/>iOn October 22, the CFPB announced the finalization of its Personal Financial Data Rights Rule under Section 1033 of the Dodd-Frank Act. The rule aims to bring the U.S. closer to an “open banking” framework by making it easier for consumers to switch between financial institutions.
The final rule broadens the scope of coverage from the proposed version to include consumer data not only from bank accounts and credit cards but also from mobile wallets and payment apps. It mandates that covered financial institutions develop APIs that enable consumers to access their data and share it with authorized third parties. Additionally, the rule enforces strict limits on third-party data use and requires an easy, clear process for consumers to revoke third-party access to their data.
The rule designates entities holding covered consumer data as “data providers” and requires them to make specific data elements accessible to consumers and certain third parties. Per the rule, data providers are:
- Financial institutions as defined in Regulation E, 12 C.F.R. § 1005.2(i);
- Card issuers as defined under Regulation Z, 12 C.F.R. § 1026.2(a)(7); and,
- Any other entity controlling or possessing information on a consumer financial product or service obtained by the consumer.
Data providers must make the following covered data available: (i) transaction details; (ii) account balances; (iii) information for initiating payments to or from a Regulation E account; (iv) available terms and conditions; (v) upcoming bill details; and (vi) basic account verification information, such as name, address, email, phone number, and, if applicable, account identifier.
The rule requires data providers to authenticate consumers before sharing requested information and honor data requests from third parties as authorized by the consumer. They must also offer a way for consumers to revoke third-party data access and keep records of any denied data requests. Data providers need written policies to ensure compliance and must retain records for three years. While data providers can use vendors to meet compliance tasks, they cannot transfer their legal responsibilities to them. The CFPB also clarified that the rule does not alter existing liability provisions under EFTA and TILA for unauthorized transactions.
By the compliance deadline, data providers must implement developer and consumer interfaces for data access, with developer interfaces required to provide machine-readable data formats for authorized third parties. The rule will take effect 60 days after its publication in the Federal Register, with phased compliance dates from 2026 to 2030, depending on the size of the financial institution.
Putting It Into Practice: The finalized rule is the culmination of several years of work (see our previous post on this rulemaking here, here, and here) in the area of consumer data rights. However, as quickly as the rule was released, it was promptly challenged under the Administrative Procedures Act by trade groups in the Sixth Circuit. With compliance dates on the horizon, we will keep you apprised of the challenge and how it impacts its implementation.
