The Consumer Financial Protection Bureau’s (CFPB) new open banking rule requires that financial institutions, including credit unions with assets over $850 million, allow consumers to share their financial data with authorized third-party providers. This rule, which emphasizes consumer choice and data access, mandates that consumers can permit third parties to access their financial information, provided they give informed consent. Credit unions will need to release up to 24 months of transaction data, account balances, terms, and other essential account information when requested by members. However, certain sensitive data, like fraud prevention methods and proprietary credit scoring algorithms, are excluded from these sharing requirements.
The rule does not prohibit screen scraping but suggests that more secure alternatives are preferred, with the CFPB warning it may take action against third parties that do not adopt safer methods. Larger institutions are expected to comply by April 1, 2026, while smaller ones have until 2030. The rule has faced some criticism and a legal challenge for lack of regulatory oversight on third-party data protection, but it underscores the CFPB’s focus on enhancing data access and transparency for consumers.