “a still common but risky practice”. Screen scraping typically involves consumers providing their account passwords to third parties which use them to access data indiscriminately through online banking portals.
The rule is also intended to enhance consumer rights by:
- Banning unauthorised data harvesting: Third parties will be able to collect, use or retain data only to deliver the product the consumer requested, and cannot secretly collect, use or retain consumers’ data for their own unrelated business reasons — for example, to offer consumers loans using data that they also use for targeted advertising. The rule does not prohibit any particular uses of data, but it requires that all use be driven by what is necessary to deliver the product sought by the consumer.
- Revocation and deletion rights: When an individual revokes access, the rule requires that data access end immediately, and deletion would be the default practice. Access can be maintained for no more than one year without express reauthorisation, and to prevent “dark patterns” emerging, the CFPB stipulates that the process to revoke access must be simple and straightforward.
Timeline and deadlines
The timeline for the compliance requirements to become actionable is staggered, with the rule being implemented in phases.
Financial firms will be required to comply based on their size: the largest institutions will have to comply by April 1, 2026, while the smallest covered institutions will have until April 1, 2030.
Certain small banks and credit unions, meanwhile, are completely exempt from the rule.
