CFPB Issues Final 1033 Personal Financial Data Rights Rule
On October 22nd, the Consumer Financial Protection Bureau (CFPB) finalized its personal financial data rights rule, as required by Section 1033 of the Dodd-Frank Act. The rule requires financial institutions and other data providers to make covered data regarding financial products and services available to consumers and authorized third parties in electronic form.
For purposes of the rule, a financial product or service is defined as a checking, savings, or other asset account held primarily for a personal, family, or household purpose, and credit cards. Covered data includes, but is not limited to:
- Transaction history,
- Balance information, and
- The name, address, e-mail address, and telephone number associated with the financial product or service.
Covered data must be made available in a standardized format upon request. Data may be released to third parties with the consent of the consumer. A third-party may only use the covered data to the extent necessary to provide the consumer with the requested product or service and may not be used to advertise or cross-sell other products and services to the consumer.
The final rule provides for tiered compliance dates as follows:
- April 1, 2026 - FI's with $250 billion or more in assets
- April 1, 2027 - FI's with between $10 billion and $250 billion in assets
- April 1, 2028 - FI's with between $3 billion and $10 billion in assets
- April 1, 2029 - FI's with between $1.5 billion and $3 billion in assets
- April 1, 2030 - FI's with between $850 million and $1.5 billion in assets
Financial institutions with less than $850 million in assets are not subject to the final rule.
You can access the final rule and the CFPB’s executive summary here.
NOTE: Immediately following its release, the Bank Policy Institute and the Kentucky Bankers Association filed a lawsuit in federal court challenging the rule. Among other things, the lawsuit alleges that the CFPB overstepped its authority in promulgating the rule.
