The Personal Financial Data Rights Rule

On October 22, 2024, the Consumer Financial Protection Bureau (“CFPB”) finalized the Personal Financial Data Rights rule, which moves the United States closer to “an open banking system in which consumers, not dominant firms, control their data.”  The CFPB is generally tasked with “promoting fair, transparent, and competitive markets for consumer financial products and services.”

On October 23, 2024, CFPB Director Rohit Chopra spoke at Georgetown University’s DC Fintech Week.  As shown below, his prepared remarks do a nice job of describing how the new rule will address data ownership and stewardship problems largely ignored by helpless consumers.

Today, I primarily want to focus on the data protections in the rule, which are essential to ensuring the rule works to advance competition in financial markets. This rule will help to dramatically improve privacy and security, ending the problematic credential sharing and invasive surveillance that we too often see.

First, to obtain data on a consumer’s behalf, a bank, fintech, or other financial company will need to adhere to federal data security requirements. This means they can’t have shoddy security like we saw at companies like Equifax. And if they fail to meet their obligations, they can face enforcement actions and can even get shut down by the licensing or chartering authority.

Second, the rule works towards ending the practice of “screen scraping.” This occurs when a company collects a consumer’s username and password to log in to online banking on the consumer’s behalf to scrape away data. “Screen scraping” is risky, since it can involve unencrypted credential sharing and massive overcollection of data.

Third, the rule requires companies to minimize the data they collect, secure it, and, as a default practice, delete it upon revocation. In addition, the rule forbids companies from seeking to obtain a permanent authorization to continually harvest data. These requirements should lessen the amount of data that would be vulnerable to a data breach.

Fourth, the rule allows banks and fintechs that currently hold the consumer’s data to deny access to companies requesting on the consumer’s behalf when they fail to meet minimum standards. Companies making requests will need to prove they have the authorization from the consumer, disclose their legal entity identifier, and more. The rule allows banks and fintech to engage in legitimate blocking, as long as those practices are applied consistently and fairly.

Fifth, and most importantly, the rule puts into place significant limitations on how companies can use data. Right now, financial companies send consumers an annual privacy notice that tells them any parties they reserve the right to share the data with. In theory, consumers review this and then opt out of sharing they don’t want. In reality, almost no one opts out of anything. Many believe this is just another notice that doesn’t meaningfully limit misuse of personal data.

The rule spells out a simple, but much different approach: you can use a consumer’s data to provide the product or service the consumer asked you for, but you can’t use it for unrelated purposes the consumer doesn’t want. In other words, companies can’t engage in a bait-and-switch, where they lure people in with an offer for a loan or an account, but then sell, exploit, or monetize the data for another purpose.

And there’s a lot more. Taken together, these protections improve the privacy and security of our financial data, compared to the status quo. This will help to stop the lurch toward surveillance pricing.

The CFPB has closely studied how Big Tech companies and other firms can combine your search history, browsing history, geolocation history, your contacts, and more to create a detailed profile about you. We also see how large banks are also seeking to harvest more data from their customers without meaningful limits. When this information includes your sensitive personal financial data, this can create the conditions for surveillance pricing.

For example, if a rideshare giant knows that you worked an extra shift and just got a larger paycheck than usual, it might decide to charge you more for a ride home. If a dominant player in search knows that you just made a payment at a fertility clinic, it might start targeting you with ads for dubious treatments you didn’t ask for.

While the CFPB’s Personal Financial Data Rights that implements new statutory rights will help to jumpstart competition, it is also a major step forward for privacy, security, and data protection.

Director Chopra is correct in his optimistic assessment of the rule given the longtime “data slurping” conducted by so many companies has largely gone unabated and this new rule – which solves some but far from every consumer data transgression, is a great beginning.  It only took the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 to establish the CFPB and it then another fourteen years to get the CFBP to promulgate this new rule.  When dealing with the “data industrial complex”, these things take time. 

Indeed, as shown by this new rule’s compliance schedule, it will be years before the individual parts of the rule take effect with possible judicial and governmental intervention in the interim.  See Personal Financial Data Rights Rule (“Data providers must comply with the requirements in subparts B and C beginning April 1, 2026; April 1, 2027; April 1, 2028; April 1, 2029; or April 1, 2030, depending on the criteria set forth in § 1033.121(c)”). At the very least, the new rule discussed by Director Chopra alerts consumers to the dark “data industrial complex”. Even if the rule eventually gets neutered, its underlying wake up call hopefully doesn’t get unanswered on a state level.