The Consumer Financial Protection Bureau has finalized its personal financial data-rights rule aimed at governing the sharing of consumer data through open banking.
The new rule, released early Tuesday, will require financial institutions, credit card issuers, and other financial providers to share data at a consumer’s direction with companies offering competing products. As a result, consumers will be able to access, or authorize third-party access to, such data as transaction information, account balances, information needed to initiate payments, upcoming bill payments, and “basic account verification” data. Financial-services providers will be required to make such information available free of charge to consumers.
The CFPB, which proposed the rule in October 2023, says the new rule will fuel “competition and consumer choice, help lower prices on loans, and improve customer service across payments, credit, and banking markets,” increasing consumer choice over financial products and services.
In addition, the regulator says the rule is intended to move the United States closer to having “a competitive, safe, secure, and reliable” open-banking system.
“Too many Americans are stuck in financial products with lousy rates and service,” CFPB Director Rohit Chopra says in a statement. “Today’s action will give people more power to get better rates and service on bank accounts, credit cards, and more.”
Industry reaction to the rule has remained largely positive since it was proposed in late 2023. “Overall, [the rule] lays a foundation for a more innovative financial ecosystem,” Stewart Watterson, a strategic advisor for Datos Insights, says by email. “We see this as a financial-services game changer.”
The new rule also establishes privacy protections for consumers by requiring that personal financial data be used only for the purposes requested by the consumer. Third parties are prohibited from using consumer data against a consumer’s wishes for other purposes.
The rule also helps move the financial-services industry away from screen scraping, a technique in which third parties seek to verify accounts by copying data displayed on a screen after gaining account access. The CFPB characterizes the practice as “risky” because it typically involves consumers providing account passwords to third parties, which then use them to access data through online banking portals.
Other consumer protections afforded by the rule include limiting third parties' collection and retention of data to what is needed to deliver the product the consumer requested, and ending data access by a third party immediately upon request by the consumer.
The new rule empowers consumers with enhanced data control, fostering competition and innovation in financial services, Watterson adds. “It facilitates easier provider switching, improves decision-making, strengthens privacy protections, and may reduce fees while expanding credit access and payment options,” he says.
Nevertheless, financial-services providers face some compliance challenges, Watterson adds. These include development of application programming interfaces, data security, third-party risk management, and compliance costs.
“[Financial services providers] must also navigate competitive pressures, consumer education, operational changes, and standardization challenges while balancing innovation and customer-experience improvements,” Watterson adds.
The CFPB plans to phase in compliance, starting with large providers. The largest financial-services providers have until April 1, 2030, to comply. Certain small banks and credit unions are not subject to the rule.
The CFPB says it plans to develop additional rules to address more products, services, and use cases.