
CFPB finalizes Personal Financial Data Rights under Section 1033

October 25, 2024

On October 22, the CFPB issued a final rule on personal financial data rights under 12 C.F.R. Part 1033, mandating that financial institutions, credit card issuers and other financial providers make covered data available to consumers and third parties in a standardized format. The rule would give consumers greater choice over their financial data, promote competition, and improve consumer financial management. As previously covered by InfoBytes, this rule relates to the set of rules the CFPB finalized in June to move the consumer finance industry towards “open banking” standards.

The CFPB’s final rule faced opposition during the comment period. Many data providers expressed concerns about the costs and burdens of compliance. They argued the rule would disadvantage smaller entities and questioned the CFPB’s authority to implement such extensive requirements. Conversely, consumer advocates and third parties generally supported the rule, emphasizing the benefits of increased data access and competition.

In general, the rule would establish a regulated mechanism for third parties to access consumer financial data. Subpart A defined the rule’s coverage, set tiered compliance dates, defined terms, and set criteria for recognized standard setters. Subpart B outlined data providers’ obligations, such as making covered data available to consumers or authorized third parties upon request. Subpart C required data providers to establish and maintain an interface for data requests, which must provide consumer data in a standardized, machine-readable format. The rule would also prohibit data providers from charging fees on these requests. Subpart D specified the obligations of third parties accessing covered data on behalf of consumers.

The final rule would apply to any “data provider” that controls or possesses covered data concerning a covered consumer financial product or service. Covered consumer financial product or service includes Regulation E accounts (demand deposit accounts, savings accounts, or other consumer asset accounts established primarily for personal, family or household purposes), Regulation Z credit cards (which may include BNPL providers), and the facilitation of payments from a Regulation E account or Regulation Z credit card (including a digital wallet provider), with some exceptions.

These data providers must make available consumers’ transaction information, account balance, payment information, terms and conditions, upcoming bill information, and basic account verification information via the specified interface. In addition, the rule would require third parties to obtain express information authorization, limit the use of consumer data, implement information security programs, and create a revocation mechanism. To address data privacy and security concerns, the rule would also establish a framework for recognizing standard-setting bodies that will create qualified industry standards for data transmission and security.

The compliance dates for the requirements in subparts B and C, which cover making certain types of data available and how that will happen, vary for different types of data providers. The deadlines range from April 1, 2026, to April 1, 2030, depend on the size and type of the institution, and are as follows:

  • April 1, 2026 — for depository institution data providers that hold at least $250 billion in total assets and nondepository institution data providers that generated at least $10 billion in total receipts in either calendar year 2023 or calendar year 2024.
  • April 1, 2027 — for data providers that are depository institutions that hold at least $10 billion in total assets but less than $250 billion in total assets or nondepository institutions that did not generate $10 billion or more in total receipts in both calendar year 2023 and calendar year 2024.
  • April 1, 2028 — for depository institution data providers that hold at least $3 billion in total assets but less than $10 billion in total assets.
  • April 1, 2029 — for depository institution data providers that hold at least $1.5 billion in total assets but less than $3 billion in total assets.
  • April 1, 2030 — for depository institution data providers that hold less than $1.5 billion in total assets but more than $850 million in total assets.
  • The rule will not apply to smaller depository institutions with total assets below $850 million.

The rule will become effective 60 days after its publication in the Federal Register.