CFPB Finalizes Personal Financial Data Rights Rule
On October 22, 2024, the Consumer Financial Protection Bureau (CFPB or the Bureau) issued a final rule to implement Section 1033 of the Consumer Financial Protection Act (CFPA), 12 U.S.C. § 5533, which requires covered financial institutions, known as “data providers” in the final rule, to provide consumers and their authorized third parties, upon request, access to their personal financial information in electronic form and in a standardized format. Adopted largely as proposed, the final rule also establishes criteria for designating a third party as “authorized” to receive financial information on behalf of a consumer, and imposes obligations on such third parties with respect to their collection, use, and retention of covered data. These concepts track privacy rights afforded to consumers under U.S. federal laws such as the Privacy Act of 1974 and the privacy regulations implementing the Health Insurance Portability and Accountability Act (HIPAA), as well as the rapidly growing number of U.S. state consumer-privacy laws, including the landmark California Consumer Privacy Act (CCPA). Notably, although some existing consumer privacy laws contemplate transferring personal data to third parties only at the consumer’s request, the final rule allows a third party that has obtained the consumer’s authorization to make the request itself.
As discussed in our November 2023 Advisory, the CFPB final rule is the latest in a series of agency actions aimed at shifting the financial services industry towards an “open banking” system. According to the adopting release accompanying the CFPB’s final rule, as of 2022, at least 100 million consumers have authorized a third party to access their account data for certain consumer financial products or services offered by a financial institution.
The CFPB’s rule has been pitched as a mechanism to level the playing field and enhance competition between banks and non-traditional financial institutions, but it has already provoked significant opposition from both banks and fintechs, which claim that the rule oversteps the Bureau’s authority and fails to address third-party risks.1 Additionally, as discussed in greater detail below, immediately upon publication of the final rule, industry trade associations filed a lawsuit seeking to enjoin the CFPB from implementing the regulation. While it is too early to determine whether and to what extent the industry’s resistance will affect the implementation of the final rule, large depository institutions must be prepared to move quickly to come into compliance before the first compliance date of April 1, 2026. And even companies that are not directly covered by the rule should be aware of its implications for their products and services.
Background
Section 1033 of the CFPA provides consumers the right to access certain of their account information in the control or possession of covered financial institutions, subject to rules prescribed by the CFPB. Pursuant to Section 1033, these rules must include a new set of standards to “promote the development and use of standardized formats for information, including through the use of machine readable files.”2 As described in further detail below, these standards aim to give consumers greater flexibility to choose among financial institutions, which in theory should result in more favorable service at a lower cost for consumers.
Consumers’ right of access under Section 1033 extends to “information relating to any transaction, series of transactions,” or to a consumer account more generally, such as account “costs, charges[,] and usage data.” However, Section 1033 exempts from that right of access several kinds of information, including the following:
- Any confidential commercial information, including an algorithm used to derive credit scores or other risk scores or predictors
- Any information collected by the covered person for the purpose of preventing fraud or money laundering, or detecting, or making any report regarding unlawful or potentially unlawful conduct
- Any information required to be kept confidential by any other provision of law
- Any information that the covered person cannot retrieve in the ordinary course of its business with respect to that information3
Entities and Products Covered by the Final Rule
To implement Section 1033 of the CFPA, the final rule requires a “data provider” to make “covered data” about “covered consumer financial products and services” available in electronic form to consumers and their “authorized third parties.” The final rule defines these terms as follows:
- Data Provider means a “covered person” under the CFPA (that is, an entity that engages in offering or providing a consumer financial product or service, or an affiliate of such an entity acting as a service provider) that is (1) a financial institution, as defined in Regulation E;4 (2) a card issuer, as defined in Regulation Z;5 or (3) any other person that controls or possesses information concerning a covered consumer financial product or service that the consumer obtained from that person, such as a digital wallet provider. The final rule exempts depository institutions that hold total assets equal to or less than the Small Business Administration (SBA) size standard for the data provider’s appropriate NAICS code, set forth in 13 C.F.R. § 121.201.
- Covered Data includes (a) transaction information, including historical transaction information in the control or possession of the data provider; (b) account balance information; (c) information to initiate payment to or from a Regulation E account directly or indirectly held by the data provider; (d) terms and conditions; (e) upcoming bill information; and (f) basic account verification information, limited to the name, address, email address, and phone number associated with the covered consumer financial product or service.
- Covered Consumer Financial Products and Services includes any “consumer financial product or service,” as defined by the CFPA, that is a Regulation E account,6 Regulation Z credit card,7 or a service constituting the facilitation of payments from a Regulation E account or Regulation Z credit card, excluding products or services that merely facilitate first party payments, such as transfers initiated by a payee or an agent acting on behalf of an underlying payee.
- Authorized Third Parties are parties that seek access to covered data from a data provider on behalf of a consumer in order to provide the consumer with a requested product or service. Authorized third parties must (a) provide the consumer with an authorization disclosure; (b) provide a statement to the consumer in the authorization disclosure, certifying that the third party agrees to obligations set forth in the final rule; and (c) obtain the consumer’s express informed consent to access covered data on behalf of the consumer by obtaining an authorization disclosure that is signed by the consumer.
Requirements of the Final Rule
The final rule requires data providers to establish and maintain a “consumer interface” and a “developer interface” through which the data provider receives requests for covered data related to a covered consumer financial product or service. The developer interface is the functionality through which a data provider receives requests from authorized third parties and makes covered data available to them; the consumer interface is the corresponding functionality for requests made by consumers themselves. This is not dissimilar to certain state consumer privacy laws such as the CCPA, which also contemplate self-service portals that allow consumers to access, view, and receive a portable copy of their personal information.
Furthermore, consistent with consumer privacy laws, both interfaces will need to provide covered data, upon request, in a machine-readable file that can be retained by a consumer or authorized third party and transferred into a separate information system. For the developer interface, the final rule additionally sets forth standardized format, performance (including a minimum response rate for requests), and security requirements, and it requires written policies and procedures reasonably designed to ensure, among other things, the proper retention of records. Notably, the final rule prohibits fees or charges for responding to consumer and authorized third party requests for access to “covered data” about “covered consumer financial products and services.”
The final rule also limits an authorized third party’s collection, use, and retention of covered data on behalf of a consumer “to what is reasonably necessary to provide the consumer’s requested product or service.” The rule specifically states that activities such as targeted advertising, cross-selling of other products or services, or the sale of covered data shall not be construed to be part of, or reasonably necessary to provide, a product or service. However, the rule does not limit or prevent third parties from seeking separate authorization for the use of covered data beyond what is permitted by the rule.
Subject to a consumer’s reauthorization, the final rule limits the duration of collection of covered data to one year following consumer authorization. If a consumer refuses to provide new authorization after a period of one year, or the consumer revokes authorization, then the third party may no longer (1) collect covered data or (2) use or retain any covered data that was previously collected under a consumer authorization, unless retention of that covered data remains reasonably necessary to provide the consumer’s requested product or service. These limitations appear designed to ensure consumer privacy protections and to mitigate the risk of future data security incidents involving shared data.
Compliance Dates
A data provider’s compliance date under the final rule is based on the provider’s total assets or total receipts, as applicable. For a depository institution data provider, total assets are determined by averaging the assets reported on its 2023 third quarter, 2023 fourth quarter, 2024 first quarter, and 2024 second quarter call report submissions. For a non-depository institution data provider, total receipts are calculated based on the SBA definition of receipts, which is set forth at 13 C.F.R. § 121.104(a).
In response to public comments, the final rule increases the number of compliance date tiers, redefines the types of depository institutions included in each compliance date tier, and extends the compliance deadlines for all tiers. The initial compliance dates for depository and non-depository institution data providers are as follows:
Compliance Date | Depository Institution (total assets, averaged over Q3 2023 through Q2 2024 call report submissions) | Nondepository Institution (total receipts)
--- | --- | ---
April 1, 2026 | At least $250 billion | At least $10 billion in calendar year 2023 or calendar year 2024
April 1, 2027 | At least $10 billion but less than $250 billion | Less than $10 billion in both calendar year 2023 and calendar year 2024
April 1, 2028 | At least $3 billion but less than $10 billion | Not applicable
April 1, 2029 | At least $1.5 billion but less than $3 billion | Not applicable
April 1, 2030 | More than $850 million but less than $1.5 billion | Not applicable
Source: Consumer Fin. Prot. Bureau, Executive Summary of the Personal Financial Data Rights Rule (Oct. 22, 2024)
Litigation in Response to the Final Rule
Shortly after the announcement of the final rule, a depository institution and two trade associations filed suit in the U.S. District Court for the Eastern District of Kentucky challenging certain aspects of the rulemaking.8 The plaintiffs allege that the CFPB not only “overstep[ped] its statutory mandate,” but also “inject[ed] itself into a developing, well-functioning ecosystem that is thriving under private initiatives.” More specifically, the plaintiffs allege that the final rule exceeds the CFPB’s statutory authority by requiring disclosure of a consumer’s financial information to commercial entities that do not qualify as a consumer’s agent, trustee, or representative; substantially increases security risks to consumers; inappropriately outsources authority to set standards for compliance; imposes a timeline for compliance that is arbitrary and irrational; and impermissibly prohibits banks from charging fees to recoup costs associated with complying with the rule.
Takeaways
Although the CFPB has extended the compliance dates of the final rule from what was initially proposed, adherence to the final rule will require a considerable investment of time and resources. Accordingly, covered data providers should not delay in taking steps to have appropriate policies in place, including with respect to consumer and developer interfaces. Covered data providers subject to state consumer privacy laws might consult their internal privacy experts to leverage the work already in place relating to consumer rights of access and data portability, as well as consumer verification processes and procedures.
Covered data providers and third parties alike should also maintain focus on data security, as increased data sharing and transfer activity will increase the risk of potential data security incidents.
To promote the development and use of standardized formats across consumer and developer interfaces, the final rule also provides for CFPB recognition of fair, open, and inclusive standard-setting bodies. Although conformance to the standards offered by CFPB-recognized standard-setting bodies is not generally required for compliance with the final rule, adherence to such standards would provide some “indicia of compliance.” In June 2024, the CFPB outlined the qualifications necessary to become a CFPB-recognized standard-setting body. The CFPB began receiving applications in September 2024; however, the agency has yet to recognize a standard-setting body for the purposes of the final rule.
For more information about how the CFPB’s new Personal Financial Data Rights rule may impact your business, please contact any of the authors of this Advisory or your usual Arnold & Porter contact. The firm’s Financial Services and Privacy, Cybersecurity & Data Strategy teams would be pleased to assist with any questions about the agency’s Personal Financial Data Rights rule, or financial regulation more broadly.
© Arnold & Porter Kaye Scholer LLP 2024 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.
1. See, e.g., Press Release, Ian P. Moloney, Senior Vice President, Am. Fintech Council, Consumer Financial Protection Bureau’s Personal Financial Data Rights Final Rule (Oct. 22, 2024); Press Release, Rob Nichols, President and CEO, Am. Bankers Ass’n, Statement on CFPB’s Section 1033 Final Rule (Oct. 22, 2024).
8. Forcht Bank, N.A. v. Consumer Fin. Prot. Bureau (E.D. Ky. Oct. 23, 2024).