In response to the 2007-2008 financial crisis in the U.S., Congress passed the Consumer Financial Protection Act (CFPA) in 2010, seeking to prevent similar crises in the future while building accountability within the financial industry that didn’t previously exist. Section 10121 of the CFPA established the Consumer Financial Protection Bureau (CFPB), which is now the primary U.S. agency that implements and enforces federal consumer financial law.
Another section of the CFPA, Section 1033, began to address an issue that was becoming more and more exigent: access to and the use of digital personal financial data:
“a covered person shall make available to a consumer, upon request, information in the control or possession of the covered person concerning the consumer financial product or service that the consumer obtained from such covered person, subject to certain exceptions. The information must be made available in an electronic form usable by consumers…
“the CFPB, by rule, shall prescribe standards applicable to covered persons to promote the development and use of standardized formats for information…”
In plain terms, Section 1033 said that people have a legal right not only to access the data a bank or financial institution acquires and stores about them, but also to access that information digitally in a form they can understand and share with third parties (this is essentially what open banking is). In addition, Section 1033 stated that the CFPB would put forth specific criteria or standards financial institutions would need to follow in order to provide access to and share that data.
While it’s been over 14 years since the CFPA was passed, there hasn’t been any actual regulation for Section 1033 until very recently. But with open banking becoming more and more prevalent, last October the CFPB finally proposed a rule that will specifically and comprehensively implement Section 1033. After several months of accepting comments and then reviewing and revising, the Personal Financial Data Rights rule was finalized in June 2024, and in July the CFPB started accepting applications from institutions seeking to be recognized by the CFPB as an early “standard-setting body” already following the requirements of the rule. On October 22, the CFPB announced their final rule that will go into effect as soon as it’s published in the Code of Federal Regulations.
Let’s take a closer look at the rule to see what it’s all about and what things institutions will be required to implement moving forward.
Most of the regulations apply to “data providers,” which are 1) financial institutions, 2) card issuers, and 3) “any other person that controls or possesses information concerning a covered consumer financial product or service that the consumer obtained from that person” (that includes digital wallet providers).
The final section of the rule also addresses authorized third parties, which are entities that might have a legitimate reason to request consumer-permissioned data from a data provider.
The heart of 1033 is a mandate that all data providers be able to provide the most current data they have about a customer, to that customer, in a format that the customer or third parties can readily use. This “covered data” could include any/all of the following:
Additionally, the rule requires data providers to have both a consumer interface and a developer interface where requests for data can be made and responded to, in both human-readable and machine-readable formats, without any fees required of the consumer.
Lastly, the rule addresses third-party authorization and the ways authorized third parties can request access to consumer-permissioned data from data providers.
The rule lays out a 5-tier compliance schedule for data providers based on their assets: the more money an entity holds and manages, the more quickly they’ll be required to comply with the regulations of the rule.
April 1, 2026 = depository institution data providers that hold at least $250 billion in total assets + nondepository institution data providers that generated at least $10 billion in total receipts in either 2023 or 2024
April 1, 2027 = depository institutions that hold between $10 and $250 billion in total assets + nondepository institutions that generated less than $10 billion in both 2023 and 2024
April 1, 2028 = depository data providers that hold $3 to $10 billion in total assets
April 1, 2029 = data providers that hold $1.5 to $3 billion in total assets
April 1, 2030 = providers that hold $850 million to $1.5 billion in total assets
A year ago when it was proposed, the CFPB stated that the rule intended to “accelerate a shift toward open banking, where consumers would have control over data about their financial lives and would gain new protections against companies misusing their data.” So while the rule focuses almost entirely on regulating data providers, the outcomes are entirely focused on benefiting consumers. That makes sense since it’s coming from the CFPB, which was formed by Congress to “ensure that markets for consumer financial products and services are fair, transparent, and competitive.” The CFPB intends that this rule will make it easier for consumers to shop around when it comes to financial services and quickly switch between data providers if they think it’s in their best interests. The rule additionally makes data privacy a priority, as data providers will now be limited to sharing their customers’ data only with people the customer wants it to be shared with.
With all the focus on consumer benefits, banks haven’t necessarily been in favor of the rule. This summer, The Bank Policy Institute, The Clearing House Association, The American Bankers Association, and The Consumer Bankers Association wrote a joint letter to Rohit Chopra, the CFPB’s director, asking for a meeting “to discuss in greater detail the scope of work that implementation will require even for the largest, most sophisticated data providers to help ensure a mutual understanding of the work and time that will be required to comply with a final rule.” While more fintech-centric data providers will be able to implement these regulations relatively easily, many traditional banks have a lot of infrastructure work to do to make the rule’s requirements possible.
And then the very day the final rule was released, the CFPB was sued in the U.S. District Court for the Eastern District of Kentucky by The Bank Policy Institute, the Kentucky Bankers Association, and Forcht Bank for “overstepping its authority and asserting the rule would put consumers and the banking system at risk.” With this lawsuit pending, and the potential for other lawsuits coming, there’s a chance the rule may be further delayed from being published in the Code of Federal Regulations.
The Personal Financial Data Rights rule has a lot of implications for financial institutions, tech companies, and consumers. As a tech company, we're looking forward to seeing how these regulations will help to expand open banking in the United States over the next few years.
If you’re launching a new product in the fintech space and are unsure about how these new regulations affect you, we would love to help. Email us at hello@pentadatainc.com or contact us here to get the conversation started.