Overview and Summary of Changes
The Consumer Financial Protection Bureau (CFPB) has issued a final rule implementing Section 1033 of the Consumer Financial Protection Act (CFPA), which addresses personal financial data rights.
The final rule mandates that certain financial institutions, principally banks, make the covered data available to consumers and authorized third parties in a standardized electronic format. The CFPB finalized a portion of its rule implementing Section 1033 related to qualifications for standard-setting organizations in June.
Although largely consistent, the final 1033 rule differs from last year’s proposed rule in several important ways. Specifically, the final rule:
- Extended Compliance Dates: Identifies the compliance date for the largest institutions as April 1, 2026, extending the proposed compliance deadline for such institutions by almost one year. (See Compliance Deadlines below.) Compliance deadlines are staggered thereafter based on asset size or activity levels, with the last set of institutions (small depository institutions) not required to comply until April 1, 2030.
- New Exemption for Community Banks: Exempts depository institutions (including credit unions) that meet the thresholds for being a small depository institution under Small Business Administration regulations (currently, those with $850 million or less in assets) from the obligations that apply to data providers.
- Clarification Regarding Payment Facilitators: Clarifies that, while digital wallet providers are considered data providers subject to the rule, institutions that merely facilitate first-party payments (e.g., an e-commerce website facilitating a payment to itself) are not data providers.
- Standard-Setting Process: Outlines a detailed process for standard-setting bodies to apply for CFPB recognition, which was less explicit in the proposed rule. These changes are in addition to the final rule that the CFPB issued in June relating to qualifications for standard-setting organizations.
- Prohibition Against Evasion: Prohibits data providers from taking actions that they know or should know will render data unusable or otherwise interfere with consumers’ ability to access data.
- Interface Requirements: Mandates both consumer and developer interfaces with detailed performance and security specifications, enhancing the requirements set forth in the proposed rule.
- Third-Party Data Limits: Sets clear limits on third-party data collection, use and retention, including a one-year maximum retention duration, subject to reauthorization. The rule retains the proposed rule’s limits on authorized third parties’ secondary use of data, with the exception of permitting use of the data that is “reasonably necessary to improve the product or service the consumer requested.”
Covered Data
The final rule applies to any “data provider” that controls or possesses any covered data concerning a covered consumer financial product or service. A covered consumer financial product or service includes:
- Regulation E accounts, such as a demand deposit (checking), savings or other consumer asset account (other than an occasional or incidental credit balance in a credit plan) held directly or indirectly by a financial institution and established primarily for personal, family or household purposes (12 C.F.R. § 1005.2(b)).
- Regulation Z credit cards (12 C.F.R. § 1026.2(a)(15)(i)).
- The facilitation of payments from a Regulation E account or Regulation Z credit card (including digital wallets).
A data provider offering such products must readily identify itself publicly and include information regarding its legal name, a link to its website, its legal entity identifier and relevant contact information.
Data to be Provided
The final rule requires data providers to make the following “covered data” available to consumers and authorized third parties:
- Transaction Information: Including historical transaction data for at least 24 months.
- Account Balance
- Payment Information: Data necessary to initiate payments to or from a Regulation E account.
- Terms and Conditions: Applicable fee schedules, interest rates, rewards program terms, overdraft coverage and arbitration agreements.
- Upcoming Bill Information: Details about scheduled payments and upcoming bills.
- Basic Account Verification Information: Name, address, email and phone number associated with the account.
The rule also requires data providers to establish and maintain written policies and procedures addressing the availability of covered data, the accuracy of covered data, data provider interfaces and responding to requests for information and developer interface access.
Protected Data
Data providers are not required to disclose:
- Confidential commercial information.
- Data collected solely to prevent fraud or money laundering.
- Information required to be kept confidential by other laws.
- Data not retrievable in the ordinary course of business.
The rule also includes a discussion of instances in which it is permissible to deny a consumer or third party access to the consumer or developer interface.
Transmission Method
The final rule mandates that data providers establish and maintain both consumer interfaces and developer interfaces to facilitate data access for consumers and authorized third parties, respectively. Key requirements for a developer interface include:
- Standardized and Machine-Readable Format: Data must be provided in a standardized machine-readable format upon request.
- Performance Specifications: Interfaces must meet performance standards, including a minimum 99.5% response rate each month. Such information must be disclosed on the data provider’s website on or before the final day of each month.
- Security Specifications: Data providers must implement robust security measures, including compliance with the Gramm-Leach-Bliley Act or FTC Safeguards Rule.
Third-Party Requirements
To address privacy and data security concerns, the rule identifies several requirements for third parties seeking to access consumer data:
- Express Informed Authorization: Third parties must provide clear and conspicuous disclosures to consumers, including details about the third party, the data to be collected and the purpose of data collection. Third parties are permitted to engage data aggregators to seek a consumer’s authorization.
- Limitations on Data Use: Third parties may only collect, use and retain data necessary to provide the requested product or service. They also must require other third parties to comply with specified obligations regarding covered data. They are prohibited from selling data or using data for targeted advertising or cross-selling.
- Data Use to Improve Products: Notwithstanding the above restrictions, third parties may use data obtained under the rule in ways “that are reasonably necessary to improve the product or service the consumer requested.”
- Policies and Procedures: Third parties must adopt policies and procedures regarding record retention and for ensuring the accuracy of consumer covered data during transmission and access.
- Data Security: Third parties must create an information security program for collecting, using and retaining data that complies with the Gramm-Leach-Bliley Act or FTC Safeguards Rule requirements.
- Revocation Mechanism: Third parties must provide an easy method for consumers to revoke data access authorization.
Standard Setter
The CFPB’s final rule establishes a framework for recognizing standard-setting bodies that will create “consensus standards” for data transmission and security. These rules are in addition to the rules the CFPB finalized this summer relating to qualifications for standard-setting organizations. To gain CFPB recognition, bodies must demonstrate several key attributes:
- Openness: The process must be open to all interested parties, including consumer groups, data providers and relevant trade associations.
- Balance: Decision-making must be balanced across all parties to prevent any single group from dominating.
- Due Process and Appeals: Policies and procedures must be documented and publicly available, with a fair process for resolving conflicts and appeals.
- Consensus: Standards must be developed by general agreement, considering all comments and objections fairly.
- Transparency: Procedures and standards must be transparent and publicly accessible.
Recognition lasts up to five years and is subject to renewal. The CFPB will monitor these bodies to ensure ongoing compliance, with the authority to revoke recognition if necessary. This framework ensures that technical standards are fair, inclusive and support the goals of open banking and consumer protection.
Last month, the CFPB received its first application for open banking standard-setter recognition under Section 1033 of the Dodd-Frank Act. Thus far, the CFPB has received comments from a number of interested parties, including individuals, banks, industry advocates, trade associations and technology companies. The CFPB has not yet acted on the application and, therefore, there are no “consensus standards,” as defined by the rule, to help guide implementation.
Compliance Deadlines
The compliance dates for data providers are staggered based on their size:
- April 1, 2026: For depository institutions with at least $250 billion in total assets and non-depository institutions with at least $10 billion in total receipts in either 2023 or 2024.
- April 1, 2027: For depository institutions with $10 billion to $250 billion in total assets and non-depository institutions that did not generate $10 billion or more in total receipts in both 2023 and 2024.
- April 1, 2028: For depository institutions with $3 billion to $10 billion in total assets.
- April 1, 2029: For depository institutions with $1.5 billion to $3 billion in total assets.
- April 1, 2030: For depository institutions with $850 million to $1.5 billion in total assets.
Depository institutions below the SBA-set size standard (currently, $850 million in assets) do not need to comply with the rule.
Data Provider Challenge
Hours after the CFPB issued the final rule, the Bank Policy Institute, Kentucky Bankers Association and a Kentucky bank filed suit to enjoin the rule in the United States District Court for the Eastern District of Kentucky.
The plaintiffs raised six claims under the Administrative Procedure Act, including that the final rule misinterprets the term “consumer” in the CFPA, unacceptably puts consumer data at risk, impermissibly requires sharing information necessary to initiate a payment, unlawfully delegates decision-making authority to a private actor, includes unreasonable compliance deadlines and bans financial institutions from charging reasonable access fees to third parties or data aggregators for access to data.
The complaint includes a request for the court “to delay the effective date and implementation of the Rule and the Standard-Setter Rule pending the conclusion of this case,” but the plaintiffs have not (as of the date of this alert) moved for preliminary injunctive relief.
What’s Next?
The final rule is set to take effect 60 days after publication in the Federal Register. Financial institutions that are potentially subject to the rule should carefully consider their compliance obligations in light of uncertainty caused by the pending challenge to the rule and the developing standards that will govern compliance.
To learn more about the issues explored above or what impact they may have on your business, please reach out to the authors (John Coleman, Sasha Leonhardt, Sherry-Maria Safchuk) or other members of the Orrick team.
This client alert is intended to provide a general overview of the CFPB’s final rule on personal financial data rights and does not constitute legal advice. For specific legal advice, please contact a qualified attorney.