CFPB Finalizes Personal Financial Data Rights Rule to Boost Competition, Protect Privacy, and Give Families More Choice in Financial Services
Rule will help lower prices on loans and empower people to more easily fire financial companies that provide bad service
Today, the Consumer Financial Protection Bureau (CFPB) finalized a rule that will give consumers greater rights, privacy, and security over their personal financial data. The rule requires financial institutions, credit card issuers, and other financial providers to unlock an individual’s personal financial data and transfer it to another provider at the consumer’s request for free. Consumers will be able to more easily switch to providers with superior rates and services. By fueling competition and consumer choice, the rule will help lower prices on loans and improve customer service across payments, credit, and banking markets.
For more information, read DCUC Expresses Strong Opposition to CFPB's Rule, Section 1033, Citing Risks to Credit Unions and Their Members
“Too many Americans are stuck in financial products with lousy rates and service,” said CFPB Director Rohit Chopra. “Today’s action will give people more power to get better rates and service on bank accounts, credit cards, and more.”
Today’s rule ensures consumers will be able to access and share data associated with bank accounts, credit cards, mobile wallets, payment apps, and other financial products. It aims to address market concentration that limits consumer choice over financial products and services. Consumers will be able to access, or authorize a third party to access, data such as transaction information, account balance information, information needed to initiate payments, upcoming bill information, and basic account verification information. Financial providers must make this information available without charging fees.
America’s Credit Unions President/CEO Jim Nussle released this statement following the rule:
“From a few lines of text concerning consumer data portability in Dodd-Frank, the CFPB has spun a weighty rule intended to reengineer financial sector competition. The rule demands that credit unions share, at no cost, information with fintechs and other third parties who receive permission from consumers. In doing so, the CFPB reduces one of the most valuable assets of a financial institution, its data, to a commodity, which will likely put even greater competitive pressure on credit unions to merge. While we appreciate the CFPB’s willingness to exclude the smallest credit unions from the scope of the final rule, consistent with our request for greater relief, our concerns related to risk management, downstream fraud, and the ability to defray the cost of maintaining APIs without charging fees remain present. This rulemaking reinforces the need for CFPB reforms to ensure accountability and oversight – the bureau stepped far outside the lines made by Congress that will ultimately jeopardize consumers’ access to safe financial institutions like credit unions.” – Jim Nussle, President/CEO, America’s Credit Unions
The rule moves the United States closer to having a competitive, safe, secure, and reliable “open banking” system. Today’s rule is part of the CFPB’s efforts to finally activate Section 1033 of the Consumer Financial Protection Act, a dormant legal authority enacted by Congress in 2010. This is the CFPB’s first significant rule to accelerate responsible open banking in the U.S., and the CFPB will be developing additional rules to address more products, services, and use cases. The rules will boost competition by giving people more freedom to switch banks or providers and shop around for the best deal. This increased choice will incentivize financial institutions to offer improved products that help them attract new customers and retain old customers.
Today’s rule also establishes strong privacy protections, requiring that personal financial data can only be used for the purposes requested by the consumer. It ensures that third parties cannot use consumer data for other purposes that benefit the third party, but that consumers do not want. It also helps move the industry away from “screen scraping,” a still-common but risky practice that typically involves consumers providing their account passwords to third parties who use them to access data indiscriminately through online banking portals.
In giving consumers more control over their financial data, the Personal Financial Data Rights final rule will spur greater choice and increase competition by enabling people to:
Fire fintechs and banks that provide lousy service: Consumers will be able to transfer their bank data to another bank, ensuring consumers can keep much of their banking history as they switch to another financial institution. People will not have to pay fees or clear hurdles from companies that make it harder to switch providers.
Shop for better rates on products and credit: Consumers will be able to comparison shop and move to a competitor offering better rates, such as higher interest on deposits or lower interest on loans. It can also help people—including consumers with shorter credit histories, like young people—gain access to credit or obtain credit on better terms, by allowing lenders to make loans using data held by other institutions, such as information on income and expenses.
Make secure payments, including with “pay-by-bank”: The rule ensures consumers are able to securely share payments information, which can help enable what is sometimes referred to as pay-by-bank. Such products enable consumers to pay merchants, peers, and others, as well as move money between their own accounts. The rule will help bring greater competition to payments markets, which have long been an area of anti-competitive practices.
The final rule strengthens protections for consumers’ data by:
Banning bait-and-switch data harvesting: Third parties can only collect, use, or retain data to deliver the product the consumer requested. They cannot secretly collect, use, or retain consumers’ data for their own unrelated business reasons – for example, by offering consumers a loan using consumer data that they also use for targeted advertising. The rule does not prohibit any particular uses of data, but it requires that all use be driven by what is necessary to deliver the product sought by the consumer.
Creating revocation and deletion rights: When a person revokes access, the rule requires that data access end immediately, and deletion would be the default practice. Access can be maintained for no more than one year, absent express reauthorization. To prevent “dark patterns” from emerging, the process to revoke access must be simple and straightforward.
Compliance with the rule will be implemented in phases, with larger providers subject to the rule sooner than smaller ones. Financial firms will be required to comply based on their size; the largest institutions will have to comply by April 1, 2026, while the smallest covered institutions will have until April 1, 2030. Certain small banks and credit unions are not subject to this rule.
In June, the CFPB finalized a rule outlining the qualifications to become a recognized industry standard-setting body, which can issue standards that companies can use to help them comply with the CFPB’s Personal Financial Data Rights Rule.
Read the regulatory text of the final Personal Financial Data Rights rule.
Read the notice of the final Personal Financial Data Rights rule.