Personal Financial Data Rights rule would challenge industry to compete for customers, protect consumers from excessive surveillance, and help people walk away from bad service
Today, the Consumer Financial Protection Bureau (CFPB) proposed a rule that would accelerate a shift toward open banking, where consumers would have control over data about their financial lives and would gain new protections against companies misusing their data. The proposed Personal Financial Data Rights rule activates a dormant provision of law enacted by Congress more than a decade ago. It would jumpstart competition by forbidding financial institutions from hoarding a person’s data and by requiring companies to share data at the person’s direction with other companies offering better products. The proposed rule would allow people to break up with banks that provide bad service and would forbid companies that receive data from misusing or wrongfully monetizing the sensitive personal financial data.
“With the right consumer protections in place, a shift toward open and decentralized banking can supercharge competition, improve financial products and services, and discourage junk fees,” said CFPB Director Rohit Chopra. “Today, we are proposing a rule to give consumers the power to walk away from bad service and choose the financial institutions that offer the best products and prices.”
Currently, people’s access to their financial data is inconsistent from one financial institution to another. Even among companies that do share data at a customer’s request, the terms of the sharing vary greatly. This lack of norms in the market allows incumbents to play games to their own customers’ detriment – including hiding or obscuring important data points like prices. This undercuts the ability of small or upstart institutions to compete with incumbents, even when people want their data shared.
Under the proposed Personal Financial Data Rights rule, people would have the power to share data about their use of checking and prepaid accounts, credit cards, and digital wallets. This would allow them to access competing products and services without worrying that their data might be collected, used, or retained to serve commercial interests over their own. Importantly, people could be certain that their data would be used only for their own preferred purpose—and not for financial institutions or tech companies to surveil and manipulate.
The proposed Personal Financial Data Rights rule would ensure that consumers:
- Get their data free of junk fees: Banks and other providers subject to the rule would have to make personal financial data available, at no charge to consumers or their agents, through dedicated digital interfaces that are safe, secure, and reliable.
- Have a legal right to share their data: People would have a legal right to grant third parties access to information associated with their credit card, checking, prepaid, and digital wallet accounts. This type of data can help firms provide a wide range of products and services, including cash flow-based underwriting that stands to improve pricing and access across credit markets. When these firms offer a desired product or service, people would be able to switch providers more easily. They would also be able to more conveniently manage accounts from multiple providers.
- Can walk away from bad service: Not only would the proposed rule increase competitive forces among financial institutions, it would also enable people to walk away from bad services and products. People can become trapped by providers that hold their data, but this proposal would allow them to more easily shift their data to a competitor offering better or lower priced products and services.
The proposed Personal Financial Data Rights rule would protect the interests of both consumers and financial firms through:
- Robust protections to prevent unchecked surveillance and misuse of data: Companies that people authorize to access data on their behalf would have to agree to certain important conditions. Third parties could not collect, use, or retain data to advance their own commercial interests through actions like targeted or behavioral advertising. Instead, third parties would be obligated to limit themselves to what is reasonably necessary to provide the individual’s requested product.
- Meaningful consumer control: The proposal would also give people the right to revoke access to their data. When a person revokes access, the proposal would require that data access end immediately, and deletion would be the default practice. Access can be maintained for no more than one year, absent the individual consumer’s reauthorization.
- A move away from risky data collection practices: Many companies currently access consumer data through screen scraping, which often requires people to share their usernames and passwords with third parties. This proposal seeks to move the market away from these risky data collection practices.
- Fair industry standard-setting: Instead of providing detailed technical standards, the rule contains several requirements to ensure industry standards are fair, open, and inclusive. The CFPB intends to assess future standards developed by the private sector under the terms described in the rule.
Under the proposal, the requirements would be implemented in phases, with larger providers being subject to them much sooner than smaller ones. In addition, the many community banks and credit unions that have no digital interface at all with their customers would be exempt from the rule’s requirements.
The proposed rule is the first proposal to implement Section 1033 of the Consumer Financial Protection Act, which charged the CFPB with implementing personal financial data sharing standards and protections. The CFPB intends to cover additional products and services in future rulemaking.
Read the regulatory text of section 1033 .
Read today’s Notice of Proposed Rulemaking.
Comments must be received on or before December 29, 2023. The CFPB invites comments on any aspect of this proposal, including on other consumer financial products and services that could be covered via subsequent rulemaking.
Consumers can submit complaints about financial products or services by visiting the CFPB’s website or by calling (855) 411-CFPB (2372).
Employees who they believe their company has violated federal consumer financial protection laws are encouraged to send information about what they know to whistleblower@cfpb.gov.