CFPB finalizes Personal Data Rights Rule

This morning, the CFPB announced it has finalized a rule designed to give consumers greater rights, privacy, and security over their personal financial data. The rule will require financial institutions, credit card issuers, and other financial providers to unlock an individual’s personal financial data and transfer it to another provider at the consumer’s request for free.

The Bureau said that consumers will be able to more easily switch to providers with superior rates and services, and, by fueling competition and consumer choice, the rule will help lower prices on loans and improve customer service across payments, credit, and banking markets. The rule also establishes strong privacy protections, requiring that personal financial data can only be used for the purposes requested by the consumer. It ensures that third parties cannot use consumer data for other purposes that benefit the third party, but that consumers do not want. It also helps move the industry away from “screen scraping,” a still common but risky practice that typically involves consumers providing their account passwords to third parties who use them to access data indiscriminately through online banking portals.

Compliance with the rule, which amends 12 CFR Part 1033, will be implemented in phases, with larger providers subject to the rule sooner than smaller ones. Financial firms will be required to comply based on their size; the largest institutions will have to comply by April 1, 2026, while the smallest covered institutions will have until April 1, 2030. Certain small banks and credit unions are not subject to this rule.

• Executive Summary of Rule
• Published 11/18/2024 at 89 FR 90838, with an effective date of 1/17/2024.
• Compliance dates: Data providers must comply with the requirements in 12 CFR part 1033, subparts B and C beginning April 1, 2026; April 1, 2027; April 1, 2028; April 1, 2029; or April 1, 2030, based on the criteria set forth in § 1033.121(c).