Final Rule

Required Rulemaking on Personal Financial Data Rights

In Plain English

What is this Federal Register notice?

This is a final rule published in the Federal Register by the Consumer Financial Protection Bureau. Final rules have completed the public comment process and establish legally binding requirements.

Is this rule final?

Yes. This rule has been finalized. It has completed the notice-and-comment process required under the Administrative Procedure Act.

Who does this apply to?

Consult the full text of this document for specific applicability provisions. The affected parties depend on the regulatory scope defined within.

When does it take effect?

This document has been effective since January 17, 2025.

Why it matters: This final rule establishes 18 enforceable obligations affecting multiple CFR parts.


Regulatory History — 2 documents in this rulemaking

  1. Jun 11, 2024 2024-12658 Final Rule
    Required Rulemaking on Personal Financial Data Rights; Industry Standard-Setting
  2. Nov 18, 2024 2024-25079 Final Rule
    Required Rulemaking on Personal Financial Data Rights

Document Details

Document Number: 2024-25079
Type: Final Rule
Published: Nov 18, 2024
Effective Date: Jan 17, 2025
RIN: 3170-AA78
Docket ID: Docket No. CFPB-2023-0052
Text Fetched: Yes

Agencies & CFR References

CFR References:

Linked CFR Parts

Part          Name                                Agency
12 CFR 1001   Financial Products or Services...   -

Paired Documents

No paired documents

Related Documents (by RIN/Docket)

Doc #        Type         Title                                        Published
2024-12658   Final Rule   Required Rulemaking on Personal Financia...  Jun 11, 2024

📋 Extracted Requirements 18 total

Detailed Obligation Breakdown 18
Actor Type Action Timing
provider MUST granted access to the interface interface -
provider MUST obtained from the data provider data provider -
provider MUST retain and transfer for processing into a separate separate -
provider MUST developing its policies and procedures regarding accuracy -
provider MUST_NOT uses to access the consumer interface consumer interface -
provider MUST protect it for the consumer consumer -
provider MUST ensure their continued effectiveness -
provider MUST maintain written policies and procedures that are reasonab -
institution MUST reported on the quarterly call report submissions by quarterly call report prior to the merger or acquisition by using the combined assets reported on the quarterly call report submissions by all predecessor depository institutions
provider MUST Safeguarding Customer Information -
institution MUST using the average of the quarterly assets for average of the -
provider MUST disclose the metric as a percentage rounded to metric as a -
provider MUST_NOT responds to requests for covered data from an from an -
provider MUST comply with the requirements in § 1033 requirements in -
institution MUST report submissions -
provider MUST disclose in the manner required by paragraph (a) manner required by -
provider MUST complying with paragraph (a) of this section section -
provider MUST use the interface interface -

Requirements extracted once from immutable Federal Register document.

Full Document Text (181,560 words · ~908 min read)

<RULE>
CONSUMER FINANCIAL PROTECTION BUREAU
<CFR>12 CFR Parts 1001 and 1033</CFR>
<DEPDOC>[Docket No. CFPB-2023-0052]</DEPDOC>
<RIN>RIN 3170-AA78</RIN>
<SUBJECT>Required Rulemaking on Personal Financial Data Rights</SUBJECT>
<HD SOURCE="HED">AGENCY:</HD> Consumer Financial Protection Bureau.
<HD SOURCE="HED">ACTION:</HD> Final rule.
<SUM>
<HD SOURCE="HED">SUMMARY:</HD> The Consumer Financial Protection Bureau (CFPB) is issuing a final rule to carry out the personal financial data rights established by the Consumer Financial Protection Act of 2010 (CFPA). The final rule requires banks, credit unions, and other financial service providers to make consumers' data available upon request to consumers and authorized third parties in a secure and reliable manner; defines obligations for third parties accessing consumers' data, including important privacy protections; and promotes fair, open, and inclusive industry standards.
</SUM>
<EFFDATE>
<HD SOURCE="HED">DATES:</HD> This final rule is effective January 17, 2025. <E T="03">Compliance dates:</E> Data providers must comply with the requirements in 12 CFR part 1033, subparts B and C beginning April 1, 2026; April 1, 2027; April 1, 2028; April 1, 2029; or April 1, 2030, pursuant to the criteria set forth in § 1033.121(c).
</EFFDATE>
<FURINF>
<HD SOURCE="HED">FOR FURTHER INFORMATION CONTACT:</HD> George Karithanom, Regulatory Implementation and Guidance Program Analyst, Office of Regulations, at 202-435-7700 or <E T="03">https://reginquiries.consumerfinance.gov/.</E> If you require this document in an alternative electronic format, please contact <E T="03">CFPB_Accessibility@cfpb.gov.</E>
</FURINF>
<SUPLINF>
<HD SOURCE="HED">SUPPLEMENTARY INFORMATION:</HD>
<HD SOURCE="HD1">Table of Contents</HD>
<EXTRACT>
<HD SOURCE="HD2">Abbreviations and Acronyms</HD>
<FP SOURCE="FP-2">I. Overview</FP>
<FP SOURCE="FP1-2">A. Summary of the Final Rule</FP>
<FP SOURCE="FP1-2">B. Market Background</FP>
<FP SOURCE="FP-2">II. The Proposal and Other Procedural Background</FP>
<FP SOURCE="FP1-2">A. Outreach</FP>
<FP SOURCE="FP1-2">B. Summary of the Proposed Rule</FP>
<FP SOURCE="FP1-2">C. 2024 Industry Standard-Setting Final Rule</FP>
<FP SOURCE="FP-2">III. Legal Authority</FP>
<FP SOURCE="FP1-2">A. CFPA Section 1033</FP>
<FP SOURCE="FP1-2">B. CFPA Sections 1022(b) and 1024(b)(7)</FP>
<FP SOURCE="FP1-2">C. CFPA Section 1002</FP>
<FP SOURCE="FP-2">IV. Discussion of the Final Rule</FP>
12 CFR part 1033 General Comments Received on the Proposal
<FP SOURCE="FP1-2">A. Subpart A—General</FP>
<FP SOURCE="FP1-2">B. Subpart B—Making Covered Data Available</FP>
<FP SOURCE="FP1-2">C. Subpart C—Data Provider Interfaces; Responding to Requests</FP>
<FP SOURCE="FP1-2">D. Subpart D—Authorized Third Parties</FP>
<FP SOURCE="FP1-2">12 CFR part 1001</FP>
<FP SOURCE="FP-2">V. Effective and Compliance Dates</FP>
<FP SOURCE="FP-2">VI. CFPA Section 1022(b) Analysis</FP>
<FP SOURCE="FP1-2">A. Statement of Need</FP>
<FP SOURCE="FP1-2">B. Data and Evidence</FP>
<FP SOURCE="FP1-2">C. Coverage of the Rule</FP>
<FP SOURCE="FP1-2">D. Baseline for Consideration of Costs and Benefits</FP>
<FP SOURCE="FP1-2">E. Potential Benefits and Costs to Consumers and Covered Persons</FP>
<FP SOURCE="FP1-2">F. Potential Impacts on Insured Depository Institutions and Insured Credit Unions With $10 Billion or Less in Total Assets, as Described in Section 1026</FP>
<FP SOURCE="FP1-2">G. Potential Impacts on Consumers in Rural Areas, as Described in Section 1026</FP>
<FP SOURCE="FP-2">VII. Regulatory Flexibility Act Analysis</FP>
<FP SOURCE="FP1-2">A. Small Business Review Panel</FP>
<FP SOURCE="FP1-2">B. Final Regulatory Flexibility Analysis</FP>
<FP SOURCE="FP-2">VIII. Paperwork Reduction Act</FP>
<FP SOURCE="FP-2">IX. Congressional Review Act</FP>
<FP SOURCE="FP-2">X. Severability</FP>
</EXTRACT>
<HD SOURCE="HD1">Abbreviations and Acronyms</HD>
<EXTRACT>
<FP SOURCE="FP-1">ACH = Automated Clearing House</FP>
<FP SOURCE="FP-1">ANPR = Advance Notice of Proposed Rulemaking</FP>
<FP SOURCE="FP-1">API = Application programming interface</FP>
<FP SOURCE="FP-1">APR = Annual percentage rate</FP>
<FP SOURCE="FP-1">APY = Annual percentage yield</FP>
<FP SOURCE="FP-1">ATO = Account takeover</FP>
<FP SOURCE="FP-1">BLS = U.S. Bureau of Labor Statistics</FP>
<FP SOURCE="FP-1">BNPL = Buy Now Pay Later</FP>
<FP SOURCE="FP-1">EBT = Electronic benefit transfer</FP>
<FP SOURCE="FP-1">FDIC = Federal Deposit Insurance Corporation</FP>
<FP SOURCE="FP-1">FFIEC = Federal Financial Institutions Examination Council</FP>
<FP SOURCE="FP-1">FRFA = Final regulatory flexibility analysis</FP>
<FP SOURCE="FP-1">FTC = Federal Trade Commission</FP>
<FP SOURCE="FP-1">IRFA = Initial regulatory flexibility analysis</FP>
<FP SOURCE="FP-1">LEI = Legal Entity Identifier</FP>
<FP SOURCE="FP-1">MSA = Metropolitan statistical area</FP>
<FP SOURCE="FP-1">NAICS = North American Industry Classification System</FP>
<FP SOURCE="FP-1">NCUA = National Credit Union Administration</FP>
<FP SOURCE="FP-1">NPRM = Notice of Proposed Rulemaking</FP>
<FP SOURCE="FP-1">OCC = Office of the Comptroller of the Currency (U.S. Department of the Treasury)</FP>
<FP SOURCE="FP-1">OFAC = Office of Foreign Assets Control (U.S. Department of the Treasury)</FP>
<FP SOURCE="FP-1">OMB = Office of Management and Budget (Executive Office of the President)</FP>
<FP SOURCE="FP-1">RFI = Request for Information</FP>
<FP SOURCE="FP-1">SBA = U.S. Small Business Administration</FP>
<FP SOURCE="FP-1">SBA Advocacy = U.S. Small Business Administration Office of Advocacy</FP>
<FP SOURCE="FP-1">SNAP = Supplemental Nutrition Assistance Program</FP>
<FP SOURCE="FP-1">SSN = Social Security number</FP>
<FP SOURCE="FP-1">TAN = Tokenized account number</FP>
<FP SOURCE="FP-1">URL = Uniform resource locator</FP>
<FP SOURCE="FP-1">USDA = U.S. Department of Agriculture</FP>
</EXTRACT>
<HD SOURCE="HD1">I. Overview</HD>
<HD SOURCE="HD2">A. Summary of the Final Rule</HD>
When Congress established the Consumer Financial Protection Bureau in the Consumer Financial Protection Act (CFPA), it sought to ensure that markets for consumer financial products and services are fair, transparent, and competitive. <SU>1</SU> <FTREF/> CFPA section 1033 lets consumers take action by giving them a right to access their account information and authorize certain third parties acting on their behalf to access that information. This right enables consumers to evaluate their account relationships and switch providers that are not benefiting them, and allows consumers to authorize third parties to access data on their behalf to provide valuable products and services they request. Increased competition can lead to innovation, attractive rates, quality service, and other benefits.
<FTNT> <SU>1</SU> 12 U.S.C. 5511(a). The CFPA is title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act, Public Law 111-203, 124 Stat. 1376, 2008 (2010). </FTNT>
Specifically, CFPA section 1033(a) and (b) provide that, subject to rules prescribed by the CFPB, a covered person shall make available to a consumer, upon request, information in the control or possession of the covered person concerning the consumer financial product or service that the consumer obtained from such covered person, subject to certain exceptions. The information must be made available in an electronic form usable by consumers.
In addition, Congress mandated in section 1033(d) that the CFPB prescribe standards to promote the development and use of standardized formats for data made available under section 1033. This final rule carries out these objectives by empowering consumers to access account data controlled by providers of certain consumer financial products or services in a safe, secure, reliable, and competitive manner. When implemented, consumers will be able to access their own data and authorize third parties to access their data safely and with confidence that the third party is acting on their behalf, which means not collecting, using, or retaining consumer data for the benefit of entities other than the consumer. Consumers and authorized third parties will be able to access data securely, ensuring that a baseline set of security standards apply across the market. They also will be able to access data reliably, promoting the accurate and consistent transmission of usable data. Consumer-authorized data access under the final rule also will occur in a manner that promotes competition through standardization and other measures to avoid entrenching incumbent data providers, intermediaries, and third parties that have commercial interests not always aligned with the interests of consumers and competition generally.
<HD SOURCE="HD2">Coverage</HD>
In general, the final rule requires a “data provider” to make “covered data” about “covered financial products and services” available in electronic form to consumers and to certain “authorized third parties.” For this purpose, an authorized third party is a third party that has complied with the authorization procedures set forth in subpart D of part 1033. A “data provider” includes depository institutions (including credit unions) and nondepository institutions that issue credit cards, hold transaction accounts, issue devices to access an account, or provide other types of payment facilitation products or services.
The final rule does not apply to certain small depository institutions as defined in the rule. In general, “covered data” includes information about transactions, costs, charges, and usage. This coverage is intended to prioritize some of the most beneficial use cases for consumers and leverage data providers' existing capabilities. Clarifying the scope of the data access right will also promote consistency in the data made available to consumers, reduce costs of arrangin

Preview showing 10k of 1233k characters. Full document text is stored and available for version comparison.
This text is preserved for citation and comparison. View the official version for the authoritative text.