Yesterday, the Consumer Financial Protection Bureau (CFPB or Bureau) issued its final rule on personal financial data rights, purportedly aimed at enhancing consumer control over their financial data and promoting competition in the financial services industry. According to the Bureau’s press release, “[t]he rule requires financial institutions, credit card issuers, and other financial providers to unlock an individual’s personal financial data and transfer it to another provider at the consumer’s request for free… help[ing] lower prices on loans and improve customer service across payments, credit, and banking markets.” Later that same day, a complaint was filed challenging the Bureau’s authority.

Last year, we discussed the CFPB’s notice of proposed rulemaking under Section 1033 of the Consumer Financial Protection Act of 2010. The proposed rule aimed to require depository and nondepository entities to make available to consumers and authorized third parties certain data relating to consumers’ accounts. It also sought to establish obligations for third parties accessing a consumer’s data and provide basic standards for data access.

Under the final rule, consumers will have the right to:

  • Access their financial data and authorize third parties to access this data on their behalf.
  • Revoke access to their data immediately, ensuring that third parties cease data collection and use upon revocation.
  • Benefit from standardized and machine-readable data formats, promoting consistency and reliability in data transmission.

According to the CFPB, these provisions allow consumers to switch financial service providers more easily and take advantage of better products and services. However, the increased regulatory requirements may lead to higher costs for financial institutions, which could be passed on to consumers in the form of higher fees or reduced service offerings.

Key Expansions in the Final Rule:

The final rule includes several notable additions:

  • Extended Compliance Deadlines: The CFPB has delayed the timeline for compliance by 10 months and provided a tiered compliance schedule, giving larger financial technology companies until April 1, 2026 to comply, while the smallest entities have until April 1, 2030. Additionally, depository institutions with assets of $850 million or less are exempt from the rule’s requirements, while nondepository entities of all sizes must comply. According to the CFPB, this phased approach allows for a smoother transition and gives companies adequate time to implement the necessary changes.
  • Data Access and Use: The final rule provides third parties with limited ability to engage in secondary uses of consumer-permissioned data, such as to improve the consumer-requested product or service or for fraud detection and prevention. However, entities are prohibited from maintaining access to consumer data for more than one year without express reauthorization.

Liability and Third-Party Risk Management:

One of the main topics discussed in the public comments submitted on the proposed rule was the allocation of liability concerning third-party risk management and information security. In the final rule, the CFPB decided it would not be appropriate for the rule to impose a comprehensive approach to assigning liability among commercial entities or safe harbors from the requirements of the Electronic Fund Transfer Act (EFTA) and Regulation E or the Truth in Lending Act and Regulation Z. “Although this rule facilitates sharing of payment initiation information with third parties so that they can initiate electronic payments, the rule does not require account write access or otherwise require payment initiation. Applicable payment authorization requirements continue to separately apply. As noted in the proposal, consumers have a statutory right under EFTA to resolve errors through their financial institution, while private network rules, contracts, and other laws address which payment market participant is ultimately liable for unauthorized transfers and other payment errors.”

The final rule does require third parties to limit their collection, use, and retention of consumer data to what is reasonably necessary to provide the requested product or service. They must also implement robust information security programs that comply with the Gramm-Leach-Bliley Act Safeguards Rule.

Industry Reactions:

The final rule has thus far elicited mixed reactions from industry stakeholders. Data aggregators have reacted favorably, highlighting the rule’s potential to promote secure data transfers. However, traditional banking institutions have expressed concerns about the rule’s impact on data security and the potential for increased regulatory burdens.

Notably, the same day the final rule was released, Forcht Bank, N.A., Kentucky Bankers Association, and Bank Policy Institute filed a complaint for declaratory and injunctive relief asserting that the CFPB overstepped its statutory authority and finalized a rule that “jeopardizes consumers’ privacy, financial data, and account security.” Specifically, the lawsuit alleges that the final rule: requires no oversight of third parties using bank customer data; increases the likelihood of fraud and scams by failing to address weak safeguarding practices; allows screen scraping and other “unsafe practices” to persist; fails to hold third parties accountable; allows third parties to profit from systems built and maintained by banks; and imposes an unreasonable implementation timeline.

Next Steps:

Banks, credit unions, and other financial service providers should be assessing to what extent they must comply as data providers under the final rule. Similarly, other entities should be assessing to what extent there may be opportunities to access the financial data that will soon become available to the marketplace and, if appropriate, begin implementing the internal processes that will be necessary to obtain consumer authorization as authorized third parties while implementing appropriate protections for such financial data. Each of these parties should also be preparing to conform any such compliance processes with any forthcoming data standards once the CFPB recognizes a standard-setting body.