MVA White Collar Defense, Investigations, and Regulatory Advice Blog

On October 22, 2024, the Consumer Financial Protection Bureau (the “CFPB”) finalized its personal financial data rights rule (“The Final 1033 Rule” or the “Final Rule”) that would require data providers to make available to consumers and their authorized third parties certain covered data in the data provider’s control or possession concerning a covered consumer financial product or service. This Final Rule comes a year after the CFPB initially proposed the rule (the “Proposed Rule”) in October of 2023.

Similar to the Proposed Rule, the Final 1033 Rule sets forth obligations for data providers and third parties with respect to certain consumer financial data. Data providers subject to the Final 1033 Rule include Regulation E financial institutions, Regulation Z card issuers and any other person who controls or possesses information concerning covered consumer financial products or services, which include Regulation E accounts, Regulation Z credit cards or the facilitation of payments from either.[1] Third parties include any person other than the consumer or the data provider.  

The key obligations of data providers and third parties, as laid out in the Final Rule, are outlined below.

Additionally, the Final Rule incorporates “consensus standards,” which are to be adopted and maintained by “recognized standard setters,” into its requirements and also details compliance dates for data providers based on their assets or revenue. Such standard-setting bodies and compliance dates are also discussed below.

Data Provider Obligations

• General rule. Data providers must make covered data available to consumers and authorized third parties, upon request.
• Covered data. Covered data required to be provided by data providers includes transaction information, account balance information, information to initiate payment to or from a Regulation E account directly or indirectly held by the data provider,[2] terms and conditions, upcoming bill information, and basic account verification information.[3]
• Exceptions to the general rule. Data providers don’t have to make available any confidential commercial information, any information collected for the sole purpose of preventing fraud or money laundering or detecting or reporting other unlawful conduct, or any information that the data provider can’t retrieve in the ordinary course of its business.
• Prohibition against evasion. Data providers can’t take any action (a) to intentionally evade the requirements of the Final Rule, (b) that they know or should know would likely render covered data unusable or (c) that they know or should know would likely prevent, interfere with, or materially discourage a consumer from accessing covered data.
• Interfaces. Data providers must maintain a consumer interface and a developer interface.
  • Consumer interfaces allow consumers to access their own data.
    • Upon request, covered data (except for payment initiation information, account verification information, and terms and conditions) should be made available in a machine-readable file that the consumer can retain and transfer.
  • Developer interfaces allow authorized third parties to access consumer data.
    • Covered data must be made available in a standardized and machine-readable format via a developer interface, where the format must conform to consensus standards. The performance of the developer’s interface must be commercially reasonable, which means (among other things), that it must meet certain quantitative minimum performance specifications.
• Denying interface access. Data providers can deny access to a consumer or developer interface if granting access would be inconsistent with policies and procedures designed to comply with safety and soundness standards of a prudential regulator, information security standards required by the Gramm-Leach-Bliley Act (the “GLBA”), or other applicable risk management laws and regulations. Denials must be reasonable. Data providers can also deny access to a developer interface if the third party doesn’t provide evidence that its information security practices are adequate or if the third party doesn’t make certain information such as its legal name and Legal Entity Identifier (“LEI”)[4], among others, available.
• Responding to requests. Data providers must make available covered data upon request from a consumer after authenticating the consumer’s identity and identifying the scope of the data requested. When responding to a request from a third party, the data provider must also authenticate the third party’s identity and receive documentation showing the third party’s authorization.
  • Data providers are not required to make covered data available if an exception applies, if the data isn’t in the data provider’s control or possession, if the interface is not available when the data provider receives the request, if the third party doesn’t have the appropriate authorization, or if the data provider doesn’t have enough information to authenticate the request as described above.
  • Data providers cannot allow third parties to access the data provider’s developer interface by using credentials (e.g., usernames and passwords) that a consumer uses to access the consumer interface.
• Information about the data provider. Data providers must make certain information available to the public, including its legal name, a link to its website, its LEI, contact information, documentation for a third party to access and use the developer interface, and a disclosure of the developer interface’s performance.
• Policies and procedures. Data providers must have written policies and procedures in place designed to achieve the objectives of the Final Rule. Such policies and procedures should include creating records of access and request denials, communicating the reason(s) for denial, and ensuring accuracy of data.
• Record retention. Records evidencing data provider actions in response to information or interface access requests must be retained for three years. Records of the requests themselves, records documenting third party authorization, records providing evidence of commercially reasonable performance, written policies and procedures, and any disclosures must also be retained for three years.

Third Party Obligations

• Authorization. Third parties can become authorized third parties
  • seeking access to covered data on behalf of a consumer for the purpose of providing a requested product or service to the consumer,
  • providing the consumer with an authorization disclosure,
  • certifying that the third party agrees to its obligations under the Final Rule, and
  • obtaining the consumer’s express informed consent, via written or electronic signature, to access the covered data on the consumer’s behalf.
• Duration of authorization. Third parties are limited to collecting covered data for a maximum period of one year after the consumer’s most recent authorization.
  • After one year, the third party will need to obtain new authorization.
• Limitation of access. Third parties must limit their collection, use and retention of covered data to what is reasonably needed to provide the product or service requested by the consumer.
  • Targeted advertising, cross-selling of other products or services, and the sale of data are not part of, or reasonably necessary to provide, any other product or service.
• Policies and procedures. Third parties must have written policies and procedures in place to ensure covered data is accurately received and accurately provided to other third parties, if applicable. Policies and procedures must be periodically reviewed and updated as necessary.
• Information security. Third parties must have information security programs in place that satisfy section 501 of the GLBA or, if the third party isn’t subject to the GLBA, the FTC Standards for Safeguarding Customer Information.
• Keeping consumers informed. Third parties should ensure consumers are kept informed, at least by providing the consumer with a copy of the authorization disclosure, providing contact information that allows the consumer to ask questions and receive answers about the third party’s access to the consumer’s covered data, and providing information requested by the consumer (including the categories of data collected and the reason for collection, who covered data was shared with and why, the status of the third party’s authorization, information about revocation, and a copy of any data aggregator certification statements).
• Revocation of authorization. Third parties must provide the consumer with a method to revoke the third party’s authorization that is as easy to access and operate as the method used for the providing the consumer’s initial authorization to the third party. There should be no cost or penalty associated with authorization revocations. The third party must notify the data provider if it receives a revocation request from the consumer.
• Other third parties. If a third party is providing covered data to another third party, the third party must contractually require the other third party to comply with the third-party obligations under the Final Rule.
• Use of data aggregators. Data aggregators may perform the authorization procedures on behalf of the third party seeking authorization, but the third party is responsible for compliance. If a data aggregator is used, the name of the data aggregator must be included in the authorization disclosure, as well as a certification that the data aggregator will comply with the third party obligations under the Final Rule. The certification may be communicated to the consumer separately.
• Record retention. Third parties must retain records evidencing their compliance with the Final Rule, including signed authorization disclosures and any data aggregator certifications, for at least three years after the consumer’s most recent authorization.

Standard Setting Bodies

Recognized standard setters are standard setting bodies that are recognized by the CFPB and may adopt and maintain “consensus standards,” which are incorporated into various provisions of the Final Rule.[5]  Recognition lasts up to five years and is subject to revocation.

Compliance Dates

Compliance dates are determined based on total assets held for a depository institution and total receipts generated by a non-depository institution. The threshold values for the assets and receipts for each compliance date is listed below.[6]

The Final 1033 Rule goes into effect 60 days after it was published in the Federal Register.

[1] Depository institutions that hold total assets equal to or less than the SBA size standard (as determined in accordance with the Final Rule) would not be considered data providers. Note, however, that if a depository institution at any point held total assets greater than the SBA size standard as of or after the effective date of the Final Rule and later holds total assets below that amount, that depository institution would be deemed a data provider.

The Final Rule excludes products and services that “merely facilitate first-party payments” from the definition of covered consumer financial product or service.

[2] Those data providers who don’t hold the underlying Regulation E account, such as a data provider who only facilitates pass-through payments, would not be required to provide information to initiate payment.

[3] Under the Final Rule, basic account information, for those data providers who directly or indirectly hold a Regulation E or Regulation Z account, includes a truncated account number or other identifier.

[4] A Legal Entity Identifier is an alpha-numeric code, based on the ISO 17442 standard developed by the International Organization for Standardization, that provides for unique identification of legal entities. Under the Final Rule, the LEI must be issued by “a utility endorsed by the LEI Regulatory Oversight Committee” or “a utility endorsed or otherwise governed by the Global LEI Foundation.”

[5] The attributes that the CFPB considers in recognizing a standard-setting body pursuant to the Final Rule are largely similar to the considerations set forth in the Proposed Rule.

[6] Note that for depository institutions that don’t meet the SBA size standard threshold in total assets, but later exceed the SBA size standard must comply with the requirements of the Final Rule within a reasonable amount of time after exceeding the size standard, but no more than five years.

[7] As stated in the Final Rule, the current size standard for all relevant NAICS codes is $850 million, which would exclude any depository institution with total assets less than that amount from the definition of data providers and, therefore, from compliance with the Final Rule.