Legal developments in data, privacy, cybersecurity, and other emerging technology issues

Consumer Financial Protection Bureau Unveils Proposals for Financial Data Rights Rule

Last week, the Consumer Financial Protection Bureau (“CFPB”) took a significant step forward in enhancing consumer control over private financial data when it launched a rulemaking process under Section 1033 of the Dodd–Frank Wall Street Reform and Consumer Protection Act (“Section 1033”). Section 1033 requires the CFPB to implement a rule to allow consumers to access their financial information. Currently, there is no duty under Section 1033 to maintain or keep any information about a consumer. The CFPB has yet to adopt a rule relating to data access, despite its authority to do so.

A data rights rule would not only require financial institutions to share information with consumers, but also empower consumers to more easily switch banks due to poor service. One of the CFPB’s goals in rulemaking is to “create a marketplace where companies would need to improve their offerings to keep their customers.” Proposals being considered include: how and when covered data providers would need to make consumer information available; authorized third party collection, use, and retention of consumer information; and record retention obligations and the implementation period for a final rule. Here are some high-level details from the CFPB’s proposals.

Scope and Applicability of Coverage

The CFPB is considering various proposals to implement Section 1033, including which entities would be required to comply and what information a rule would apply to. “Covered data providers” in this outline include: (1) financial institutions, and (2) card issuers. A “financial institution” in this context means “a bank, savings association, credit union, or any other person that directly or indirectly holds an account belonging to a consumer, or that issues an access device and agrees with a consumer to provide electronic fund transfer services[.]” A “card issuer” in this context means “a person that issues a credit card or that person’s agent with respect to the card.” “Covered accounts” in this outline include: (1) asset accounts, and (2) credit card accounts. These terms align with existing regulatory definitions.  

There are six categories of information that the proposals consider making available in connection with covered accounts:

  1. Periodic statement information for settled transactions and deposits;
  2. Information regarding prior transactions and deposits that have not yet settled;
  3. Other information about prior transactions not typically shown on periodic statements or portals;
  4. Online banking transactions that the consumer has set up but that have not yet occurred;
  5. Account identity information; and
  6. Other information such as agency consumer reports, covered data provider fees, bonuses and rewards, and security breaches.

Third Party Relationships

Third parties with authorization to access consumer financial information would also have obligations under the proposals. The CFPB has suggested in its outline the need for feedback on who is responsible for meeting those obligations. Whether that is the data recipient, the data aggregator, or both, the consumer information accessed by third parties must be protected.

Collection, use, and retention of consumer financial information are among the considerations set forth in the CFPB proposals. When a consumer gives authorization to a third party to access their information, when and how does the consumer revoke that access? What if a consumer wants to put limitations on the authorization of third parties who are accessing their financial information? Does a consumer have a responsibility to contact the third party regarding deletion of information? These are some of the questions posed by the CFPB as the agency seeks public feedback.

The CFPB proposals also contemplate consumers’ ability to allow third-party access to information and limitations involving access only to information needed to provide a particular product or service. The proposals also look at duration and frequency limits. The CFPB is also considering accuracy standards relative to third parties’ use of consumer data. Third parties could be required to implement and maintain policies and procedures which would verify the accuracy of information and handle consumer disputes. 


The CFPB outline provides long-awaited rulemaking guidance for financial industry leaders. The questions posed in the proposals will certainly spark conversations, likely leading to additional input for consideration. In particular, banks and other financial institutions will have to consider how to maintain the integrity of the data being shared and how to create controls that safeguard that data. 

A future Client Alert will provide more details on the CFPB’s rulemaking process; please subscribe here. Alternatively, please contact the authors with any questions.
