Personal Financial Data Rights Final Rule Released
On Oct. 22, 2024, the Consumer Financial Protection Bureau (CFPB) released its long-awaited final rule on Personal Financial Data Rights. The nearly 600-page final rule requires financial institutions to transfer an individual’s personal financial data to another provider at the consumer’s request for free. This is intended to make it easier for consumers to shop for better rates and services.
The rule, sometimes referred to as the “1033 Rule” after Section 1033 of the Dodd-Frank Act, provides consumers with the right to access their account information and authorize certain third parties acting on their behalf to access that information. The CFPB intends the final rule to be a step toward an open banking system.
According to the final rule, a financial institution must make covered data available to authorized third parties in a standardized and machine-readable format and in a commercially reasonable manner, including by meeting a minimum response rate with respect to requests for covered data. A financial institution cannot comply with the requirement to make data available to authorized third parties by allowing the third party to engage in “screen scraping,” an access method that uses consumer credentials to log in to consumer accounts to retrieve data. A financial institution also must publicly disclose certain information about itself to facilitate access to covered data and promote accountability.
One of the issues of concern to financial institutions is the rule's privacy protection implications. The final rule requires personal financial data be used by the financial institution for the purposes requested and authorized by the consumer. Data harvesting is prohibited, meaning third parties cannot collect, use or retain consumers' data for targeted advertising, cross-selling products or any unrelated business reason. The final rule allows consumers to authorize third parties to access data on their behalf to provide products and services they request.
Covered financial institutions will have to develop and implement written policies and procedures related to what covered data is generally made available, how they respond to requests for developer interface access and requests for information, the accuracy of data transmitted through an interface and record retention.
There are staggered compliance dates, depending on the asset size of the financial institution:
- April 1, 2026 - Depository institution data providers that hold at least $250 billion in total assets.
- April 1, 2027 - Depository institutions that hold at least $10 billion in total assets but less than $250 billion in total assets.
- April 1, 2028 - Depository institution data providers that hold at least $3 billion in total assets but less than $10 billion in total assets.
- April 1, 2029 - Depository institution data providers that hold at least $1.5 billion in total assets but less than $3 billion in total assets.
- April 1, 2030 - Depository institution data providers that hold less than $1.5 billion in total assets but more than $850 million in total assets.
Our regulatory compliance specialists continue to stay abreast of news related to financial institutions. To learn more about how this may impact your organization, contact us today.