The Consumer Financial Protection Bureau (CFPB) has finalized the much-anticipated Personal Financial Data Rights Rule, 12 CFR 1033, a sweeping regulation that will have profound implications for data providers in the financial sector, particularly as it relates to how consumer financial data must be shared and protected. For financial institutions, understanding these new requirements will be critical to compliance and minimizing regulatory risk.
Below are a few highlights, and the CFPB’s executive summary and the Final Rule and supplementary discussion provide more detail and additional areas that may be relevant for compliance and business planning.
It’s also worth noting that the new rule is currently facing a legal challenge, as two banking trade associations and a community bank have filed a lawsuit seeking to have the rule set aside in its entirety.
Who Must Comply?
The Final Rule applies primarily to data providers, which include financial institutions such as banks, credit unions, and card issuers, as well as other entities controlling or possessing consumer financial data, including digital wallet providers. Specifically, a “data provider” is a covered person under the Final Rule pursuant to the Consumer Financial Protection Act (as defined in 12 U.S.C. 5481(6)) that is also:
- A financial institution, as defined in Regulation E, 12 CFR 1005.2(i)
- A card issuer, as defined in Regulation Z, 12 CFR 1026.2(a)(7), or
- Any other person that controls or possesses information concerning a covered consumer financial product or service that the consumer obtained from that person
Smaller depository institutions that fall below the Small Business Administration (SBA) asset threshold (currently $850 million) are exempt, giving some relief to small community banks and credit unions.
However, larger institutions must prepare for phased compliance, with the first deadline coming as soon as April 1, 2026, for the largest banks and nonbank financial companies.
What Data Must Be Shared?
The rule mandates that covered entities provide consumers—and their authorized third parties—access to specific covered data, which includes:
- Transaction and account balance information (up to 24 months)
- Terms and conditions of the financial product or service
- Payment initiation information (e.g., account numbers)
However, a data provider is not required to make the following available:
- Confidential commercial information
- Information collected by the data provider for the sole purpose of preventing fraud or money laundering, or detecting or making any report regarding other unlawful or potentially unlawful conduct
- Information required to be kept confidential by any other provision of law, or
- Any information that the data provider cannot retrieve in the ordinary course of its business with respect to that information
Consumers can request this data to be shared electronically in a format that is usable and accessible, which in the view of the CFPB opens the door for greater competition and consumer choice in financial services.
Denial of Access: When Is It Permissible?
While the CFPB expects data providers to share consumer data on request, it recognizes the need for safeguards against risks like fraud and unauthorized access. The rule permits data providers to deny data access requests under certain conditions, such as when fulfilling a request would conflict with the institution's safety, soundness, or information security obligations. But denials must be based on clear, consistent, and non-discriminatory policies, and the rule encourages alignment with consensus standards for risk management.
Key Dates and Compliance Milestones
The Final Rule takes effect 60 days from publication in the Federal Register. The compliance timeline for financial institutions is phased, based on asset size or total receipts for nonbank institutions.
Source: CFPB, Executive Summary of the Personal Financial Data Rights Rule (Oct. 22, 2024), available at https://files.consumerfinance.gov/f/documents/cfpb_executive-summary-of-the-personal-financial-rights-rule__2024-10.pdf (last visited Oct. 22, 2024).
While the largest depository institutions must comply by April 2026, smaller institutions have until April 2030, with specific thresholds detailed in the rule. Depository institutions must use the average of their call reports from Q3 2023 through Q2 2024 to determine their compliance date. If such a depository institution subsequently holds total assets (based on an average of its four preceding quarterly call report data submissions) that exceed that Small Business Administration size standard, it must comply with the final rule within a reasonable amount of time after exceeding the size standard. A reasonable amount of time shall not exceed five years.
Practical Takeaways for Financial Institutions
- Prepare for phased compliance: Financial institutions should begin assessing their data systems and capabilities to ensure they can respond to consumer data access requests in the mandated format. Early preparation is key to meeting the April 2026 compliance deadline, or whichever later deadline applies to the institution.
- Update policies and procedures: Institutions must have written policies and procedures that ensure accurate data sharing, track when exceptions apply, and maintain robust records to demonstrate compliance.
- Ensure third-party compliance: When sharing data with authorized third parties, data providers must ensure those third parties comply with security and privacy requirements under the rule.
- Legal Challenge(s) to the Final Rule: Stay tuned to developments in legal challenges to the Final Rule that could result in a court declaring the rule was developed outside of the CFPB’s statutory authority, with the rule being set aside, or other outcomes, at some point before the initial compliance deadlines (or later).
* * * * * *
The Final Rule implements the Consumer Financial Protection Act (CFPA) Section 1033(a) and (b), which provides that, subject to rules prescribed by the CFPB, a covered person shall make available to a consumer, upon request, information in the control or possession of the covered person concerning the consumer financial product or service that the consumer obtained from such covered person, subject to certain exceptions. The information must be made available in an electronic form usable by consumers. In addition, in the CFPA Congress mandated in Section 1033(d) that the CFPB prescribe standards to promote the development and use of standardized formats for data made available under Section 1033.
The Personal Financial Data Rights Rule represents a significant shift toward greater transparency and consumer empowerment in financial services. Institutions subject to the rule have an opportunity to take a proactive approach to compliance and position themselves to mitigate regulatory risks.