
The CFPB’s Personal Data Rights Rule: Exhale, but Don’t Get Comfortable

After nearly a year of deliberation, the Consumer Financial Protection Bureau has finally issued its final rule governing personal data rights, which is widely expected to set the framework for open banking in the US. Across 594 pages, the CFPB still somehow managed to kick the can down the road on several critical decision points.

It does clarify some important factors, however, including key changes to the proposed rule released in late 2023. For the short term, most credit unions can breathe a sigh of relief. This is far from a hall pass, however; no CU should be sleeping on this issue.

As a reminder, the rule codifies consumer ownership of the financial data housed by FIs and requires it to be shared with third parties upon proper consumer request. CFPB Director Rohit Chopra argues this right was asserted in the Dodd-Frank Act twelve years ago (hence the nerdy references to Section 1033) but is only now being acted upon.

The CFPB reported receiving 11,290 comments to its proposed rule. Most of these were boilerplate copy/paste jobs, but even the 290 unique, detailed comment letters is a remarkable number. The agency made enough alterations over the past year to claim it has been responsive to feedback. Nonetheless it’s hard to see credit unions or banks expressing satisfaction.

The most welcome change is an extension to the deadline for compliance. The country’s largest FIs, those with more than $10 billion in assets (a group that includes 21 CUs), now have until April 2027 to comply, a year longer than initially contemplated (the 13 largest banks, plus some non-depository institutions, must comply in 2026). Three additional tiers, those exceeding $3 billion, $1.5 billion and $850 million, have until April of 2028, 2029 and 2030, respectively. Bonus points for anyone able to foresee the 2030 financial services environment.

Credit unions with less than $850 million in assets are exempt from the formal data sharing rule. The CFPB points out this translates to nearly 90% of credit unions (4,087 to be precise) falling out of scope. I strongly discourage credit unions from taking this “get out of jail free” card literally. The smallest of CUs, those with limited offerings and no digital presence beyond a website listing branch offerings, might be able to disregard the open banking dynamic. All others, including many of those under the $850 million threshold, risk looking antiquated and out of touch if current and prospective members are unable to engage with solutions poised to become even more commonplace.

Director Chopra effectively confirmed this belief on stage at Money 20/20 Sunday evening. “Over time I think consumers are going to be demanding this,” he said, adding that “I hope they won’t really have to think about it, but will just receive the benefits.”

The most disappointing aspect of the final rule is probably the CFPB’s doubling down on its prohibition against FIs assessing any fee for data provision. In an environment where financial fees of all types are under attack, a ban on seeking cost recovery for a mandate imposing significant implementation and due diligence expenses is hard to reconcile. Nearly as disappointing, the CFPB failed to include a process to end screen scraping, a risk-laden and error-prone process whose extinction was among the silver linings FIs saw in the proposed rule.

Equally troublesome are the factors left insufficiently addressed, such as liability for fraud, third party due diligence requirements, and safe harbors for denying access to suspicious actors. History shows that FIs will be left holding the bag on these, whether implicitly or explicitly.

Not surprisingly, multiple legal challenges to the rule have already been filed. With 594 pages to unpack there is of course far more to say about this, and we will, in the coming weeks.