On October 22, 2024, the Consumer Financial Protection Bureau (CFPB) announced its long-awaited final rule on “Personal Financial Data Rights” (the Final Rule). The Final Rule implements Section 1033 of the Dodd-Frank Act, which provides consumers the right to access and port their financial information between banks and other financial entities. For an analysis of the proposed rule, please see our analysis here.
The Final Rule aims to spur greater choice and increase competition by requiring “data providers” to make consumers’ financial data accessible to consumers and their authorized third parties through specified consumer and developer interfaces and in portable “standardized” formats.
Data providers covered by the Rule include banks, consumer credit lenders (including providers of Buy Now Pay Later or BNPL products that qualify as card issuers under Regulation Z), and payment facilitation companies (e.g., digital wallets). The Rule also outlines the responsibilities and limitations of third parties accessing consumer data, including detailed requirements to provide consumers with disclosures and the opportunity to provide consent, as well as strict limitations on data collection, use, and retention.
The Rule could reshape the consumer finance landscape by making it easier for emerging fintech companies that offer services ranging from payment apps to financial-management tools to gain access to consumer data that has long been tightly held by incumbent financial institutions. A legal challenge against the CFPB in connection with this rulemaking has already been filed in a Kentucky federal court.
Overview of the Final Rule and Key Changes to the Proposed Rule
Rules Applicable to Data Providers: Like the proposal, the Final Rule requires data providers to make consumer data available without fees or charges, through “developer interfaces” (for example, through the use of APIs), and in “standardized” formats.
Key changes in the Final Rule from the proposal with respect to requirements for data providers include the following:
- New limitations and exemptions from the definition of “Data Provider”: The Final Rule exempts small depository institutions.[1] In addition, products and services that merely facilitate “first party payments,” such as payments initiated by loan servicers, are exempt.[2] While the Final Rule continues to define “Data Provider” to include “pass-through payment providers,” which are providers of digital wallets that can facilitate payments from a consumer’s account with a financial institution, the obligation to disclose payment initiation information (e.g., account and routing numbers) is more limited in the Final Rule and does not apply to pass-through payment providers.
- Clarification of justifications for denying access: Consistent with the proposal, the Final Rule generally requires data providers to provide interface access to consumers and their authorized third parties and also provides for instances where data providers may block access. The Final Rule includes changes to the proposal that the CFPB intends to clarify the operation of the regulatory framework, reduce the risk of unjustified denials, and reduce the burden on data providers of assessing third party risks. Under the Final Rule, a data provider does not violate the general obligation to provide interface access if granting such access would be inconsistent with written policies and procedures reasonably designed to comply with prudential safety and soundness standards, information security standards, or applicable laws and regulations regarding risk management; moreover, the denial must be “reasonable.” A denial is “reasonable” if it is directly related to a specific risk of which the data provider is aware, such as a failure of a third party to maintain adequate data security. The denial must be applied in a consistent and nondiscriminatory manner. Data providers must also keep records evidencing compliance with these rules.
- Anti-circumvention provision: The Final Rule includes an explicit prohibition against data provider conduct that would evade the objectives of the statute, including taking any action that the data provider knows or should know is likely to render the covered data unusable or that the data provider “knows or should know is likely to prevent, interfere with, or materially discourage” a consumer or authorized third party from accessing the covered data. For example, according to the Final Rule, a data provider that knowingly uses a slow communication method unfamiliar to the consumer to confirm a third-party authorization request, which causes delays in the third party’s access to covered data, would be a violation of this provision.
Rules Applicable to Authorized Third Parties and Data Aggregators: As in the proposed Rule, the Final Rule requires authorized third parties to adhere to prescriptive requirements for making disclosures to consumers and securing their consent, strict use limitations, data minimization requirements, data security requirements, and recordkeeping requirements.
The Final Rule changes the proposed Rule’s requirements in a few respects:
- Additional disclosure: The Final Rule includes a new disclosure requirement for securing a consumer’s authorization: among other disclosures, authorized third parties must now include a brief description of the expected data collection duration and a statement that collection will not exceed one year after the consumer’s most recent reauthorization. To continue collection, the third party must obtain a new authorization from the consumer no later than the anniversary of the most recent authorization.
- More prescriptive certification requirements for data aggregators: The Final Rule requires third parties and data aggregators to certify to the consumer that they will adhere to the Final Rule’s requirements. The Final Rule notably expands on the certification requirement for data aggregators by mandating that a data aggregator provide its certification in a clear, conspicuous, and easily understandable manner, and separately from the third party’s authorization disclosure.
- Product improvement as an additional example of permitted uses: Generally, the Final Rule permits authorized third parties and data aggregators to collect, use, and retain consumers’ data only as “reasonably necessary” to provide the requested product or service. The Final Rule now explicitly provides that “uses that are reasonably necessary to improve the product or service the consumer requested” fall within this permitted use.
Takeaways for Fintech Companies
The Final Rule marks a significant change in the financial services landscape, as well as the regulation of financial data access and privacy. Fintech companies can begin taking steps to strategically align with the new regime and ensure preparedness for compliance with requirements for strong privacy protections.
- Proactive Modifications: Fintech companies should proactively modify their current data practices in order to leverage this new open banking regime. More specifically, entities operating on behalf of consumers will want to shore up their authorization procedures for accessing covered data. This means carefully evaluating consumer authorization procedures to ensure they comply with the Final Rule’s detailed disclosure, consent, and certification mandates. For consent, this also involves establishing clear organizational policies and procedures for when to recognize, how to accept, and how to verify consumer consents and access revocations.
- Consent Revocation and Reauthorization: Companies will also need to provide an easy mechanism for consumers to revoke access authorization at any time, as well as a means to communicate that revocation to relevant data providers and data aggregators. Companies will need to establish a process for annual reauthorization of access.
- Data Collection, Use, Retention Limits: Authorized third parties and data aggregators will also need to implement robust limits on data collection, use, and retention, including data minimization, restrictions on secondary use, and a maximum data retention period of one year after the consumer’s most recent authorization.
- Screen Scraping Considerations: Consistent with its prior position disfavoring screen scraping, the CFPB states that “[a] core objective of the final rule is to transition the market away from using screen scraping to access covered data,” noting “[the developer interface requirement] supports this goal by preventing data providers from relying on a third party’s use of consumer credentials to access the developer interface.” The CFPB states that it “expects that parties will move away from screen scraping.” Businesses that rely on screen scraping to power their products and services may wish to evaluate other options for their long-term operations.
Next Steps
The Final Rule becomes effective 60 days after publication in the Federal Register. Implementation will be phased over four compliance dates: the largest data providers must comply first, starting April 1, 2026, and the smallest by April 1, 2030. Wilson Sonsini Goodrich & Rosati routinely helps companies navigate the changing financial regulatory landscape and complex privacy and data security issues. For more information about this alert, please contact Maneesha Mithal, Jess Cheng, Doo Lee, or any member of the firm’s data, privacy, and cybersecurity or fintech and financial services practices.
[1] The Final Rule exempts small depository institutions with less than $850 million in assets pursuant to the SBA size standard regulations in 13 CFR 121.201.
[2] For purposes of the Final Rule, a first party payment is a transfer initiated by the payee or an agent acting on behalf of the underlying payee; in other words, a payment that is initiated by the person or entity receiving payment, without involving third-party services or intermediaries.