CFPB finalizes Personal Financial Data Rights Rule
On Tuesday, the Consumer Financial Protection Bureau (CFPB) finalized a rule the regulator said will give consumers greater rights, privacy, and security over their personal financial data.
The bureau said the Personal Financial Data Rights Rule requires financial institutions, credit card issuers and other financial providers to “unlock” an individual’s personal financial data and transfer it to another provider at the consumer’s request for free.
The CFPB said that, as a result, consumers will be able to more easily switch to providers with superior rates and services. By fueling competition and consumer choice, the rule will help lower prices on loans and improve customer service across payments, credit and banking markets.
Officials explained the new rule ensures consumers will be able to access and share data associated with bank accounts, credit cards, mobile wallets, payment apps and other financial products.
They said the rule aims to address market concentration that limits consumer choice over financial products and services. Consumers will be able to access, or authorize a third party to access, data such as transaction information, account balance information, information needed to initiate payments, upcoming bill information and basic account verification information.
“Financial providers must make this information available without charging fees,” the CFPB said in a news release.
“The rule moves the United States closer to having a competitive, safe, secure, and reliable ‘open banking’ system,” the bureau continued. “It also helps move the industry away from ‘screen scraping,’ a still common but risky practice that typically involves consumers providing their account passwords to third parties who use them to access data indiscriminately through online banking portals.”
In giving consumers more control over their financial data, officials said the Personal Financial Data Rights Rule will spur greater choice and increase competition by enabling people to:
—Fire fintechs and banks that provide “lousy” service: Consumers will be able to transfer their bank data to another bank, ensuring consumers can keep much of their banking history as they switch to another financial institution. People will not have to pay fees or clear hurdles from companies that make it harder to switch providers.
—Shop for better rates on products and credit: Consumers will be able to comparison shop and move to a competitor offering better rates, such as higher interest on deposits or lower interest on loans. It can also help people — including consumers with shorter credit histories, like young people — gain access to credit or obtain credit on better terms, by allowing finance companies and other lenders to make loans and credit available by using data held by other institutions, such as information on income and expenses.
—Make secure payments, including with pay-by-bank: The rule ensures consumers are able to securely share payments information, which can help enable what is sometimes referred to as pay-by-bank. Such products enable consumers to pay merchants, peers, and others, as well as move money between their own accounts. The rule will help bring greater competition to payments markets, which have long been an area of anti-competitive practices.
Furthermore, the CFPB said this final rule strengthens protections for consumers’ data by:
—Banning “bait-and-switch” data harvesting: Third parties can only collect, use, or retain data to deliver the product the consumer requested. The bureau said they cannot secretly collect, use, or retain consumers’ data for their own unrelated business reasons — for example, by offering consumers a loan using consumer data that they also use for targeted advertising. The rule does not prohibit any particular uses of data, but it requires that all use be driven by what is necessary to deliver the product sought by the consumer.
—Creating revocation and deletion rights: When a person revokes access, the rule requires that data access end immediately, and deletion would be the default practice. Access can be maintained for no more than one year, absent express reauthorization. To prevent “dark patterns” from emerging, the process to revoke access must be simple and straightforward.
The bureau indicated compliance with the rule will be implemented in phases, with larger providers subject to the rule sooner than smaller ones.
Officials explained financial firms will be required to comply based on their size; the largest institutions will have to comply by April 1, 2026, while the smallest covered institutions will have until April 1, 2030.
Certain small banks and credit unions are not subject to this rule, according to the CFPB.
“Too many Americans are stuck in financial products with lousy rates and service,” CFPB director Rohit Chopra said in the news release. “Today’s action will give people more power to get better rates and service on bank accounts, credit cards, and more.”
The entire rule can be viewed here.