CFPB Finalizes Rule on Personal Financial Data Rights
The Consumer Financial Protection Bureau (CFPB) recently finalized its Personal Financial Data Rights Rule which it says is designed to give consumers greater privacy, security, and rights over their personal financial data. It will require financial institutions, credit card issues, and other providers to transfer a consumer’s personal financial data at no cost at the individual’s request.
“Too many Americans are stuck in financial products with lousy rates and service,” said CFPB Director Rohit Chopra. “Today’s action will give people more power to get better rates and service on bank accounts, credit cards, and more.” The new rule will allow consumers to more easily switch to providers with better rates and services.
In a summary of the new rule, Financial Regulation News highlighted that third parties cannot use consumers’ personal financial data for purposes that benefit themselves; rather, it can only be used for the purpose requested by the consumer. The Bureau says that the rule helps move the banking industry away from “screen scraping,” where consumers provide their account passwords to third parties that use them to indiscriminately access data.
The rule also ensures consumers can make secure payments with “pay-by-bank,” which allows consumers to pay peers, merchants, and others, as well as move money between their own accounts. It also requires data providers to authenticate consumers prior to sharing financial information, as well as provide written documentation to ensure compliance.
Consumer Finance and Fintech Blog noted that the rule requires providers to make the following data available; transaction details; account balances; information for initiating payments to or from a Regulation E account; available terms and conditions; upcoming bill details; and basic account verification information like name, address, email, and phone number.
Compliance with the rule will be implemented in phases depending on the size of the institution; the largest institutions must comply by April 1, 2026, and the smallest institutions will have to comply by April 1, 2030.