On Oct. 22, CFPB issued final rule re data rights, requests and privacy.
CFPB finalized rule to give consumers greater rights, privacy, and security over data.
Required financial institutions, credit card issuers, and other financial providers to unlock an individual’s personal financial data and transfer it to another provider on request, for free.
CFPB’s first significant rule to accelerate responsible open banking; BPI critical of rule.
Will be developing additional rules to address more products, services, and use cases.
Required data provider to make covered data about covered financial products and services available in electronic form to consumers and certain authorized third parties.
Data provider includes depository institution (including CU), nondepository institutions that issue credit cards, hold transaction accounts, issue devices to access an account.
Also, institutions that provide other types of payment facilitation products or services.
Final rule does not apply to certain small depository institutions as defined in the rule.
Covered data includes information about transactions, costs, charges, and usage.
Summary of Final Rule
Covered person shall make available to consumer, upon request, information in control or possession of covered person concerning the consumer financial product or service that the consumer obtained from such covered person, subject to certain exceptions.
The information must be made available in an electronic form usable by consumers.
Included a number of functional requirements intended to ensure data providers make covered data available reliably, securely, and in a way that promotes competition.
Data must be available to authorized third parties in standard, machine-readable form.
Provider must not unreasonably restrict the frequency with which it receives or responds to requests.
In addition, a provider cannot comply with the requirement to make data available to authorized third parties by allowing the third party to engage in screen scraping.
Final rule prohibited fees or charges related to consumer and third party data access.
Require provider to publicly disclose certain information about itself to facilitate access.
Third party to certify to limit collection, use, retention to what is reasonably necessary.
Also, third parties must certify to have written policies; apply information security program to systems; provide the consumer with a copy of the authorization disclosure.
In addition, must provide consumer with method to revoke third party’s authorization.
Data Aggregator Provisions
Final rule permitted data aggregators to perform authorization procedures described in the final rule on behalf of the third party seeking the consumer’s authorization.
Third party seeking the consumer’s authorization remains responsible for compliance.
Authorization disclosure must include data aggregator’s name, description of services.
Initial Compliance Dates
Data providers must comply with requirements in subparts B and C beginning Apr. 1, 2026; Apr. 1, 2027; Apr. 1, 2028; Apr. 1, 2029; or April 1, 2030, depending on size.
Apr. 1, 2026, for depository institution data providers that hold at least $250 billion.
In addition, Apr. 1, 2026, for nondepository institution data providers that generated at least $10 billion in total receipts in either calendar year 2023 or calendar year 2024.
Apr. 1, 2027, for depository institutions that hold at least $10bn in assets but less than $250bn, and for nondepository institutions that did not generate $10bn or more in receipts.
Apr. 1, 2028, for depository institutions that hold at least $3bn but less than $10bn.
Apr. 1, 2029, for depository institutions that hold at least $1.5bn but less than $3bn.
Apr. 1, 2030, for depository institutions that hold less than $1.5bn but more than $850 million.
Effectiveness
The final rule is effective 60 days after the date of publication in the federal register.
In Oct. 2024, House issued statement urging Data Privacy Act passage, see #230775.
In Oct. 2024, CFPB issued statement on data privacy rights rule, see #230782.
In Oct. 2024, BPI filed lawsuit against CFPB data privacy final rule, see #230971.
Nov. 2024 CFPB Fed Reg Final Rule
On Nov. 18, 2024, CFPB published final rule in federal register, effective Jan. 17, 2025.
Data providers must comply with requirements in subparts B and C beginning Apr. 1, 2026; Apr. 1, 2027; Apr. 1, 2028; Apr. 1, 2029; or April 1, 2030, depending on size.