Published Article
Examining How Existing Federal Consumer Privacy Laws Apply to the Open Banking Ecosystem
Member Adam Maarec (Washington, DC) authored an article on the application of consumer privacy laws in open banking, which will appear in the October issue of The Review of Banking & Financial Services.
This article examines how existing federal consumer financial privacy laws in the United States, namely the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act, apply to the open banking ecosystem, particularly in light of the Consumer Financial Protection Bureau’s recently promulgated Personal Financial Data Rights rulemaking under Section 1033 of the Dodd-Frank Act. While these new rules require data providers and authorized third parties to implement several new consumer protections, they were crafted to work in conjunction with existing privacy laws. The overlap of these new rules with legacy privacy frameworks is examined to demonstrate how they work in tandem and how they will work going forward if the new rules are vacated through pending litigation. In some cases, the new rules introduce stricter limitations on the access, use, retention, and redisclosure of data than existing federal consumer financial privacy laws, raising complex operational questions for entities involved in the open banking ecosystem.
The Consumer Financial Protection Bureau (CFPB) finalized its Personal Financial Data Rights rulemaking (the Final Rule) under Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (the Dodd-Frank Act) in November 2024.[1] But after two national banking trade associations filed suit to block the Final Rule from taking effect, and the CFPB joined the banks in asking the court to vacate its own rules, companies operating in the open banking market are left with uncertainty regarding the rules that apply to their activities.
Companies sharing and accessing customers’ sensitive financial account data need to consider how existing consumer financial protection laws might apply to their open banking activities, with or without the Final Rule. Open banking generally refers to consumer-authorized data sharing. For example, when a consumer authorizes a third party to access their deposit account or credit card data and directs their bank to share that data electronically (in many cases via a data aggregator), what federal consumer financial privacy laws apply?
But First, What Data Is Being Shared in Open Banking Use Cases Today?
Open banking use cases involve access to a wide range of data needed to deliver innovative products and services. In the US today, open banking use cases have developed organically to include a broad scope of financial products and services — consumer deposit accounts, credit cards, mortgages, auto loans, student loans, personal loans, buy-now-pay-later products, investment accounts, and retirement accounts — and involve the sharing of detailed account-level information, such as balances, past debits and credits, identity information regarding the account’s owners, and many other account details that may be available in a typical online banking experience.
Section 1033 of the Dodd-Frank Act generally requires any “information in the control or possession of [a] covered person concerning [a] consumer financial product or service that the consumer obtained from such covered person” to be made available electronically (subject to a few exceptions).[2] “A consumer financial product or service” is defined in the Dodd-Frank Act to include all of the products listed above, but it does not capture certain accounts that are beyond the CFPB’s jurisdiction, such as investment and retirement accounts.
The Final Rule narrows the scope of accounts and data required to be disclosed even further.[3] Under the Final Rule, “data providers” are required to make available “covered data” about specific account types, namely deposit accounts and credit cards.[4] The covered data fields required to be disclosed by the Final Rule include:
- Transaction information: 24 months of transaction details, including amount, date, payment type, pending or authorized status, payee/merchant name, rewards, credits, and fees or finance charges.
- Terms and conditions: agreements evidencing legal obligations, including account opening agreements, pricing information and fee schedules, credit limits, rewards program terms, overdraft coverage status, and arbitration agreement status.
- Upcoming bill information: third-party bill payments scheduled through the data provider, e.g., payments scheduled to a utility company using a bank bill pay service, and any upcoming payments due from the consumer to the data provider, e.g., minimum due on a credit card.
- Account balances: this can include multiple balances, e.g., a credit card may have a cash advance balance, statement balance, and current balance.
- Basic account verification information: name, address, e-mail address, and phone number, and, for Regulation E (Electronic Fund Transfer Act) and Regulation Z (Truth in Lending Act) accounts directly or indirectly held by the data provider, a truncated account number or other account identifier.
- Information to initiate payments: to or from a Regulation E account directly or indirectly held by the data provider, including an ACH account number and routing number.[5]
The CFPB noted that the Final Rule applies alongside existing federal privacy laws, such as the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act, rather than displacing them. Data providers should therefore understand how the data shared in the open banking ecosystem today, and the data they would be required to share under the Final Rule should it survive the current legal challenge, is governed by those existing federal privacy laws.
