CFPB Personal Financial Data Rights Rule: What Consumers and Providers Need to Know
How the CFPB’s personal financial data rights rule reshapes data access, competition, and privacy across the financial services ecosystem.
The Consumer Financial Protection Bureau (CFPB) has adopted a comprehensive rule on personal financial data rights, intended to give consumers more control over their financial information, promote competition, and strengthen privacy protections in an increasingly digital financial system.
This article explains the policy goals behind the rule, the obligations it creates for financial institutions and technology firms, and what it means for everyday consumers who use bank accounts, credit cards, digital wallets, and other financial products.
1. The Legal Foundation: Section 1033 of the Consumer Financial Protection Act
The rule implements Section 1033 of the Consumer Financial Protection Act (part of the Dodd-Frank Act), which gives consumers the right to obtain information about their financial products and services from covered entities.
Under Section 1033, and subject to CFPB regulations:
- Covered entities (such as banks, credit card issuers, and some fintech providers) must make certain transaction and account data available to consumers upon request.
- The CFPB is directed to establish standards and promote the use of standardized, machine-readable formats for this information.
The personal financial data rights rule operationalizes these statutory requirements by specifying what data must be shared, how it must be shared, and which safeguards must protect that process.
2. Policy Goals: Competition, Innovation, and Privacy
The CFPB’s rule serves multiple policy objectives that reflect broader shifts toward open banking and digital finance.
2.1 Empowering Consumer Choice
By giving consumers a clear right to access and share their own financial data, the rule aims to:
- Help consumers compare products more easily across providers.
- Simplify switching between banks, card issuers, or digital financial apps.
- Support tools that analyze spending, fees, and interest to identify better options.
The Future of AI: Preventing a Big Tech Monopoly >
2.2 Promoting Competition and Open Banking
Standardized data-sharing frameworks are designed to reduce barriers to entry for innovative firms and make it harder for incumbents to rely on data lock-in to keep customers.
- New and smaller providers can build services on top of secure access to consumer-authorized data.
- Large institutions face pressure to improve pricing, transparency, and service quality.
2.3 Strengthening Data Protection
The rule is also a response to heightened concerns over data breaches, misuse of personal data, and opaque data aggregation practices.
- Third parties seeking access to data must meet strict criteria to qualify as authorized third parties.
- Obligations around data use, retention, and security are designed to minimize unnecessary collection and risky secondary uses.
3. Who Is Covered? Key Actors Under the Rule
The rule draws clear lines around which entities must share data and which entities may receive that data, subject to consumer authorization.
3.1 Data Providers
Data providers are firms that hold consumer financial information for covered products and services. These typically include:
- Banks and credit unions.
- Credit card issuers and some payment providers.
- Certain nonbank financial service providers that offer covered consumer products.
Data providers are obligated to make covered data available electronically to the consumer and, when authorized, to eligible third parties.
3.2 Consumers and Their Rights
The rule focuses on individual consumers, not businesses. Under Section 1033, a “consumer” includes an individual or an agent, trustee, or representative acting on that individual’s behalf.
Consumers gain the ability to:
- Request copies of their data in standardized, machine-readable formats.
- Direct that their data be securely transmitted to an authorized third party of their choice.
- Revoke earlier authorizations, limiting further access and use of their data.
3.3 Authorized Third Parties
Authorized third parties are companies—often fintech apps or data aggregators—that consumers select to access their data. To qualify, a third party must meet conditions laid out in the rule, including:
- Certifying that they will adhere to restrictions on data collection, use, and retention.
- Implementing robust security safeguards.
- Providing clear, comprehensible disclosures so consumers understand what data is accessed and for what purpose.
4. What Data Must Be Shared and How?
The rule specifies both the scope of data that must be shared and the technical manner in which it should be made available.
4.1 Scope of Covered Data
While details vary by product, covered data generally includes information such as:
- Account identifiers and basic account attributes.
- Transaction histories, including dates, amounts, and counterparties when available.
- Fees, interest rates, and certain other key cost-related information.
Highly sensitive information that is unnecessary for most consumer applications (such as certain internal risk scores) may be excluded, reflecting privacy and security considerations.
4.2 Electronic, Machine-Readable Access
To comply with Section 1033’s directive on standardized formats, the rule requires data providers to offer access in electronic, machine-readable form rather than only through static statements or paper records.
- Standard-setting organizations recognized by the CFPB may issue consensus technical standards, and the rule describes minimum attributes those bodies must have.
- The goal is interoperable data exchange that supports secure APIs and reduces reliance on less secure practices like screen scraping.
| Requirement | Purpose |
|---|---|
| Electronic access | Enables automated tools and digital applications to use consumer data efficiently. |
| Machine-readable format | Supports standardized, interoperable data exchange across providers and apps. |
| Standard-setting body recognition | Ensures technical standards are transparent, consensus-based, and inclusive. |
5. Privacy, Security, and Limits on Data Use
Because the rule encourages broader data sharing, it also includes substantial safeguards to protect consumers from misuse and security failures.
5.1 Conditions for Authorized Third Parties
To gain and retain access to consumer data, a third party must satisfy obligations that typically include:
- Collecting only the data reasonably necessary for the services the consumer has requested.
- Using the data solely for those disclosed purposes and not for unrelated advertising or profiling without additional consent.
- Implementing strong information security programs consistent with federal standards.
- Deleting or de-identifying data once it is no longer needed for the agreed services or when consent is withdrawn.
5.2 Consumer Consent and Revocation
The rule emphasizes meaningful consumer control over how their data is used.
- Consent must be informed, specific, and documented.
- Consumers must be able to revoke consent through clear and accessible mechanisms.
- When consent is revoked, ongoing access must stop, and further use or retention is restricted to limited, lawful purposes (such as records requirements).
5.3 Relationship to Existing Privacy Laws
The CFPB’s framework complements, rather than replaces, existing federal privacy and security requirements, such as those under the Gramm–Leach–Bliley Act (GLBA) for financial institutions.
Entities covered by multiple regimes must comply with all applicable standards, meaning that the data rights rule adds an additional layer of obligations in the specific context of consumer-authorized data sharing.
6. Costs, Fees, and Operational Burdens
One of the most debated elements of the rule is who bears the cost of building and maintaining the required data access infrastructure.
6.1 Data Access at No Direct Charge to Consumers
The CFPB has sought to ensure that consumers do not face new fees simply for exercising their data rights, generally expecting data providers to make data available without charging consumers or their authorized recipients for basic access.
This approach aims to avoid undermining the competitive and consumer-protection goals of Section 1033, although courts and stakeholders have raised questions about the agency’s authority and the economic impact on smaller institutions.[10]
6.2 Operational Impact on Providers
Building secure, standardized interfaces can be complex and costly, particularly for community banks and smaller providers.
- Institutions must invest in technology, cybersecurity, and compliance staff to meet the rule’s requirements.
- Industry groups have urged the CFPB to allow more flexibility in timelines and cost recovery mechanisms.[10]
7. Implementation Timelines and Legal Uncertainty
The rollout of the personal financial data rights rule has involved both phased compliance schedules and legal challenges that affect timing and scope.
7.1 Phased Compliance Deadlines
The final rule contemplates staggered compliance dates, with larger institutions expected to comply earlier than smaller ones.
- This phased approach recognizes different levels of technological sophistication and resources among institutions.
- Industry commenters have requested extensions and additional flexibility to avoid rushed or incomplete implementations.
7.2 Litigation and Reconsideration
The rule has been subject to litigation, including court orders limiting the CFPB’s ability to enforce it pending further reconsideration.
- Some courts have questioned the extent of the CFPB’s authority to require data sharing with commercial third parties and to restrict fees.
- In response, the CFPB has reopened aspects of the rulemaking process, seeking additional public comment and considering adjustments to the existing framework.
While the core concept of consumer data access under Section 1033 remains intact, details of implementation and enforcement may evolve as courts and regulators refine their approaches.
8. Practical Implications for Stakeholders
The rule has different, but interconnected, implications for consumers, financial institutions, and fintech companies.
8.1 What It Means for Consumers
Consumers stand to benefit through:
- Better visibility into fees, terms, and transaction patterns.
- Increased ability to use budgeting tools, account aggregators, and switching services that rely on secure data access.
- Improved security compared with ad hoc data-sharing methods such as sharing passwords with apps.
However, consumers also face new responsibilities, including understanding app permissions and being cautious about which third parties they authorize to access their data.
8.2 What It Means for Banks and Other Data Providers
Data providers need to:
- Map the data that falls within the rule’s definition of covered data for each product.
- Plan and build secure interfaces that align with emerging technical standards.
- Update disclosures, customer service processes, and internal governance to manage data requests and third-party access.
Strategically, institutions may also explore partnerships with fintech firms and invest in their own digital offerings to remain competitive in a more open environment.
8.3 What It Means for Fintech and Data Aggregators
Fintech firms and data aggregators gain clearer legal pathways to access consumer data—but only if they accept heightened regulatory obligations.
- Compliance with data use and security requirements becomes a core operational function, not an afterthought.
- Transparent, consumer-friendly practices can become a competitive differentiator as users grow more sensitive to privacy risks.
9. Preparing for a More Open and Regulated Data Landscape
Although specific deadlines and some provisions are still evolving, the direction of policy is clear: financial data is increasingly treated as something consumers should be able to move and control, within a framework that safeguards security and privacy.
Organizations can prepare by:
- Monitoring updates from the CFPB and Federal Register on reconsideration efforts and any revised timelines.
- Engaging with standard-setting initiatives to ensure technical solutions are practical and interoperable.
- Reviewing contracts, disclosures, and internal data governance policies to align with emerging obligations around consent, purpose limitation, and retention.
Frequently Asked Questions (FAQs)
Q1: Can my bank refuse to share my data with a budgeting or savings app I choose?
A: Under the CFPB’s personal financial data rights framework, data providers generally must share covered data with an authorized third party that you have selected, provided that the third party meets the rule’s criteria and you have given informed consent.
Q2: Does this rule let companies sell my data without my permission?
A: No. Authorized third parties are subject to limits on the collection, use, and retention of data and must only use information for the purposes you agreed to; broader secondary uses typically require additional consent and must comply with privacy and security rules.
Q3: Is screen scraping still allowed under the new framework?
A: The rule encourages secure, standardized access methods (such as APIs) and is part of a broader regulatory trend away from screen scraping, although the specifics can depend on technical standards and other applicable regulations.
Q4: How will smaller banks handle the cost of implementing data-sharing systems?
A: The CFPB has introduced phased compliance timelines and has solicited comments on cost and operational burden; industry groups continue to advocate for extended deadlines and flexibility, especially for community banks.
Q5: What should I consider before granting an app access to my financial data?
A: Review the app’s disclosures about what data it collects, how it uses and stores that data, and how you can revoke access. Choosing firms that provide clear explanations and have strong security practices can reduce risk while allowing you to benefit from data-driven tools.
References
- Required Rulemaking on Personal Financial Data Rights — Consumer Financial Protection Bureau. 2025-08-22 (updated content includes 2024 final rule overview). https://www.consumerfinance.gov/personal-financial-data-rights/
- 12 CFR Part 1033 – Personal Financial Data Rights — Consumer Financial Protection Bureau / Electronic Code of Federal Regulations. 2024-10-22 (rule publication, subsequently updated). https://www.consumerfinance.gov/rules-policy/regulations/1033/
- Personal Financial Data Rights Reconsideration — Federal Register, Consumer Financial Protection Bureau. 2025-08-22. https://www.federalregister.gov/documents/2025/08/22/2025-16139/personal-financial-data-rights-reconsideration
- Required Rulemaking on Personal Financial Data Rights (Rules Under Development and Related Materials) — Consumer Financial Protection Bureau. 2025 (page aggregating rulemaking updates). https://www.consumerfinance.gov/rules-policy/rules-under-development/personal-financial-data-rights-reconsideration/
- CFPB Section 1033 Open Banking Rule Stayed as CFPB Initiates New Rulemaking — Troutman Pepper Consumer Financial Services Law Monitor. 2025-11-14. https://www.consumerfinancialserviceslawmonitor.com/2025/07/cfpb-section-1033-open-banking-rule-stayed-as-cfpb-initiates-new-rulemaking/
- A Revamped CFPB Rulemaking on Personal Financial Data Rights — DLA Piper. 2025-08-29. https://www.dlapiper.com/en-us/insights/publications/2025/08/cfpb-rulemaking-on-personal-financial-data-rights
- Bank Policy Institute Supports CFPB Realigning Section 1033 Rule with the Law — Bank Policy Institute. 2025-08-23. https://bpi.com/bank-policy-institute-supports-cfpb-realigning-section-1033-rule-with-the-law/
Read full bio of Sneha Tete





