CFPB Finalizes New Rule Expanding Consumer Financial Data Privacy Rights
Financial institutions must deliver a consumer's financial data to another provider for free, upon the consumer's request
The Consumer Financial Protection Bureau (CFPB) finalized a rule today that's expected to expand consumers' rights, privacy, and security over their personal financial data. The rule requires financial institutions, credit card issuers, and other providers to unlock an individual’s personal financial data and transfer it to another provider at the consumer’s request for free.
The personal financial data that consumers will be able to access, or authorize a third party to access, is transaction information, account balance information, information needed to initiate payments, upcoming bill information, and basic account verification information. Financial providers must make this information available without charging fees.
Financial firms will be required to comply based on their size; the largest institutions will have to comply by April 1, 2026, while the smallest covered institutions will have until April 1, 2030. Certain small banks and credit unions are not subject to this rule, the press release stated.
The CFPB believes this rule allows consumers to more easily switch to providers with superior rates and services. By strengthening competition and consumer choice, the rule should help lower prices on loans and improve customer service across payments, credit, and banking markets.
“Too many Americans are stuck in financial products with lousy rates and service,” said CFPB Director Rohit Chopra. “Today’s action will give people more power to get better rates and service on bank accounts, credit cards, and more.”
The CFPB has been waiting to activate Section 1033 of the Consumer Financial Protection Act since it was enacted by Congress in 2010. More rules are expected to follow, addressing more products, services, and use cases. Overall, the rules are intended to boost competition by giving people more freedom to switch banks or providers and shop around for the best deal.
Banning The Old Bait-N-Switch
Typically, third parties can only collect, use, or retain data to deliver the product the consumer requested. They cannot “secretly collect, use, or retain consumers’ data for their own unrelated business reasons,” the CFPB release stated. “The rule does not prohibit any particular uses of data, but it requires that all use be driven by what is necessary to deliver the product sought by the consumer.”
For example, if a financial institution were to use the consumer data as a lead generator to offer the consumer a mortgage, which is not the product they are looking for, that would be deemed a bait-and-switch tactic.
Deletion Rights
The final rule also creates revocation and deletion rights. If a person revokes access, the rule requires that data access end immediately, and deletion would be the default practice. Access can be maintained for no more than one year, absent express reauthorization. “To prevent ‘dark patterns’ from emerging, the process to revoke access must be simple and straightforward,” the release went on to say.