Reconsidering Personal Financial Data Rights
How the CFPB’s reconsideration of personal financial data rights could reshape open banking, privacy, and competition.
The Consumer Financial Protection Bureau (CFPB) is revisiting its landmark framework on personal financial data rights, a move that could significantly reshape how consumers access, share, and protect their financial information. This reconsideration comes after the Bureau finalized an open banking rule in 2024 and then initiated a new rulemaking process to reassess key elements of that regime.
The outcome will affect banks, credit unions, fintechs, data aggregators, and, most importantly, the millions of consumers who rely on third-party apps for budgeting, payments, credit management, and more.
Background: Section 1033 and the Rise of Open Banking
Personal financial data rights in the United States are centered on Section 1033 of the Consumer Financial Protection Act, a provision of the Dodd-Frank Act. Section 1033 requires that, subject to CFPB rules, covered entities such as banks must make available to consumers, upon request, transaction data and certain information about financial products or services they have obtained.
- Covered entities: Banks, credit unions, card issuers, and other firms that provide consumer financial products or services.
- Consumer data access: Consumers have a right to obtain information about their accounts and transactions in a usable form.
- Standardization goal: Section 1033 directs the CFPB to promote standardized formats for data access.
Over time, consumers increasingly turned to third-party services—such as personal finance apps, digital wallets, and alternative lenders—that relied on access to bank data. This evolution led to the CFPB’s 2024 final rule on Personal Financial Data Rights, often called the open banking rule.
The 2024 Personal Financial Data Rights Final Rule: Key Features
In October 2024, the CFPB finalized a rule requiring data providers to make covered data available to consumers and authorized third parties electronically, subject to detailed conditions.
Who Must Share Data?
The final rule applied to a set of data providers involved in core consumer financial services, including:
- Banks and credit unions offering checking and savings accounts
- Credit card issuers
- Prepaid account providers
- Digital wallet and payment app providers
The Future of AI: Preventing a Big Tech Monopoly >
These institutions were required to make various categories of account and transaction data available, subject to exclusions and safeguards.
What Data Could Be Accessed?
The rule granted consumers no-cost electronic access to covered data relating to specific accounts and services, and allowed them to authorize third parties to access the same data.
Broadly, covered data included:
- Transaction history: Debits, credits, dates, payees, and other relevant details
- Account characteristics: Balances, account numbers or tokens, account type indicators
- Terms and conditions: Fees, interest rates, payment due dates, credit limits, rewards rules
- Basic identity and contact details: Names, addresses, emails, and phone numbers needed for account verification
The 2024 rule also specified categories of information that did not have to be shared, such as certain internal risk scores and information subject to other legal restrictions.
Authorized Third Parties and Their Obligations
To obtain data from a provider, a third party needed to qualify as an authorized third party by certifying that it would meet defined obligations around data collection, use, security, and retention.
Core obligations included:
- Consent and transparency: Obtain clear consumer authorization describing the data to be accessed and the purpose for which it will be used.
- Purpose limitation: Use data only as necessary to provide the specific product or service requested by the consumer; other secondary uses such as selling data or targeted advertising were generally prohibited without additional express consent.
- Time-limited authorization: Consumer authorization was generally capped at one year, after which new consent would be required.
- Revocation and deletion: Consumers could revoke access at any time, requiring the third party to stop data collection and, in many cases, delete data that was no longer needed.
Consumer Rights Strengthened by the Rule
The 2024 framework aimed to strengthen consumer control over their data in several ways:
- No-cost access to covered data from data providers
- Ability to grant and revoke third-party access
- Limitations on how third parties could use or retain data
- Expectations for strong privacy and security practices
Advocacy groups emphasized that consumers should not have to choose between using beneficial financial services and maintaining robust privacy and security protections.
Why the CFPB Is Reconsidering the Rule
Following the issuance of the 2024 final rule, industry groups challenged aspects of the regulation and a court stayed its implementation. In response, the CFPB opted to initiate a new rulemaking on Personal Financial Data Rights Reconsideration, reopening core policy choices for public comment.
The new rulemaking process seeks input on how best to implement Section 1033 while addressing concerns about costs, security, statutory authority, and market impact.
| Issue | What Is Being Reconsidered? |
|---|---|
| Cost and fees | Whether and how data providers may charge fees for fulfilling consumer and third-party data requests. |
| Security practices | What standards and methods (such as discouraging or ending screen scraping) should govern data access for security and reliability. |
| Scope of data access | Which types of accounts, data elements, and providers should be covered or exempted. |
| Third-party data uses | How far limits on secondary uses, retention, and sharing by third parties should go. |
Key Policy Debates in the Reconsideration
1. Who Should Bear the Cost of Data Access?
Under the 2024 rule, access to covered data for consumers was required to be provided at no cost, and certain fees on third parties and aggregators were restricted. As the rule is reconsidered, the CFPB has indicated it is examining approaches that may allow fees to offset the costs of compliance.
Stakeholders are divided:
- Industry groups argue that prohibiting fees undermines incentives to invest in secure infrastructure and places disproportionate costs on data providers, particularly smaller institutions.
- Consumer advocates worry that allowing too many fees could indirectly limit consumers’ practical access to their data or reduce competition from smaller fintechs.
2. Data Security and the Future of Screen Scraping
Security is one of the most contentious issues. Many providers and regulators have criticized “screen scraping,” in which third parties log into consumer accounts using credentials and copy data from online interfaces.
- Industry commenters urge rules that explicitly phase out screen scraping in favor of more secure, standardized interfaces like APIs, coupled with clear third-party risk management expectations.
- The CFPB is evaluating the security, cost-benefit profile, and operational impacts of different technical approaches to data sharing.
Managing this transition without disrupting consumer access to existing services is a central challenge of the reconsideration.
3. Privacy, Secondary Use, and Consumer Control
Section 1033 implementation is deeply intertwined with privacy policy. The 2024 rule limited third parties’ ability to use data for purposes beyond the service the consumer requested, such as targeted advertising or resale, unless the consumer gave distinct, explicit consent.
During reconsideration, the CFPB is being urged to:
- Maintain strong purpose and use limitations for third parties
- Clarify revocation processes and what happens to data after revocation
- Provide more guardrails on aggregators’ own data analytics and sharing practices
Consumer advocates stress that privacy and security protections must not be weakened in ways that reduce competition or deny consumers access to beneficial tools.
4. Compliance Timelines and Regulatory Certainty
Because the original 2024 rule included phased compliance dates, many institutions began significant planning and investment before the rule was stayed. With reconsideration underway, firms face uncertainty about what standards will ultimately apply and when.
- Industry organizations have asked the CFPB to delay or suspend existing compliance timelines until the revised rule is finalized and litigation is resolved.
- Regulatory clarity is particularly important for smaller institutions and fintechs that must prioritize limited resources.
Potential Impacts on Key Stakeholders
Impact on Consumers
For consumers, the final contours of a reconsidered rule will shape:
- Data access: How easily they can obtain information about their accounts and share it with apps or new providers.
- Choice and competition: Whether they can easily switch providers, compare products, or use innovative services powered by their financial data.
- Privacy and security: The strength of protections against misuse, overcollection, or unnecessary retention of financial data.
Over 100 million consumers already use third-party financial applications that depend on access to bank data, so even subtle rule changes can have broad effects.
Impact on Financial Institutions
Banks and other data providers must navigate both technical and regulatory challenges:
- Developing and maintaining secure interfaces for data access
- Managing relationships and risk with third-party data recipients
- Absorbing or recovering the costs of compliance, depending on how fee rules are finalized
Institutions also have strategic questions: whether to view open banking as a compliance obligation, a competitive opportunity, or both.
Impact on Fintechs and Data Aggregators
Fintech firms and aggregators rely on regular, reliable, and permissioned access to consumer data. A reconsidered rule could influence:
- How they design consent flows and authorization dashboards
- The tools available to connect with financial institutions (for example, API-based access versus legacy methods)
- The business models they can pursue, particularly around data analytics, targeted offers, or resale
Clear, standardized rules may ultimately lower integration costs and enable new products, but in the near term, changing requirements could impose significant transition burdens.
Practical Considerations for Compliance Planning
Until the reconsideration process is complete, firms face a moving target. However, several themes are likely to remain central regardless of precise rule language.
Core Data Governance Steps
- Inventory covered data: Map where covered account and transaction data resides and how it flows across systems.
- Review third-party relationships: Assess contracts and oversight mechanisms for data aggregators and fintech partners.
- Strengthen authorization management: Ensure processes for obtaining, refreshing, and revoking consumer consent are robust and well-documented.
- Enhance security controls: Align data-sharing practices with industry security standards and emerging expectations around API-based access.
Engaging with the Rulemaking Process
The CFPB’s reconsideration is being carried out through a public rulemaking process, including an advance notice of proposed rulemaking and opportunities for written comment.
- Stakeholders can submit data, legal analysis, and practical input on costs, benefits, and implementation challenges.
- Diverse participation—from community banks, consumer advocates, fintech startups, and large institutions—can help the CFPB balance innovation, competition, and protection.
Looking Ahead: Building a Durable Open Banking Framework
The reconsideration of personal financial data rights is not simply a technical regulatory adjustment. It is part of a broader shift toward open banking—a model where consumers can securely move their data among providers to obtain better services, improved pricing, and more tailored financial tools.
For a durable framework, several principles are likely to guide the final outcome:
- Consumer-centric control: Consumers should clearly understand and easily manage how their data is used and shared.
- Security by design: Data access channels must be resistant to fraud, unauthorized access, and misuse.
- Interoperability and standardization: Data formats and access methods should support competition while reducing integration complexity.
- Balanced economics: Costs should be allocated in ways that are sustainable yet do not undermine consumer rights or stifle smaller innovators.
As the CFPB revisits its approach, all participants in the financial data ecosystem will need to stay engaged, informed, and ready to adapt.
Frequently Asked Questions (FAQs)
Q: What is Section 1033 and why does it matter?
Section 1033 of the Consumer Financial Protection Act requires that, under CFPB rules, covered entities make available to consumers, upon request, certain data about financial products and services they have obtained. It is the legal backbone for federal rules governing consumer access to personal financial data and open banking.
Q: Does the CFPB reconsideration mean consumers lose their right to access data?
No. The reconsideration focuses on how the right is implemented—what data must be shared, under what conditions, at what cost, and with what safeguards. The underlying principle that consumers have rights to their financial information remains widely supported, including by industry groups.
Q: How will this affect the apps I use to manage my finances?
Many budgeting, payment, credit, and investment apps rely on access to your bank and card data, often via intermediaries. A revised rule could change how those connections are made, which data they can use, and what consents are required, but it is also intended to make such access safer and more transparent over time.
Q: Are banks allowed to charge for providing data?
Under the 2024 final rule, consumer access to covered data had to be provided at no cost, and fees on some third-party access were constrained. In its reconsideration, the CFPB is evaluating whether and how providers might charge fees to defray costs while preserving meaningful consumer access and competition.
Q: What can consumers do now to protect their financial data?
Consumers can review which apps and services have access to their accounts, revoke permissions they no longer need, use strong authentication methods, and monitor accounts for unauthorized activity. Even as the rule evolves, these practices help reduce risk while preserving the benefits of digital financial services.
References
- Required Rulemaking on Personal Financial Data Rights — Consumer Financial Protection Bureau. 2025-08-22. https://www.consumerfinance.gov/personal-financial-data-rights/
- Personal Financial Data Rights Reconsideration — Federal Register / Consumer Financial Protection Bureau. 2025-08-22. https://www.federalregister.gov/documents/2025/08/22/2025-16139/personal-financial-data-rights-reconsideration
- CFPB Finalizes Open Banking Rule Under Section 1033: Key Takeaways for Accessing Consumer Financial Data — DLA Piper. 2024-11-01. https://privacymatters.dlapiper.com/2024/11/cfpb-finalizes-open-banking-rule-under-section-1033-key-takeaways-for-accessing-consumer-financial-data/
- CBA Urges CFPB to Protect Consumers in Re-Examining Its Personal Financial Data Rights Financial Rule — Consumer Bankers Association. 2025-08-27. https://consumerbankers.com/press-release/cba-urges-cfpb-to-protect-consumers-in-re-examining-its-personal-financial-data-rights-financial-rule/
- Consumer group warns against changes to CFPB rule on personal financial data — FedScoop. 2025-08-27. https://fedscoop.com/cfpb-rule-personal-financial-data-consumer-reports-letter/
- CFPB Section 1033 Open Banking Rule Stayed as CFPB Initiates New Rulemaking — Troutman Pepper Consumer Financial Services Law Monitor. 2025-07-18. https://www.consumerfinancialserviceslawmonitor.com/2025/07/cfpb-section-1033-open-banking-rule-stayed-as-cfpb-initiates-new-rulemaking/
- CFPB Reopens Its Open Banking Rule for Comment — Greenberg Traurig. 2025-09-09. https://www.gtlaw.com/en/insights/2025/9/cfpb-reopens-its-open-banking-rule-for-comment
Read full bio of medha deb





