On October 19, 2023, the Consumer Financial Protection Bureau (CFPB) announced its long-awaited proposed rule regulating “Personal Financial Data Rights” (the proposed rule). The proposed rule implements Section 1033 of the Dodd-Frank Act, which provides consumers the right to access and port their financial information between banks and other financial entities. CFPB Director Rohit Chopra stated that the proposal would accelerate the shift towards open banking and jumpstart competition in the U.S. financial service sector by giving consumers “the power to walk away from bad service” and switch providers.
The proposed rule would apply to two main categories of entities: 1) data providers like banks, consumer credit lenders, and payment facilitation companies (e.g., digital wallets); and 2) authorized third parties who can access financial data from data providers on consumer’s behalf, including data aggregators.
Requirements Applicable to Data Providers. Data providers would be subject to three main requirements:
Authorized Third Parties. Third parties would be subject to the following main requirements, among others.
The CFPB proposes to implement the rule in phases, establishing a staggered effective date starting at six months for the largest banks and firms, and extending to four years for the smallest.
Next Steps
The proposed rule is likely to undergo some revision before being finalized sometime in fall 2024. Interested parties may submit public comments to the CFPB on or before December 29, 2023. We encourage businesses interested in and potentially affected by the CFPB’s proposed rule to submit comments. Wilson Sonsini Goodrich & Rosati routinely advises companies on submitting public comments on proposed rules in the fintech, privacy, and security areas. For more information about this alert, please contact Maneesha Mithal, Libby Weingarten, or any member of the firm’s privacy and cybersecurity or fintech and financial services practices.
Doo Lee contributed to the preparation of this alert.
[1] The CFPB details certain risks associated with the practice of screen-scraping and states that “[t]he CFPB expects that third parties would no longer use screen scraping to access covered financial data once data providers have compliant interfaces for third parties.” Notice of Proposed Rulemaking at 213.