On Oct. 22, 2024, the Consumer Financial Protection Bureau (CFPB) issued a final rule on Personal Financial Data Rights, which changes the way financial institutions hold and distribute customer-generated data. The rule, once effective, will require depository and nondepository entities to make available to consumers and authorized third parties certain data relating to consumers’ transactions and accounts; establish obligations for third parties accessing a consumer’s data, including privacy requirements; and provide standards for data access. The rule will have broad impacts on financial institutions and third parties, as detailed in this client alert.
Overview of the Final Rule
The proposed rule stems from Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act), which provides that subject to a CFPB rulemaking, “a covered person shall make available to a consumer, upon request, information in the control or possession of the covered person concerning the consumer financial product or service that the consumer obtained from such covered person, including information relating to any transaction, series of transactions, or to the account including costs, charges and usage data.” Some stakeholders have argued that the CFPB has gone beyond the statutory directive.
The CFPB released the data sharing Notice of Proposed Rulemaking (NPRM) on Oct. 19, 2023, following a Feb. 1, 2023, Small Business Review Panel (SBREFA) and a 2020 Advance Notice of Proposed Rulemaking (ANPRM). This was 13 years after Dodd-Frank.
Covered Entities
The final rule defines “data providers” as any depository institutions and nondepository institutions that issue credit cards, hold transaction accounts, issue devices to access an account, or provide other types of payment facilitation products or services. The final rule includes payment apps and digital wallets under the “data provider” definition, which the proposed rule had excluded. The rule also exempts small banks and credit unions that have less than $850 million in total assets. Nondepository institutions of any asset size are covered in the final rule.
Requirements
Within Section 1033.201 of the rule, data providers must provide consumers and authorized third parties with “covered data in the data provider’s control or possession concerning a covered consumer financial product or service that the consumer obtained from the data provider.” Data providers must provide covered data “in an electronic form usable by consumers and authorized third parties” as provided by Section 1033 of the Dodd-Frank Act.
Under Section 1033.311, data providers are prohibited from imposing any fees or charges on a customer or third party when receiving requests for data and/or maintaining required interfaces. Section 1033.321 allows for reasonable denials of consumer or third-party access to an interface due to risk management concerns. The bar for a “reasonable denial … is … directly related to a specific risk of which the data provider is aware, such as a failure of a third party to maintain adequate data security, and must be applied in a consistent and non-discriminatory manner.” Covered data providers are also required to maintain separate consumer and developer interfaces. When receiving requests from consumers, data providers must provide covered data when they receive information that can authenticate the consumer’s identity and identify the scope of the requested data.
Third-Party Obligations
Section 1033.421 specifies that third parties are limited in their collection, use and retention of relevant data to what is “reasonably necessary” to provide a product or service to a customer. The proposal outlines that the following activities are not reasonably necessary:
(i) Targeted advertising;
(ii) Cross-selling of other products or services; or
(iii) The sale of covered data.
This provision would impact direct marketing to consumers. Third parties would also be limited to a one-year authorization: to continue accessing data, a third party will be required to obtain a new authorization from the consumer each year. If a consumer does not provide a new authorization, the third party will:
(i) No longer collect covered data pursuant to the most recent authorization; and
(ii) No longer use or retain covered data that was previously collected pursuant to the most recent authorization unless use or retention of that covered data remains reasonably necessary to provide the consumer’s requested product or service.
Compliance Timeline
The CFPB extended the timeline for compliance compared to the proposed rule, split into five tiers:
- Depository institution data providers that hold at least $250 billion in total assets and nondepository institution data providers that generated at least $10 billion in total receipts in either calendar year 2023 or calendar year 2024 must comply by April 1, 2026.
- Depository institution data providers that hold at least $10 billion in total assets but less than $250 billion in total assets and nondepository institution data providers that generated less than $10 billion in total receipts in both calendar year 2023 and calendar year 2024 must comply by April 1, 2027.
- Depository institution data providers that hold at least $3 billion in total assets but less than $10 billion in total assets must comply by April 1, 2028.
- Depository institution data providers that hold at least $1.5 billion in total assets but less than $3 billion in total assets must comply by April 1, 2029.
- Depository institution data providers that hold less than $1.5 billion in total assets but more than $850 million in total assets must comply by April 1, 2030.
Next Steps
Shortly after the final rule was released, a banking trade group filed a lawsuit, arguing that the CFPB “exceeded its statutory authority” by requiring banks to provide customers’ financial information to fintech companies and data aggregators. In addition to legal challenges, the rulemaking could be considered under the Congressional Review Act (CRA) if former President Trump wins in November, or could face other obstacles under new CFPB leadership. The CRA enables Congress to issue a joint resolution of disapproval to invalidate a final rule in its entirety. The joint resolution of disapproval must be introduced within the 60-legislative-day lookback period, and this final rule falls within that period. However, House Financial Services Committee Chairman Patrick McHenry (R-NC) stated that the rulemaking is a “promising step forward” in protecting consumer financial data.
The CFPB issued a final rule on June 5 that outlines the process for industry standard-setting bodies to be recognized by the CFPB under its section 1033 rulemaking. The bureau published its first 1033 standard-setter application in September, and more entities are likely to apply following the release of the final rule.
CFPB Director Rohit Chopra signaled that the CFPB would seek to do more on open banking in his prepared remarks, stating that it would develop “a roadmap for the next set of rules to advance open banking” for other use cases, including “how to reduce costs and complexity in the mortgage market.”
The Brownstein Financial Services and Government Relations teams are ready to assist with compliance and outreach related to this rulemaking.
THIS DOCUMENT IS INTENDED TO PROVIDE YOU WITH GENERAL INFORMATION REGARDING NEW CFPB RULES ON DATA SHARING. THE CONTENTS OF THIS DOCUMENT ARE NOT INTENDED TO PROVIDE SPECIFIC LEGAL ADVICE. IF YOU HAVE ANY QUESTIONS ABOUT THE CONTENTS OF THIS DOCUMENT OR IF YOU NEED LEGAL ADVICE AS TO AN ISSUE, PLEASE CONTACT THE ATTORNEYS LISTED OR YOUR REGULAR BROWNSTEIN HYATT FARBER SCHRECK, LLP ATTORNEY. THIS COMMUNICATION MAY BE CONSIDERED ADVERTISING IN SOME JURISDICTIONS.