Skip to main content
Resources Center

Consumer Financial Protection Bureau (CFPB) Proposed Rulemaking on Personal Financial Data Rights

By November 7, 2023No Comments

On November 1, 2023, the Consumer Financial Protection Bureau (CFPB) issued a proposed rule to establish 12 CFR part 1033, to implement section 1033 of the Consumer Financial Protection Act of 2010 (CFPA or Dodd-Frank Act). The proposed rule would require depository and nondepository entities to make available to consumers and authorized third parties certain data relating to consumers’ transactions and accounts; establish obligations for third parties accessing a consumer’s data, including important privacy protections for that data; provide basic standards for data access; and promote fair, open, and inclusive industry standards.

Under the proposed rule, the “Covered data” include:
 Transaction information, including historical transaction information in the control or possession of the data provider;
 Account balance;
 Information to initiate payment to or from a Regulation E account;
 Terms and conditions (e.g., applicable fee schedule, any annual percentage rate or annual percentage yield, rewards program terms, whether a consumer has opted into overdraft coverage, and whether a consumer has entered into an arbitration agreement);
 Upcoming bill information (e.g., information about third party bill payments scheduled through the data provider and any upcoming payments due from the consumer to the data provider); and
 Basic account verification information (limited to the name, address, email address, and phone number associated with the covered consumer financial product or service).

The covered data does not include:
 Confidential commercial information
 Information collected by the data provider for the sole purpose of preventing fraud or money laundering, or detecting, or making any report regarding other unlawful or potentially unlawful conduct;
 Information required to be kept confidential by any other provision of law; or
 Information that the data provider cannot retrieve in the ordinary course of its business.

Comments on the proposed rule are due by December 29, 2023.

For more details, please see

Leave a Reply