League InfoSight Highlight: Personal Financial Data Rights Rule is FINAL

By Glory LeDu, CEO, League InfoSight & CU Risk Intelligence

We’ve been anxiously awaiting the arrival of this rule, and we knew it would be a doozy! While the exemption may not be broad enough, the final rule does exempt credit unions with assets “at or below the specified Small Business Administration size standard,” which is currently set at $850 million.

The final rule applies to covered “data providers” that control or possess covered data concerning a covered financial product or service obtained by the consumer from the provider (credit union). A “covered consumer financial product or service” is one or more of the following:

• An account for purposes of Regulation E;
• A credit card for purposes of Regulation Z; or
• The facilitation of payments from a Regulation E or Regulation Z credit card, excluding products or services that merely facilitate first party payments.

The final rule requires the credit union to make certain data available to both a consumer and a third party (upon request) in an electronic form. That would include:

• Transaction information
• Account balance information
• Terms and conditions (account opening agreement, amendments, pricing information, etc.)
• Upcoming bill payment information
• Basic account verification information

The final rule also requires credit unions to have the capacity to receive requests electronically and provide the data in electronic form in response to consumer and third-party requests but does not require any particular type of technology. Access can only be granted once the credit union receives enough information to authenticate the identity of the consumer and the scope of the data requested. For third-party access, the authentication needs to include the consumer’s identity, documentation confirming the third party’s access to the covered data, authentication of the third party’s identity, and documentation that the third party has followed the authorization procedures set forth in the final rule and has identified the scope of the data requested.

The final rule requires that the credit union maintain written policies and procedures to comply with the final rule and requirements. As we get closer to the effective date, League InfoSight resources will be created and made available to help credit unions comply with these requirements.

Compliance dates for this final rule is dependent upon on asset size:

• Credit unions between $850 million and $1.5 billion: April 1, 2030
• Credit unions between $1.5 billion and $3 billion: April 1, 2029
• Credit unions between $3 billion and $10 billion: April 1, 2028
• Credit unions over $10 billion in assets, but less than $250 billion: April 1, 2027

Credit unions are encouraged to review the available resources, including:

• CFPB Executive Summary
• CFPB Final Rule – Personal Financial Data Right