
Decoding the CFPB’s Personal Financial Data Final Rule

Posted: Oct 23, 2024 | Author: Karen Baker, Compliance Specialist, Cornerstone League

On Oct. 22, the Consumer Financial Protection Bureau issued a final rule implementing the personal financial data rights established by the Consumer Financial Protection Act of 2010 (Title X of the Dodd-Frank Act). The final rule requires banks, credit unions, and other financial service providers to:

  • make consumers’ data available upon request to consumers and authorized third parties in a secure and reliable manner;
  • define obligations for third parties accessing consumers’ data, including important privacy protections; and
  • promote fair, open, and inclusive industry standards. 

The rule is designed to allow consumers to switch more easily to providers that they perceive to offer better rates and services. The CFPB expects that fueling competition and consumer choice will help lower loan prices and improve customer service across the payments, credit, and banking markets.

A depository institution that holds total assets at or below the applicable Small Business Administration size standard (currently $850 million) is not required to comply with the final rule for as long as its assets remain at or below that standard.

A data provider, including financial institutions, must make available to a consumer or authorized third party, upon request, “covered data” in the data provider’s control or possession concerning a “covered consumer financial product or service” that the consumer obtained from the data provider. 

“Covered consumer financial products and services” are 1) an account for purposes of Regulation E, 2) a credit card for purposes of Regulation Z, or 3) the facilitation of payments from a Regulation E account or Regulation Z credit card, excluding products or services that merely facilitate first-party payments. 

Pursuant to the final rule, “covered data” is:

  • Transaction information
  • Account balance information
  • Information to initiate payment to or from a Regulation E account
  • Terms and conditions
  • Upcoming bill payment information
  • Basic account verification information

A data provider will receive requests in electronic form from consumers and authorized third parties and is required to make covered data available electronically. The rule sets various requirements for how a data provider must be able to receive and honor such requests, but it does not mandate a particular technology.

A third party must provide a statement to a consumer certifying that it will satisfy certain obligations. The duration of data collection pursuant to a given authorization is limited to a maximum of one year. To continue collection, the third party must obtain a new authorization. The authorization can be revoked by the consumer at any time. 

A data provider is required to make covered data available to a consumer when it receives sufficient information to authenticate the consumer's identity and identify the scope of the data requested. 

A data provider is required to make covered data available to a third party when it receives information sufficient to authenticate the identity of the consumer who authorized the third party to access covered data, authenticate the third party's identity, document that the third party has followed the authorization procedures, and identify the scope of the data requested. The data provider may confirm the scope of a third party's authorization by asking the consumer to confirm the account(s) the third party may access and the categories of covered data the third party may collect. A data provider may also provide a reasonable method for a consumer to revoke a third party's authorization.

The final rule prohibits a data provider from imposing any fees or charges on a consumer or an authorized third party in connection with receiving electronic requests or making covered data available.

A data provider is required to make certain information readily identifiable to members of the public and available in both human- and machine-readable formats. This information includes the data provider's legal name, any assumed name, a link to its website, its Legal Entity Identifier (LEI), contact information, and documentation sufficient for a third party to electronically access covered data. Additionally, each month, a data provider must disclose to the public certain information about its data interface's response rate to authorized third parties' requests for covered data during the previous calendar month.

Written policies and procedures that are reasonably designed to achieve the objectives set forth in the final rule are required. 

The final rule is effective 60 days after publication in the Federal Register; however, compliance is not required at that time. A depository institution data provider must determine which compliance date applies to it based on its total assets. Compliance dates are phased in, with larger providers subject to the rule sooner than smaller providers: the largest institutions must comply by April 1, 2026, while the smallest covered institutions have until April 1, 2030.

Questions?
Contact Information Central at [email protected]

For more information, see the CFPB’s Personal Financial Data Rights webpage, which includes a link to the final rule, official interpretations, and an executive summary.
