The Consumer Financial Protection Bureau (CFPB) has finalized the Personal Financial Data Rights Rule (PFDRR) that will give consumers greater rights, privacy, and security over their personal financial data. The rule requires financial institutions, credit card issuers, and other financial providers to unlock an individual’s personal financial data and transfer it to another provider at the consumer’s request—for free—allowing consumers to more easily switch to providers with superior rates and services. By fueling competition and consumer choice, the rule is expected to help lower prices on loans and improve customer service across payments, credit, and banking markets.
“Too many Americans are stuck in financial products with lousy rates and service,” said CFPB Director Rohit Chopra. “Today’s action will give people more power to get better rates and service on bank accounts, credit cards, and more.”
The PFDRR ensures consumers will be able to access and share data associated with bank accounts, credit cards, mobile wallets, payment apps, and other financial products, and aims to address market concentration that limits consumer choice over financial products and services. Consumers will be able to access their data, such as transaction information, account balance information, information needed to initiate payments, upcoming bill information, and basic account verification information. Financial providers must make this information available without charging fees.
This rule moves the United States closer to having a competitive, safe, secure, and reliable “open banking” system. It’s part of the CFPB’s efforts to finally activate Section 1033 of the Consumer Financial Protection Act, a dormant legal authority enacted by Congress in 2010. This is the CFPB’s first significant rule to accelerate responsible open banking in the U.S., and the CFPB will be developing additional rules to address more products, services, and use cases, which are expected to boost competition by giving people more freedom to switch banks or providers and shop around for the best deal. This increased choice should incentivize financial institutions to offer improved products to attract new customers and retain old customers.
The PFDRR also establishes strong privacy protections, requiring that personal financial data be used only for the purposes requested by the consumer. It ensures that third parties cannot use consumer data for other purposes that benefit the third party but that consumers do not want. It also helps protect consumers from “screen scraping,” a common but risky practice that involves consumers providing their account passwords to third parties, who use them to access data indiscriminately through online banking portals.
In giving consumers more control over their financial data, the Personal Financial Data Rights Rule is expected to spur greater choice and increase competition by enabling people to:
- Fire fintechs and banks that provide lousy service: Consumers will be able to transfer their bank data to another bank, ensuring consumers can keep much of their banking history as they switch financial institutions. Consumers will not have to pay fees or clear hurdles from companies that make it harder to switch providers.
- Shop for better rates on products and credit: Consumers will be able to comparison shop and move to a competitor offering better rates, such as higher interest on deposits or lower interest on loans. It can also help people—including consumers with shorter credit histories, like young people—gain access to credit or obtain credit on better terms, by allowing lenders to make loans using data held by other institutions, such as information on income and expenses.
- Make secure payments, including “pay-by-bank”: The PFDRR ensures consumers will be able to securely share payments information, which can help enable what is sometimes referred to as pay-by-bank. Such products enable consumers to pay merchants, peers, and others, as well as move money between their own accounts. The rule will help bring greater competition to payments markets, which have long been an area of anti-competitive practices.
The PFDRR also strengthens protections for consumers’ data by:
- Banning bait-and-switch data harvesting: Third parties can only collect, use, or retain data to deliver the product the consumer requested. They cannot secretly collect, use, or retain consumers’ data for their own unrelated business reasons—for example, by offering consumers a loan using consumer data that they also use for targeted advertising. The rule does not prohibit any particular uses of data, but it requires that all use be driven by what is necessary to deliver the product sought by the consumer.
- Creating revocation and deletion rights: When a person revokes access, the rule requires that data access ends immediately, and deletion would be the default practice. Access can be maintained for no more than one year, absent express reauthorization. To prevent “dark patterns” from emerging, the process to revoke access must be simple and straightforward.
Compliance with the rule will be phased in based on institution size, with larger providers subject to the rule sooner than smaller ones. The largest institutions will have to comply by April 1, 2026, while the smallest covered institutions will have until April 1, 2030. Certain small banks and credit unions are not subject to this rule.
In June, the CFPB finalized a rule outlining the qualifications to become a recognized industry standard-setting body, which can issue standards that companies can use to help them comply with the CFPB’s Personal Financial Data Rights Rule.