In June, I wrote about the revived and deliberate process of the Consumer Financial Protection Bureau (CFPB) in developing rules covering the implementation of open banking in the United States. I promised that the Retail Payments Risk Forum would continue to follow developments in open banking, so in this post, I'm providing a small update.

In an October 25 speech at this year's Money20/20 conference, CFPB director Rohit Chopra delivered a detailed roadmap and timeline for the rulemaking process for open banking. Chopra noted, "While not explicitly an open banking or open finance rule, the rule will move us closer to it, by obligating financial institutions to share consumer data upon consumer request, empowering people to break up with banks that provide bad service and unleashing more market competition." Concurrent with Chopra's speech, the CFPB issued a 71-page document outlining the proposals and possible alternatives to open banking.

As I noted in my earlier post, before the CFPB can formally issue proposed rules, it must convene a panel of federal agencies representing "small entities" (businesses, government agencies, and organizations) to provide recommendations on regulatory alternatives to minimize the burden on impacted small entities. The agencies on the panel are the CFPB, the Small Business Administration's Office of Advocacy, and the Office of Information and Regulatory Affairs in the Office of Management and Budget. The CFPB is also conferring with other federal regulatory agencies and stakeholders.

The feedback from the affected small entities is due by January 25, 2023, and is expected to be published by the end of the first quarter of 2023. Taking into consideration the input received, the CFPB will issue a set of proposed rules covering data sharing later in 2023. There will be a public comment period with the expectation that the final rule will be issued sometime in 2024 with an implementation date.

In the published outline of the proposed rule, the CFPB makes clear that this will be an incremental process as far as the scope of coverage is concerned. The proposed rules will initially cover only Regulation E (deposit transaction accounts) financial institutions, Regulation Z (credit cards) issuers, and non-financial institutions that "issue digital credential storage wallets." These groups are referred to as "covered data providers." The proposed rule also addresses requirements for third-party data processors—those that receive or aggregate data authorized by the consumer. In particular, the CFPB is soliciting feedback on the disclosures that the data provider must offer the consumer and on how the covered data providers will verify that the third party has the authority to obtain the consumer's data.

We will continue to follow and report on progress toward the implementation of open banking in the United States.