Alston & Bird Consumer Finance Blog


Financial Services / Investment Funds Advisory | FinCEN Delays Enforcement of Investment Adviser AML/CFT Rule

Executive Summary

Our Financial Services and Investment Funds Teams examine the delay by the Financial Crimes Enforcement Network (FinCEN) of the effective date for the Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) program requirements by two years.

  • The postponement aims to ease compliance costs, reduce uncertainty, and allow for further review of the rule
  • The rule would have included investment advisers in the list of “financial institutions” under the Bank Secrecy Act and required them to implement comprehensive AML/CFT programs
  • FinCEN will provide interim exemptive relief while reviewing the rule’s substance

_________________________________________

The Financial Crimes Enforcement Network (FinCEN) has postponed the effective date of its final rule establishing the Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) Program and Suspicious Activity Report Filing Requirements for Registered Investment Advisers and Exempt Reporting Advisers Rule. The effective date, previously set for January 1, 2026, is now anticipated to be January 1, 2028.

The so-called “IA AML Rule” would have brought certain investment advisers within the definition of “financial institution” under the Bank Secrecy Act (BSA) and imposed comprehensive AML/CFT program obligations. FinCEN cited several reasons for the deferral, including:

  • Easing potential compliance costs for the industry.
  • Reducing regulatory uncertainty.
  • Allowing FinCEN to undertake a broader review of the rule’s substance and scope.
  • Ensuring the rule is “effectively tailored to the diverse business models and risk profiles” within the investment adviser sector.

FinCEN also indicated its intent to collaborate with the Securities and Exchange Commission (SEC) to revisit the previously proposed rule on customer identification program (CIP) requirements for investment advisers.

What This Means for Advisers

While this postponement provides a two-year reprieve from the compliance obligations of the IA AML Rule, it’s important to understand what these obligations would have entailed. Had the rule become effective in 2026, advisers would generally have been required to:

  • Develop and implement a written, risk-based AML/CFT program.
  • Designate an AML compliance officer.
  • Conduct ongoing training for relevant personnel.
  • Perform independent testing of their AML programs.
  • File suspicious activity reports with FinCEN about suspicious transactions.
  • If the associated CIP rule were finalized, implement customer identification and verification procedures for their clients.

FinCEN intends to revisit the rule’s substance through a future rulemaking process and will provide interim exemptive relief to formally delay the effective date. Firms should continue to monitor FinCEN and SEC announcements for further developments on these AML/CFT and CIP requirements.

_____________________________________________

Originally published July 28, 2025.

If you have any questions, or would like additional information, please contact one of the attorneys on our Financial Services team or one of the attorneys on our Investment Funds team.

You can subscribe to future advisories and other Alston & Bird publications by completing our publications subscription form.

Financial Services / White Collar, Government & Internal Investigations Advisory | Financial Institutions Permitted to Use Third Parties to Collect Customers’ Taxpayer Identification Numbers for Identity Verification

Executive Summary

Our Financial Services and White Collar, Government & Internal Investigations Teams examine the Financial Crimes Enforcement Network’s new customer identification program (CIP) exemption that allows banks and credit unions to use third parties to collect customers’ taxpayer identification numbers (TINs).

  • Reflects the view that using third-party sources allows institutions to reasonably accommodate customers’ privacy and data security concerns about submitting TINs electronically
  • Mirrors the flexibility available under existing CIP rules for credit card account opening
  • Continues to require written, risk-based CIP procedures that enable institutions to form a reasonable belief that they know the true identity of each customer

___________________________________________

On June 27, 2025, U.S. federal bank and credit union regulators issued an order, with the concurrence of the Financial Crimes Enforcement Network (FinCEN), granting an exemption from customer identification program (CIP) rules. Under the order, U.S. banks and credit unions are relieved from the requirement to collect taxpayer identification numbers (TINs) (e.g., Social Security numbers (SSNs), employer identification numbers (EINs), and individual taxpayer identification numbers (ITINs)) directly from customers at account opening. News releases by the Office of the Comptroller of the Currency (OCC) and other agencies generally touted the order as a reasonable exercise of regulatory flexibility that addresses customer privacy concerns without increasing fraud, money laundering, or bank safety and soundness risk.

Under CIP rules applicable since 2001, banks have generally been required to collect TINs in addition to names and other identifying information about customers seeking to open accounts.

Significantly, except in the case of credit card accounts, the account-opening institution has been required to obtain this information from the customer. The institution must then apply CIP procedures intended to use this information to verify the customer’s identity, which can include both documentary methods (such as comparison against the customer’s driver’s license or similar government-issued identification) and nondocumentary methods (such as comparison against information obtained from a consumer reporting agency (CRA)).

When the agencies and FinCEN jointly issued final CIP rules in 2003, they acknowledged industry concerns that the requirement to obtain this information from customers directly imposed an undue hardship on institutions in opening credit card accounts. Credit card issuers indicated that new customers were reluctant to provide their TIN information over the telephone and were typically not asked to do so in person. The regulators determined then that allowing banks to continue to rely on third-party sources, such as CRAs, for some of this information would be consistent with existing practices, which had, according to the regulators, “produced an efficient and effective means of extending credit with little risk that the lender does not know the identity of the borrower.”

The USA PATRIOT Act provisions implemented by the CIP rules (statutory authority that is part of what is generally referred to as the Bank Secrecy Act (BSA)) do not prescribe either the minimum information that banks must collect for verifying customer identities or the source of that information. The AML Act of 2020 specifically requires the agencies and FinCEN to review BSA regulations such as the CIP rules for those that may be outdated or that do not otherwise promote risk-based anti-money laundering compliance programs.

In 2024, FinCEN issued a request for information (RFI) soliciting feedback on the potential risks and benefits of permitting banks to obtain TINs from third-party sources instead of from customers as part of their CIP. Within both the RFI and the order, the regulators noted that significant technological changes had occurred within financial services since the CIP rules’ adoption in 2003, both in the ways that customers access such services and in how institutions deliver them. These changes reflect, among other things, innovations in available identity verification methods and tools.

As part of the RFI, the regulators also noted the increasing prevalence of bank partnerships with nonbanks and that these nonbank partners may not be directly subject to CIP or similar compliance requirements. This difference has both compliance and competitive implications for banks. The regulators also acknowledged the need, within the constraints of the existing BSA provisions that the CIP rules implement and other applicable law, to balance CIP requirements intended to prevent and detect fraud, money laundering, and other illegal activity, on the one hand, with bank burdens and customer privacy concerns implicated by account opening processes on the other. At this time FinCEN specifically requested public comment on allowing a bank to obtain partial TIN information from its customer (such as the last four digits of their SSN) and the customer’s full TIN from a third-party service provider.

The Order

The order provides an exemption from the CIP rule requirement for banks subject to the jurisdiction of the agencies (and certain bank subsidiaries) to obtain full TINs directly from the customer prior to opening an account.

The order permits banks, for all account types, to instead use an alternative collection method to obtain TIN information from a third-party source (such as a CRA), provided that the bank otherwise complies with CIP rules, which require written procedures that (1) enable the bank to obtain TIN information before opening an account; (2) are based on the bank’s assessment of the relevant risks; and (3) permit the bank to form a reasonable belief that it knows the true identity of each customer. The agencies stress that reliance on the exemption is optional; banks are not required to begin using an alternative TIN collection method. The order was effective immediately upon its publication, making the exemption it describes available immediately as well.

Basis for the Exemption

In issuing the order, the agencies relied on existing CIP rule authority allowing the bank regulators—with FinCEN’s concurrence—to exempt any entity subject to their supervision or type of account they may open from the rules’ requirements.

Ultimately, the agencies concluded that the risks associated with relaxing the CIP rules to permit banks to obtain TINs from third parties as described in the order did not outweigh the associated benefits. In particular, the agencies relied on (1) evidence of wide availability of alternative TIN collection methods; (2) an increase in electronic and other non-face-to-face account opening; and (3) the success of the existing credit card exemption. They also cited BSA legislative history for the proposition that these rules should not impose requirements that are burdensome, prohibitively expensive, or impractical.

While the agencies acknowledged fraud and identity theft risks associated with non-face-to-face account opening, they concluded that unauthorized TIN information exposure—from data breaches not specifically attributable to account opening or even to banks—has diminished the importance of the specific method of TIN collection used by banks for identity verification purposes. According to the agencies, this exposure has also contributed to consumer hesitancy to provide TINs at account opening. In light of this hesitancy and the increasing availability of alternative identity verification resources (including those using email address, geolocation, and internet protocol (IP) address location information), the agencies determined that the order provided meaningful regulatory relief consistent with safe and sound banking practices.

Risks Related to the Exemption and Other Considerations

The primary risk the agencies focused on within the order is that this exemption may result in weaker account opening processes and therefore increases in identity theft, fraud, and other illegal activity that the CIP rules are intended to prevent. In this regard, the agencies took care to reinforce not only that reliance on the exemption is optional but also that, to take advantage of it, institutions must still support their practices as part of a CIP program that reflects the bank’s assessment of the relevant risks and includes procedures enabling the bank to form a reasonable belief that it knows the true identity of each customer. The agencies asserted that the resulting banking practices will not be contrary to generally accepted standards of prudent banking operation or give rise to abnormal risk of loss or damage to an institution or its shareholders.

Public comments cited by the agencies also raised a concern that smaller institutions may not have the resources to implement third-party TIN collection methods or may be forced to increase fees or take other steps that negatively impact their customers or prospective customers (including the “unbanked”) to do so. The agencies did not specifically address this concern other than by reinforcing that implementation of these alternative methods is optional. Being an order pursuant to existing rules, the agencies did not have to consider these concerns in the same way that they would have had to as part of regulation changes.

The agencies also did not address concerns raised by commenters about the intersection of CIP rule requirements and Internal Revenue Service (IRS) backup withholding requirements. Banks relying on the order to collect TINs from third-party sources may need to align these procedures with the procedures used to satisfy these withholding rules. Under these requirements, banks are generally required to implement backup withholding on customer accounts for which the bank is a payer of income (such as interest) for IRS purposes if the customer fails either to furnish accurate TIN information to the bank or to certify, under penalties of perjury, that the TIN information furnished to the bank is correct.

Banks frequently satisfy these requirements by collecting a Form W-9 (or substitute W-9 in accordance with IRS rules) from their customers. While backup withholding requirements are distinct considerations and are not implicated by all account types, many banks have streamlined their account opening requirements to satisfy both sets of requirements concurrently (and to streamline future account opening processes, such as a customer’s opening of a non-interest-bearing account and subsequent addition of an interest-bearing account). Similarly, broker-dealers and certain other entities subject to CIP rule requirements are not subject to the order, and institutions deploying joint account opening processes (such as within an affiliate or referral program structure) will need to ensure that reliance on the order does not result in compliance gaps or poor customer experience outcomes.

Banks will also need to consider how reliance on the order could impact sanctions compliance (for example, to the extent that sanctions screening is conducted based on customer-provided information before the completion of CIP identity verification); compliance with other BSA rules (such as legal entity customer beneficial ownership rules or the so-called Travel Rule, under which separate TIN collection requirements apply that are arguably not impacted by the order); and compliance with the federal Fair Credit Reporting Act and similar state laws that may apply to the various third-party identity verification services used for this purpose.

Finally, the order also may compel banks and their program managers or other fintech partners to put a finer point on who is considered the bank’s CIP “customer” for BSA purposes for a particular program or product and what information is required about them under their anti-money laundering programs and partnership terms. As noted in the RFI, CIP standards among these entities may vary, and the order may allow them to better align onboarding practices and deliver a better overall customer experience.


Originally published July 24, 2025.

If you have any questions, or would like additional information, please contact one of the attorneys on our Financial Services team or one of the attorneys on our White Collar, Government & Internal Investigations team.


Federal Banking Agencies Announce Intent to Rescind 2023 Community Reinvestment Act Final Rule and Return to Prior Framework

What Happened?

The Federal Deposit Insurance Corporation (“FDIC”), the Board of Governors of the Federal Reserve System (“Federal Reserve”), and the Office of the Comptroller of the Currency (“OCC”) (collectively, the “federal banking agencies”) announced their intent to rescind the 2023 Community Reinvestment Act Final Rule (“Final Rule”) and to reinstate the CRA framework that existed prior to the 2023 CRA Final Rule.

Community Reinvestment Act (“CRA”)

The CRA was enacted in 1977 to address systemic inequities in access to credit in response to concerns that banks were engaging in redlining to deny credit to customers in low-income, minority areas. The CRA requires federal bank regulators to evaluate a financial institution’s record of meeting the credit needs of a given community, with separate evaluations for each area where the bank maintains a branch office, taking a particular focus on low- and moderate-income (“LMI”) communities.

Given changes in technology and financial products since the CRA’s enactment, there have been several failed attempts over the past 30 years to revise and modernize CRA regulations. Before the 2023 CRA Final Rule, the last significant interagency revision to the regulations occurred in 1995.

Why Does It Matter?

Criticisms of the Final Rule

The federal banking agencies’ stated purpose for the Final Rule was to modernize CRA to address technological innovations and new product offerings in banking. However, many within the industry asserted that the Final Rule was contrary to the plain language of the CRA and congressional intent. The Final Rule fundamentally altered the determination of a bank’s assessment area, requiring inclusion of areas where the bank does not maintain any physical presence. The Final Rule set forth new tests, applicable to different banks based on asset size. Application and “scoring” under these tests was complicated and difficult to apply. Additionally, the Final Rule sought to evaluate banks’ deposit practices in addition to lending and investment activities.

Industry participants and trade groups asserted that the Final Rule would drastically and unnecessarily increase the regulatory burden placed on banks. The Final Rule could require banks to use deposits gathered from their local communities to make loans in places potentially thousands of miles away. The formulaic approach to scoring could result in decision-making divorced from the actual convenience and needs of a bank’s community. Banks also argued that the unnecessarily complex evaluation could force banks to close branches or reduce product offerings.

In March 2024, after a number of prominent bank trade groups sued to block the new rule, a Texas judge blocked the Final Rule, finding that the rule surpassed its statutory authority. The court found that the regulators exceeded their authority by expanding the lending test to evaluate banks in geographic areas where they did not maintain physical branches. Moreover, the court rejected the agencies’ contention that “credit needs” could be construed more broadly to include deposit products. The Final Rule has been on hold since the court’s ruling, and the federal banking agencies’ notice of intent to rescind the Final Rule puts an end to the Final Rule from a practical perspective.

Return to Prior Framework

In light of this litigation and the change in presidential administration, the federal banking agencies decided to rescind the 2023 CRA Final Rule and return to the 1995 framework that existed prior to the Final Rule. Once the federal banking agencies formally rescind the Final Rule, banks will not be required to comply with the more stringent and complex tests that the Final Rule would have required. However, it is important to note that the problems the Final Rule sought to address still remain. The old framework still struggles to address the innovations and changes in the banking industry, including internet and mobile banking.

What Do I Need to Do?

Covered financial institutions should monitor further developments and confirm that the federal banking agencies do formally rescind the Final Rule. Banks should also evaluate their compliance with the existing CRA framework and keep abreast of new efforts to modernize CRA regulations moving forward. Alston & Bird’s Financial Services Group is actively monitoring these developments and is able to assist with any compliance concerns regarding these anticipated changes.

Financial Services Advisory | The (Bay) State of the Model Money Transmission Modernization Act

Executive Summary

Massachusetts has joined the growing list of states that have at least partially adopted the Model Money Transmission Modernization Act. Our Financial Services Group examines the model act, how the Bay State has adopted it, and the implications for money transmitters.

  • The Massachusetts act applies to any entity that transfers money within the United States
  • The act only applies to consumer transactions, a major difference from the national model
  • Requirements of the act take effect January 1, 2026

________________________________________________

Massachusetts is the first state of 2025 to sign its version of the Model Money Transmission Modernization Act into law. The model act is a set of nationwide standards for the supervision and regulation of money transmitters created by state and industry experts and approved by the Conference of State Bank Supervisors (CSBS) in 2021. Since then, 25 states have enacted legislation to adopt, in whole or in part, a version of the model act.

Both the governor and state commissioner of banks emphasized the need to protect consumers and pointed to the widespread use of peer-to-peer payment applications as an important reason for adopting the new law. While regulation of businesses offering peer-to-peer payment services may have been a goal, the new law is far more comprehensive than the current framework, which addresses cross-border money transmissions and the sale of checks or money orders.

Scope of the New Massachusetts Act

Historically, Massachusetts has only required entities engaging in the business of selling, issuing, or registering checks or engaging in foreign money transmission activities, such as facilitating cross-border transactions, to obtain licenses. The new law repeals the prior law and replaces it with a statutory framework influenced by the model act. The new law applies to any entity that provides transfers of money between individuals or entities within the United States if it does not otherwise qualify for an exemption.

Specifically, the new law regulates the following activities as “money transmission”: (1) the sale or issuance of payment instruments to a person in Massachusetts; (2) the sale or issuance of stored value to a person in Massachusetts; or (3) the receipt of money for transmission from a person in Massachusetts.

In addition to expanding the scope, the new law incorporates key provisions from the model act, including express exemptions for operators of payment systems providing processing, clearing, or settlement services and for entities acting as agents of payees in accordance with statutory requirements.

Comparison to Model Act

While closely modeled on the model act, the new law does differ from the model act in a few notable ways.

Expressly for consumer purposes only

The definition of “money transmission” in the new law refers to the provision of such services to individuals and corporate entities. At the same time, the definition is expressly limited to “transactions engaged in by a person for personal, family or household purposes.” This addition limits the scope of the new law to consumer purposes. In contrast, the model act does not specify the purpose of the transactions, implying that it applies to both consumer and commercial transactions.

Silent on payroll processing services

The new law did not adopt the model act’s explicit inclusion of “payroll processing services” in its definition of money transmission. Nor did it expressly exempt payroll services, as other states, such as California, have done.

The Division of Banks has posted select opinions interpreting the current law, including one as recently as November 2024, providing guidance on the licensing requirements for payroll and employee benefit services. The division concluded the services provided by the payroll service provider were not licensable under the state’s laws on cross-border money transmissions because none of the services involved the “transfer of money to foreign countries,” although certain other check services were licensable under the state’s laws on the sale of checks or money orders.

In reaching this conclusion, the deputy commissioner of banks and general counsel cautioned that “legislation has been filed that would overhaul the licensing and regulation of money transmission and would include domestic money transmission within the licensure requirement.”

Although Massachusetts may interpret payroll processing services as falling under the category of commercial services exempted by the limitations on money transmission set forth in the new law, recent guidance has focused on the presence of foreign transmission activity as the determining factor in resolving the question of whether licensure is required.

Does not adopt virtual currency provisions

The new law did not adopt the virtual currency provisions of the model act. Opinions posted on the division’s website clarify that entities involved in virtual currency transactions, such as exchanges or kiosks, may not require a foreign transmittal agency license if their activities do not involve transmitting funds to foreign countries.

The division often concluded that these entities’ activities did not involve transmitting funds to foreign countries, which was the primary driver for requiring such a license. The division’s conclusions are based on the specific facts presented in each case, and different facts may lead to different outcomes. As Massachusetts begins regulating domestic transactions, it remains unclear whether the new law will be interpreted to apply to virtual currency transactions.

Impact on Current Licensees

Licenses obtained under the current law will remain in effect, but renewals for the year 2026 and after will need to be filed in accordance with the new law.

Existing licensees will need to comply with the requirements in the new law, including maintaining a surety bond, permissible investments, and meeting the tangible net worth requirements.

Effective Date

New laws take effect in Massachusetts 90 days after the governor signs the law, unless the new law is an emergency law or pertains to certain matters excluded under the Massachusetts Constitution, making the effective date of the new law April 1, 2025. The new law states that the majority of its requirements will take effect January 1, 2026. Persons engaged in money transmission in Massachusetts that are required under the new law to obtain licensure must file an application for licensure by June 1, 2026, and may continue their activities while their application is pending until the application has been approved, withdrawn, or denied.

Model Act Adoption Landscape

Many states have adopted the model act either wholly or in part since the CSBS approved the model act in 2021. These states include:

  • Arizona
  • Arkansas
  • California
  • Connecticut
  • Georgia
  • Hawaii
  • Illinois
  • Indiana
  • Iowa
  • Kansas
  • Maine
  • Maryland
  • Massachusetts
  • Minnesota
  • Missouri
  • Nevada
  • New Hampshire
  • North Dakota
  • South Carolina
  • South Dakota
  • Tennessee
  • Texas
  • Vermont
  • West Virginia
  • Wisconsin

States’ Partial Adoptions of the Model Act

The model act regulates money transmission by establishing licensing, financial security, and reporting requirements and includes exemptions for certain entity types. While the goal of the model act was harmonization in the money transmission industry, states have not uniformly adopted the model act, with some choosing to adopt only certain provisions and others choosing to exempt activities the model act defines as licensable.

One exemption that has seen inconsistent adoption is that of payroll processing services, with some states expressly exempting payroll processors, other states choosing to be silent on whether payroll processing services constitute money transmission, and a third approach, such as that taken in Iowa, where the state adopted an “agent of the payor” exemption that applies to payroll processing.

Additionally, the model act provides an option for states to impose uniform licensing and disclosure requirements on virtual currency business activity. Only a few states, including Maine and Minnesota, have opted to include the model act’s virtual currency provisions. Other states are continuing to regulate virtual currency activity either through new licensing regimes or through regulatory interpretations of their money transmission laws.

Despite improved alignment between the states, companies engaging or seeking to engage in money transmission activities must continue managing compliance individually for each state.

2025 Adoptions of the Model Act

Massachusetts is the latest state to regulate domestic money transmission. Nearly half the states that have adopted at least part of the model act did so in 2024. We anticipate momentum in adoption of the model act will continue this year. Some states, including Alaska, Idaho, and Virginia, have pending legislation to address whether the state will also adopt a form of the model act later in the year.

We further note that while states are continuing to consider adopting the model act, Kansas, South Carolina, and Wisconsin each have new money transmission laws based on the model act that went into effect January 1, 2025.


Originally published January 22, 2025.


If you have any questions, or would like additional information, please contact one of the attorneys on our Financial Services team.

Financial Services Advisory: CFPB Finalizes Open Banking Rule on Consumer Financial Data Rights

Executive Summary

Our Financial Services Group unpacks the Consumer Financial Protection Bureau’s final rule on consumer financial data rights under Section 1033 of the Dodd–Frank Act.

  • The rule requires “data providers” to provide consumers and authorized third parties, upon request, with access to certain consumer financial data
  • “Data providers” include Regulation E banks and credit unions, Regulation Z card issuers, payment facilitators, and digital-wallet providers
  • Compliance deadlines are staggered based on institution size, with an exclusion for financial institutions with less than $850 million in assets

_______________________________________________________________

On October 22, 2024, the Consumer Financial Protection Bureau (CFPB) finalized its rule on personal financial data rights under Section 1033 of the Dodd–Frank Wall Street Reform and Consumer Protection Act. Known as the “open banking rule,” it permits consumers to access, control, and share their financial data with authorized third parties. The rule creates a significant shift in control over consumer data in the United States, and it is intended to provide consumers with greater control over financial data, foster competition, and stimulate innovation across the financial services industry. The rule applies broadly to banks, credit unions, and nonbank financial institutions, all of which must make consumer financial data available upon authorized request.

Key Provisions

The rule requires a “data provider” to make available, without charge, “covered data” about consumer financial products and services to consumers and certain “authorized third parties,” in electronic form, upon request by the consumer. The rule requires the provision of such data in standardized, machine-readable formats to promote consistency between financial institutions and third parties. The CFPB will name standard-setting bodies to develop consensus standards to assess compliance with the rule.

Who is a “data provider”?

The CFPB has said its definition of “data provider” will continue to evolve, but it has prioritized financial institutions and card issuers. The rule defines a “data provider” as:

  • A financial institution – that is, a bank or credit union – as defined in Regulation E, 12 CFR 1005.2(i), excluding those with less than $850 million in assets.
  • A card issuer as defined in Regulation Z, 12 CFR 1026.2(a)(7), including buy now/pay later providers.
  • Any other person that “controls or possesses information concerning a covered consumer financial product or service that the consumer obtained” from that person, including providers offering payment facilitation products and services such as digital-wallet providers.

What is “covered data”?

The rule defines “covered data” as essential consumer financial information, including:

  • At least 24 months of transaction information in the control or possession of the data provider.
  • Account balance information.
  • Information to initiate payment to or from a Regulation E account directly or indirectly held by the data provider, including an account and routing number that can be used to initiate an Automated Clearing House transaction.
  • Terms and conditions, or agreements evidencing the terms of the legal obligation between a data provider and a consumer for a covered consumer financial product or service, including pricing information such as APRs and other pricing terms.
  • Upcoming bill payment information.
  • Basic information needed for account verification, limited to name, address, email address, and phone number associated with the covered consumer financial product or service.

Data providers will not have to provide confidential commercial information, including proprietary algorithms that might be used to derive credit or risk scores, or information that is used solely for the purpose of detecting fraud, money laundering, or other unlawful behavior.

Who is an “authorized third party”?

Fintech apps and data aggregators that offer services to consumers using their data are included as third parties. Authorized sharing with these entities must be based on informed consent that is to be renewed annually.

  • A “third party” means any person that is not the consumer about whom the covered data pertains or the data provider that controls or possesses the consumer’s covered data.
  • To access a consumer’s data, the third party must (1) provide the consumer with an authorization disclosure containing key terms of the data access; (2) provide a statement to the consumer in the authorization disclosure certifying that the third party agrees to obligations set forth in the final rule; and (3) obtain the consumer’s express informed consent to access covered data on behalf of the consumer by obtaining an authorization disclosure that is signed by the consumer electronically or in writing.
  • Third parties are limited in the collection, use, and retention of covered data to what is “reasonably necessary” to provide a product or service to a consumer. Use of the data for targeted advertising or cross-selling of other products or services, and the sale of covered data, are prohibited.

Stakeholder Perspectives and Compliance Considerations

Reactions to the final rule have been split. Consumer advocates have voiced support for the rule and the empowerment of consumers to control how and where their data can be used, as well as the ability to switch banks more easily. Just hours after the final rule was released, however, the Bank Policy Institute, the Kentucky Bankers Association, and Forcht Bank, a community bank in Kentucky, filed a joint lawsuit in the Eastern District of Kentucky requesting injunctive relief. The plaintiffs allege that the CFPB overstepped its statutory authority (in that Section 1033 relates to a consumer’s right to access their own information and does not speak to access by authorized third parties) and will expose banks to unreasonable liability risk. Forcing banks to share customers’ sensitive financial information while handcuffing banks from managing the risks of doing so, they allege, will increase fraud and the misuse of customer data.

Some of this concern stems from the allocation of responsibility for data security and accountability in the rule. It allows data providers to deny access to data, but only if the denial is (1) directly related to a specific risk of which the data provider is aware, such as a failure of a third party to maintain adequate data security; and (2) applied in a consistent and nondiscriminatory manner. Data providers must keep a record of each refusal of a consumer or third-party request. In the event of a security breach, data providers must notify affected consumers and the CFPB promptly. Notably, the rule requires data providers to verify that third parties uphold data privacy and security standards, but it places limited regulatory obligations on third parties themselves, leaving accountability for data security largely with the data providers. Data providers argue that the rule essentially forces them to subsidize third-party access to consumer data without sharing the cost burden.

During the rule’s comment period, a range of commenters raised concerns about potential overlaps and compliance complexities with other existing consumer financial laws, and the CFPB has attempted to address those issues in the final rule. Many comments focused on the need for clarity on how the rule interacts with laws such as the Electronic Fund Transfer Act (EFTA), Fair Credit Reporting Act (FCRA), and Gramm–Leach–Bliley Act (GLBA).

  • In comments before the final rule, data providers requested that the CFPB extend the Regulation E error resolution requirements to third parties such as data aggregators. The CFPB reasoned, however, that consumers should address these concerns with their primary financial institution, in line with statutory error resolution rights under the EFTA. Furthermore, data providers and third parties that are Regulation E financial institutions will continue to have error resolution obligations in the event of data breaches.
  • During the comment period for the final rule, there was concern that it would expand FCRA compliance obligations. In the final rule, the CFPB clarified that data providers sharing information at the consumer’s request “does not cause data aggregators to incur legal liability under the FCRA that they would not otherwise assume through their ordinary operations” and would not “alter the types of data, parties, or permissible purposes covered by the FCRA.”
  • Some commenters asked how the rule’s data limitations align with GLBA permissions. The CFPB states that Section 1033’s data sharing requirements coexist with GLBA but do not override or replace its mandates, maintaining distinct protections under each law.

Compliance Tiers and Timeline

The rule provides compliance deadlines that are staggered based on institution size:

  • First Tier: Depository institution data providers that hold at least $250 billion in total assets and nondepository institution data providers that generated at least $10 billion in total receipts in either calendar year 2023 or calendar year 2024 must comply by April 1, 2026.
  • Second Tier: Depository institution data providers that hold at least $10 billion in total assets but less than $250 billion in total assets and nondepository institution data providers that generated less than $10 billion in total receipts in both calendar year 2023 and calendar year 2024 must comply by April 1, 2027.
  • Third Tier: Depository institution data providers that hold at least $3 billion in total assets but less than $10 billion in total assets must comply by April 1, 2028.
  • Fourth Tier: Depository institution data providers that hold at least $1.5 billion in total assets but less than $3 billion in total assets must comply by April 1, 2029.
  • Fifth Tier: Depository institution data providers that hold less than $1.5 billion in total assets but more than $850 million in total assets must comply by April 1, 2030.

Conclusion: Prioritizing Readiness

The CFPB’s Section 1033 rule represents a transformative shift in the U.S. financial regulatory landscape, centering consumer control over data rights and driving the industry to an open banking model. Fintech advocates view it as an essential step towards consumer empowerment, while banks and credit unions warn of risks to data security and have liability concerns. Even as the CFPB begins assessing applications for standard-setting bodies, legal and compliance teams from institutions and fintech companies alike should begin to look ahead, with a focus on data security, potential contractual updates with third parties, and regulatory alignment.


Originally published November 22, 2024.
