On October 22, 2024, the Consumer Financial Protection Bureau (CFPB) announced its long-awaited final rule on “Personal Financial Data Rights” (the Final Rule). The Final Rule implements Section 1033 of the Dodd-Frank Act, which provides consumers the right to access and port their financial information between banks and other financial entities. For an analysis of the proposed rule, please see our analysis here.
The Final Rule aims to spur greater choice and increase competition by requiring “data providers” to make consumers’ financial data accessible to consumers and their authorized third parties through specified consumer and developer interfaces and portable “standardized” formats.
Data providers covered by the Rule include banks, consumer credit lenders (including providers of Buy Now Pay Later or BNPL products that qualify as card issuers under Regulation Z), and payment facilitation companies (e.g., digital wallets). The Rule also outlines the responsibilities and limitations of third parties accessing consumer data, including detailed requirements to provide consumers with disclosures and the opportunity to provide consent, as well as strict limitations on data collection, use, and retention.
The Rule could reshape the consumer finance landscape by making it easier for emerging fintech companies that offer services ranging from payment apps to financial-management tools to gain access to consumer data that has long been tightly held by incumbent financial institutions. A legal challenge against the CFPB in connection with this rulemaking has already been filed in a Kentucky federal court.
Overview of the Final Rule and Key Changes to the Proposed Rule
Rules Applicable to Data Providers: Like the proposal, the Final Rule requires data providers to make consumer data available without fees or charges, through “developer interfaces” (for example, through the use of APIs), and in “standardized” formats.
Key changes in the Final Rule from the proposal with respect to requirements for data providers include the following:
Rules Applicable to Authorized Third Parties and Data Aggregators: As in the proposed Rule, the Final Rule requires authorized third parties to adhere to prescriptive requirements for making disclosures to consumers and securing their consent, strict use limitations, data minimization requirements, data security requirements, and recordkeeping requirements.
The Final Rule changes the proposed Rule’s requirements in a few respects:
Takeaways for Fintech Companies
The Final Rule marks a significant change in the financial services landscape, as well as the regulation of financial data access and privacy. Fintech companies can begin taking steps to strategically align with the new regime and ensure preparedness for compliance with requirements for strong privacy protections.
Next Steps
The Final Rule becomes effective 60 days after publication in the Federal Register. Implementation will be phased over four compliance dates: larger data providers must comply first, starting from April 1, 2026, and smaller ones by April 1, 2030. Wilson Sonsini Goodrich & Rosati routinely helps companies navigate the changing financial regulatory landscape and complex privacy and data security issues. For more information about this alert, please contact Maneesha Mithal, Jess Cheng, Doo Lee, or any member of the firm’s data, privacy, and cybersecurity or fintech and financial services practices.
[1] The Final Rule exempts small depository institutions with fewer than $850 million in assets pursuant to SBA size standard regulations in 13 CFR 121.201.
[2] For purposes of the Final Rule, a first-party payment is a transfer initiated by the payee or an agent acting on behalf of the underlying payee, or in other words, a payment that is initiated by the person or entity receiving payment, without involving third-party services or intermediaries.