On October 22, 2024, the Consumer Financial Protection Bureau (CFPB) finalized the Personal Financial Data Rights Rule [1] to provide consumers with increased transparency and autonomy over their financial data. The CFPB’s new rule covers entities defined as data providers—generally, entities that control or process information concerning a consumer financial product or service, including banks, credit unions, card issuers, and digital wallet providers. The rule mandates that covered entities provide consumers and their authorized third parties with electronic access to personal financial information upon request. CFPB Director Rohit Chopra expressed, “Too many Americans are stuck with financial products with inadequate rates and service,” and “Today’s action will give people more power to secure better rates and services regarding bank accounts, credit cards, and more.” The earliest compliance deadline is April 1, 2026, which applies to large, covered entities, while the rule sets forth later compliance deadlines for smaller covered entities.
Consumer Data Access and Third-Party Authorization
Under this rule, covered entities must make “covered data” available electronically to consumers for free upon the consumer's request. Covered data includes account balances, 24 months of transaction histories, bill schedules, and contact information. Consumers may also authorize a third party (e.g., a prospective financial service provider) to collect their financial data from their current financial service provider. For example, the rule would require a consumer’s current financial service provider to deliver the requested data to the consumer’s prospective financial service provider. This process enables consumers to shop the financial market competitively for products and services, such as higher deposit rates, lower interest rate offerings, and expanded access to credit by enabling new lenders to offer loans relying on the covered data.
Data Protection
The CFPB aims to prevent unauthorized data usage through restrictions provided in the rule. Following the lead of state privacy laws, the rule provides that authorized third parties may collect, use, and retain covered data only as “reasonably necessary to provide the consumer’s requested product or service.” Notably, the rule prohibits using covered data for targeted advertising or for cross-selling other products or services, and it prohibits the sale of covered data. Consumers may also review which authorized third parties have access to their data and revoke that access at any time. Upon revocation, authorized third parties must end access to covered data immediately and delete any retained covered data.
To further protect consumers, the rule requires covered entities to implement an information security program to safeguard the interfaces used to transfer the covered data to consumers and authorized third parties. For data providers that are financial institutions, this program must satisfy the applicable regulations promulgated under the Gramm-Leach-Bliley Act. For data providers that are not subject to the Gramm-Leach-Bliley Act, this program must satisfy the requirements of the Federal Trade Commission’s Standards for Safeguarding Customer Information. Additionally, the rule limits the duration of data collection to one year, at which point consumers must reauthorize access, helping to ensure that personal information is kept up-to-date and securely managed. If a consumer revokes authorization or decides not to reauthorize data sharing, third parties must stop using or retaining previously accessed data unless it is essential to fulfill the original service request. Furthermore, the rule provides a record retention obligation for covered entities, which includes a three-year retention period for records that evidence a covered entity’s response to a consumer’s or third party’s request for information or access.
Enhanced Transparency and Interfaces
Under the rule, covered entities must develop and maintain a “consumer interface” and a “developer interface” to receive and respond to requests for covered data. Consumer interfaces enable individuals to access their financial data directly, while developer interfaces enable third-party applications to easily integrate and request data on behalf of consumers. According to the rule, these interfaces must be secure, standardized, and user-friendly. Covered entities must provide the covered data in a machine-readable format that can be retained and transferred into a separate information system of the consumer or the consumer’s authorized third party. This will allow a consumer, for example, to log into the consumer interface provided by bank 1 and request that bank 1 provide bank 2 with access to the consumer’s covered data so that the consumer may receive bank 2’s quote for a particular financial product or service. In this example, bank 1 must then transmit the covered data to bank 2 via the developer interface. A consumer may also use the consumer interface to download the consumer’s covered data to review and scrutinize the consumer’s finances. Notably, the rule has a 99.5 percent uptime requirement for the covered entities’ interfaces, and covered entities are obligated to disclose their actual uptime percentages.
Looking Forward: IT Development and Implementation for Compliance
The CFPB’s rule aims to create an open, consumer-focused financial ecosystem by standardizing financial data access and establishing transparency protocols. Financial service providers and other covered entities should begin planning for compliance now. For most entities, compliance will involve establishing new privacy protocols and security controls, developing and implementing new information technology solutions, and updating their written information security programs. Although compliance may require a commitment of considerable resources, the CFPB expects that this rule will encourage competition, reduce costs, and improve services throughout the financial industry.
The rule’s compliance deadline depends on the size of the covered entity. The largest entities will be required to comply by April 1, 2026, and smaller entities will have until April 1, 2030, to comply.
For more information about the CFPB’s Personal Financial Data Rights Rule and compliance guidance, please contact Renato Smith-Bornfreedom, Data Security & Technology Practice Area co-chair, at rsmith@barclaydamon.com; Celine Dorsainvil, associate, at cdorsainvil@barclaydamon.com; or another member of the firm’s Data Security & Technology Practice Area.
[1] 12 C.F.R. Parts 1001 and 1033 (2024).