Alert
October 24, 2024
CFPB Finalizes Personal Financial Data Rights Rule
On October 22, 2024, the Consumer Financial Protection Bureau finalized the Personal Financial Data Rights Rule to implement Section 1033 of the Dodd-Frank Act. The Bureau proposed the rule in October 2023 to move toward an "open banking" system.
Section 1033 of the Dodd-Frank Act provides that covered data providers must make available to a consumer, upon request, data in the control or possession of the data provider concerning the consumer financial product or service that the consumer obtained. The final rule implements this provision, providing specificity to the scope of data providers subject to the rule, the data that must be provided to consumers upon request, the interfaces through which data is to be made available, and how third parties may access such information through the consumer's access right.
The final rule keeps the proposed rule largely intact, but it does make notable changes, including:
- exempting from the rule depository institutions that hold total assets equal to or less than the Small Business Administration size standard according to the applicable NAICS code;
- clarifying that products and services that merely facilitate first party payments (payments initiated by the payee or a payee's agent, such as a loan servicer) from a Regulation E account or Regulation Z credit card are not subject to the rule;
- providing that guardians, trustees, custodians, or similar natural persons may effectuate consumer rights;
- adding a prohibition against evasion for data providers with respect to the obligation to make covered data available;
- adding a requirement to make available to consumers a truncated account number or other account identifier;
- specifying that covered data includes payment initiation information directly or indirectly held by the data provider, such as an account and routing number that could be used to initiate an Automated Clearing House transaction;
- permitting use of tokenized account numbers for payment initiation information;
- adding detail to the content required to be included in third-party authorization disclosures; and
- allowing authorized third parties to retain and use previously-collected data as reasonably necessary to improve the consumer-requested product or service despite any revocation request.
The rule will be effective 60 days after publication in the Federal Register. Compliance deadlines for data providers begin on April 1, 2026, and extend to April 1, 2030, depending on the institution's size.