Introduction

On October 22, 2024, the Consumer Financial Protection Bureau (CFPB) finalized its rulemaking on “Personal Financial Data Rights,” which lays out the agency’s plan to establish new consumer rights and protections with regard to personal financial data.

This Final Rule is part of the agency’s broader mandate to establish an “open banking” system, in which consumers can have greater control over their financial data and easily switch between financial service providers. The CFPB emphasizes this rule as a major step towards expanding ”rights, privacy, and security over [consumers’] personal financial data.” CFPB Director Rohit Chopra emphasized that the rule “will give people more power to get better rates and service on bank accounts, credit cards, and more.”

The Rule arrives after a nearly decade-long rulemaking effort under Dodd-Frank Act Section 1033, which requires that bank and non-bank institutions make account and transaction data available upon request. The proposed regulations were announced in October 2023, and received over 11,000 comments. To date, various trade associations and at least one bank have sued the CFPB on the basis that the Final Rule exceeds the scope of its authority as granted by Dodd-Frank.

This post is designed to provide a breakdown of the Final Rule, its core components, and the differences between the Proposed and Final Rules.

What is covered under the Final Rule?

Data Providers, Authorized Third Parties, and Data Aggregators. The Final Rule imposes obligations on three primary entities: data providers, authorized third parties, and data aggregators.

• Data Providers. Data providers are defined as financial institutions, card issuers, and “any other person that controls or possesses information concerning a covered consumer financial product or service that the consumer obtained from that person.” The Final Rule does not extend, however, to smaller institutions such as depository institutions or credit unions which hold assets equal to or less than the Small Business Administration (SBA) size standard. If a small entity later exceeds the SBA thresholds, it will become subject to the rule.

• Authorized Third Parties. Third parties are defined as “any person that is not the consumer to whom the covered data pertains or the data provider that controls or possesses the consumer’s data.” To become authorized, third parties must comply with certain authorization procedures when seeking access to covered data held by a data provider in order “to provide a product or service the customer requested.”

• Data Aggregators. Data aggregators are persons who are “retained by and provide services to the authorized third party to enable access to covered data.” The Final Rule allows data aggregators to carry out the authorization process on behalf of the third party requesting authorization from the consumer.

Covered financial products or services

The Final Rule’s definition of “covered financial products or services” extends to the same products and services contemplated in the Proposed Rule: “Regulation E accounts,” “Regulation Z credit cards,” and “facilitation of payments from a Regulation E account or Regulation Z credit card.” The Final Rule excludes products or services that “merely facilitate first party payments,” such as payments “initiated by loan servicers.”

Covered data

“Covered data” under the Final Rule is defined as “[t]ransaction information, including historical information in the control or possession of the data provider” such as amount, transaction date, payee or merchant name, rewards credits, and fees or finance charges. “Covered data” also extends to consumers’ account balance, “information to initiate payment to or from a Regulation E account,” terms and conditions, “upcoming billing information” such as scheduled third party bill payments, and “basic account verification information.” The Final Rule, like the Proposed Rule, excludes confidential commercial information such as algorithms used to for credit and risk scores, information collected solely for preventing fraud and money laundering, information otherwise kept confidential by law, and information which cannot be obtained in the data provider’s ordinary course of business.

What are covered entities required to do in order to comply with the Final Rule?

Requirements for data providers

• Making covered data available to consumers. Data providers must make covered data available to consumers and their authorized third parties, upon their request and without fees or charges, in an electronic form that is usable by consumers. This Rule also imposes a minimum response rate for requests, and prohibits “screen scraping,” which lets third parties use consumer credentials to enter consumer accounts and access their data. Data providers must also provide information about itself to consumers upon request, and are required to keep a record of when they refused a request from a consumer or a third party.

• Establishing consumer and developer interfaces. The Final Rule requires data providers to establish standardized-format interfaces by which consumers and authorized third parties can request and access covered data. No specific technology is mandated for setting up these interfaces. Further, only the developer interface requires providers to offer files in a machine readable form, not the consumer interface. Covered data must be made available to an authorized party in a “commercially reasonable” manner. The developer interface must have an information security program that satisfies Section 501 of the Gramm-Leach Bliley Act.

Requirements for Authorized Third Parties

• Obtaining authorization. A third party seeking access to a consumer’s covered data on behalf of that consumer to “provide a product or service the consumer requested” must obtain authorization by:

  • a) providing an authorization disclosure which describes its product/service and includes the categories of data that they will access, its retention duration, and method for revoking authorization,

  • b) providing a statement certifying that it will meet the requirements outlined in the Final Rule, and

  • c) obtain the consumer’s “express informed consent” either signed electronically or in writing.

• Limitation on Use and Retention. The Final Rule requires that authorized third parties “limit [their] collection, use, and retention of covered data to what is reasonably necessary to provide the consumer’s requested service.” The rule states that targeted advertising, cross-selling of other products/services, and the sale of covered data are not deemed “reasonably necessary” to provide the product or service. Additionally, a third party must limit its retention of covered data to a maximum of one year following their most recent authorization from the consumer. Third parties must have systems in place to allow the consumer to revoke authorization, and ensure that data is deleted when a) authorization is revoked, b) its retention period has expired, or c) retention is no longer reasonably necessary.

• Maintaining Security and Accuracy of Information. Third parties must secure its systems using an “information security program” that satisfies Section 501 of the GLBA. Third parties must “establish and maintain written policies and procedures” reasonably designed to make sure that covered data they receive and share is accurate.

• Use of Data Aggregators. Third parties can enlist data aggregators to carry out its authorization procedures on the third party’s behalf. Third parties still remain responsible for its compliance with these procedures. The data aggregator must certify to consumers that it agrees to the same conditions of third parties when it comes to accessing consumer data. Additionally, the name of the data aggregator and its services must be disclosed in the authorization disclosure.

By when do financial institutions have to comply?

Data Provider Implementation Deadlines. While the Final Rule technically goes into effect 60 days after publication in the Federal Register, the dates by which data providers must meet compliance requirements are staggered over the next six years. Overall, the larger the firm, the sooner compliance must be met.

• April 1^st, 2026: Deadline for large financial firms that hold at least $250 billion in total assets and nondepository institution providers that generated a minimum of $10 billion in total receipts either in 2023 or 2024.

• April 1^st, 2027: Deadline for depository institution data providers that hold between $10-250 billion or nondepository institutions which generated less than $10 billion in receipts in 2023 or 2024

• April 1^st, 2028: Deadline for depository institution data providers that hold between $3-10 billion in total assets.

• April 1^st, 2029: Deadline for depository institution data providers that hold between $1.5-3 billion in total assets

• April 1^st, 2030: Deadline for depository institution data providers that hold less between $850 million to $1.5 billion in total assets.

If an excluded small institution later crosses the coverage threshold, they must come into compliance “within a reasonable amount of time,” not to exceed five years from when they pass the threshold.

Third Party Implementation Deadlines. There are no compliance dates set for third parties in the Final Rule. However, as of data providers’ compliance dates, third parties will need to be prepared to engage with these entities in compliance with the Final Rule.

How does the Final Rule differ from the Proposed Rule?

• Addressing FCRA Application Concerns. The Proposed Rule did not make clear whether the rule expanded obligations under the Fair Credit Reporting Act (FCRA), which was of concern to entities that would qualify as data aggregators under this Rule. In the Final Rule preamble, the agency writes that the rule “ does not cause data aggregators to incur legal liability under the FCRA that they would not otherwise assume through their ordinary operations,” nor “alter the types of data, parties, or permissible purposes covered by the FCRA.”

• Buy Now, Pay Later (BNPL) Providers. While the Proposed Rule did not include BNPL providers within its construction of “card issuers,” the Final Rule expands its definition to include these providers.

• Clarifying When a Data Provider Can Deny Access. While the Proposed Rule permitted data providers to deny third parties and consumers access to an interface due to general security risks, the Final Rule clarifies by adding several specific scenarios and justifications that expand when data providers can deny access.

• Data Providers May Provide Revocation Methods. The Final Rule adds that a data provider “does not violate” its general obligations“ by providing consumers a “reasonable method to revoke and third party’s authorization to access all of the consumer’s data.”

• Eliminating Specific Performance Requirement. The Proposed Rule stated a quantitative time benchmark (3,500 milliseconds) by which an interface must provide a response to a request. The Final Rule instead requires that a proper response be provided in a “commercially reasonable” time.

• Excluding First Party Payments. The Final Rule explicitly excludes situations where an entity “solely facilitat[es] first party payments,” which is defined as a “transfer initiated by the payee or an agent on behalf of the underlying payee.” The CFPB explains in the Final Rule that first party payments are “distinct from payment facilitation,” and has therefore excluded first party payments “such as a merchant or mortgage loan servicer initiating a payment from the consumer’s account to itself.”

• Modifying Definition of “Data Aggregator.” While the Proposed Rule defined data aggregator as an “entity” to be retained by an authorized third party, the Final Rule tweaks this by defining a data aggregator as a “person,” to ensure that the term applies to situations in which the aggregator is not an entity, such as a natural person.

• Modified Coverage Threshold for Depository Institution Data Providers. While the proposal determined coverage based on mere existence of a consumer interface, the Final Rule instead bases coverage on the total assets held be a depository institution data provider, and extends the timeline for them to comply (as explained below).

• Modified Compliance Timeline. While the Proposed Rule included a six month compliance deadline for depository institution providers that hold at least $500 billion in total assets, the new timeline does not begin until, at earliest, April 2026. The Final Rule also increases the number of tiers for compliance. Additionally, the Final Rule lowered the threshold for the first compliance deadline, now applying to depository institution providers that hold at $250 billion in total assets, as opposed to $500 million.

• Name Requirement in Third Party Authorization Disclosure. The CFPB adopted its proposed disclosure rules, but added that the names listed in the disclosure must be “readily understandable” to the consumer. The CFPB argues that unlike a legal or trade name, this new standard will best enable informed consent.

Next Steps

Ultimately, the Final Rule reflects the CFPB’s continued endeavour to expand consumer rights, interoperability, and standardization within the financial services sector. In June this year, the CFPB issued a rule establishing the criteria for becoming an industry standard setting body -- entities recognized as a standard setting body will be able to issue standards that can aid companies in compliance with this new rule.

The CFPB has a range of pending rules coming down the pike, from its rule on “Defining Larger Participants of a Market for General-Use Digital Consumer Payment Applications” to its interagency effort to establish “Financial Data Transparency Act Joint Standards.” It is clear that despite various legal challenges to its authority, and continued judicial scrutiny of agency rulemakings, the CFPB does not intend to slow down its rulemaking agenda and is committed to establishing a broader “open banking” landscape.

Trade associations and a bank in Kentucky brought a complaint to block implementation of this rule on Tuesday, the very same day the rule was announced. While this raises questions about the permissibility of some aspects of the rule, companies should begin contemplating how it can prepare for compliance with this rule’s sweeping new obligations.

For further discussion and advice, please contact our Hogan Lovells attorneys.

Authored by Liz Boison, Mark Brennan, Bret Cohen, Sara Lenet, Katy Milner, Roshni Patel, Jane Chen, and Ryan Campbell.