
Noted with Interest: New CFPB Rule Requires Data Providers to Allow Consumers to Authorize Third Parties to Access Their Financial Information

February 10, 2025
Business Litigation Reports

The Consumer Financial Protection Bureau (CFPB) has published its final rule implementing Section 1033 of the Dodd-Frank Act. The rule requires “data providers,” which generally includes banks, credit unions, and credit card issuers, to allow consumers to access their financial information and authorize third parties to access their information. Required Rulemaking on Personal Financial Data Rights, 89 Fed. Reg. 90,838 (Nov. 18, 2024) (to be codified at 12 C.F.R. pts. 1001, 1033).

The Dodd-Frank Act, a sweeping set of financial reforms Congress passed in response to the 2008 financial crisis, also established the CFPB. Title X of Dodd-Frank, known as the Consumer Financial Protection Act, authorized the CFPB to act as an independent consumer protection agency and implement certain sections of Dodd-Frank. See 12 U.S.C. §§ 5491-5492. One such section is Dodd-Frank Act Section 1033, which allows consumers to request certain financial information about themselves from “data providers.” 12 U.S.C. § 5533. However, § 1033 does not contain many details. It simply states that “a covered person shall make available to a consumer, upon request, information in the control or possession of the covered person.” It then provides examples of this information, which would include information such as transaction history and data usage. It left the details to rules the CFPB might later promulgate. Id.

The CFPB did not touch Section 1033 until October 2023, when it issued a proposed rule implementing the section. Required Rulemaking on Personal Financial Data Rights, 88 Fed. Reg. 74,796 (Oct. 31, 2023) (to be codified at 12 C.F.R. pts. 1001, 1033). After a notice-and-comment period, the agency issued its final rule in November 2024. The rule has two main aspects: (1) requiring “data providers” to provide consumers with access to their financial information, and (2) allowing consumers to authorize third parties to access that information.

The rule defines a “data provider” generally as a financial institution, card issuer, or provider of a consumer financial product or service. In effect, this means that the rule covers banks, credit unions, and credit card issuers but excludes certain lenders (like auto loan lenders) and providers of retirement accounts and other investment products. Personal Financial Data Rights, 89 Fed. Reg. at 90,853-54.

The main obligation for a data provider under this rule is to provide customers and certain third parties with what the rule calls “covered data.” Id. at 90,992. Covered data includes common financial information like certain transaction information, account balance information, and the consumer’s account and routing number. Id. The data provider must provide this data through a consumer interface and a developer interface, and it cannot charge fees for maintaining these databases or for consumer and third party requests to access the data. Id. at 90,992-93. This sole provision, therefore, establishes not only a consumer’s right to his or her data under the regulation but also a third party’s right to access that information.

The rights of third parties under the regulation are novel, as Dodd-Frank Section 1033 is limited to directly addressing the rights of consumers. But the regulation seeks both to provide those third parties with rights while also restraining their actions. A third party is anybody other than the consumer or the data provider. Id. at 90,991. To become authorized to act on behalf of a consumer, the third party must fulfill three main requirements. First, it must provide the consumer with an authorization disclosure. Second, the disclosure must include a statement certifying that the third party agrees to the obligations described elsewhere in the regulation. Finally, the third party must obtain the consumer’s express informed consent to access covered data on behalf of the consumer. To satisfy the consent requirement, the third party must have the consumer sign the authorization disclosure electronically or in writing. Id. at 90,996.

In addition to acting on behalf of consumers, the regulation also allows third parties to use “data aggregators” to assist them. Data aggregators work with the third party to access the data. Id. at 90,991. However, the data aggregator itself must obtain the same authorization from the consumer as the third party. Id. at 90,997-98.

Although the regulation benefits authorized third parties by granting them access to consumers’ covered data, it subsequently limits them by imposing affirmative obligations upon them. The main obligation is a limit on collection, use, and retention of the data to what is “reasonably necessary” to provide the consumer with the service he or she requested. Id.

Finally, the rule authorizes “standard-setting bodies” to create “consensus standards” to guide compliance with the regulation. Id. at 90,991-92. To be a standard-setting body, the organization must apply for a certification from the CFPB and meet attributes of openness, balance, due process and appeals, consensus, and transparency. Id. The CFPB began accepting applications for these bodies in the summer of 2024. Id. at 90,861.

The CFPB framework overall creates what is called an “open banking” framework. Open banking is a system where banks allow third parties to access consumer information and interact across financial institutions. For example, a third party could collect all of a consumer’s loan information to provide suggestions on future loans, or an app could provide a consumer access to all of his or her account information in one place. This unilateral creation of a new type of banking system through a single agency’s regulation was a major source of controversy during the initial notice-and-comment period. See, e.g., id. at 90,880.

On the day the CFPB released the final rule, Forcht Bank, N.A., the Kentucky Bankers Association, and the Bank Policy Institute filed a lawsuit challenging the regulation on statutory and constitutional grounds. Complaint, Forcht Bank, N.A. v. CFPB, No. 5:24-cv-00304-DCR (E.D. Ky. Oct. 23, 2024), ECF No. 1. The complaint focuses on this “open banking” concern—in effect, the CFPB is using Dodd-Frank to create a new banking system that Congress never authorized. Id. ¶ 1. The lawsuit also raises constitutional concerns with outsourcing policymaking authority to the standard-setting bodies. The claims are all brought under various provisions of the Administrative Procedure Act. Id. ¶¶ 92-133.

The final rule became effective on January 17, 2025. Personal Financial Data Rights, 89 Fed. Reg. at 90,838. However, compliance dates will depend on the assets of the firm and will range from April 1, 2026, to April 1, 2030. Id. The earliest date applies to depository institutions that hold at least $250 billion in assets and non-depository institutions that generated at least $10 billion in total receipts in either 2023 or 2024. Id. at 90,991. Depository institutions with fewer than $850 million in assets are exempt from the rule. Id. at 90,988.