Bureau unveils new rule proposal aimed at giving consumers more control over their financial data

Consumers would ostensibly have control over data about their financial lives and “would gain new protections against companies misusing their data,” the federal consumer protection agency said Thursday in proposing a new rule.

The Consumer Financial Protection Bureau (CFPB) said the proposal – dubbed the “Personal Financial Data Rights” rule – would “challenge the financial services industry to compete for customers, protect consumers from excessive surveillance, and help people walk away from bad service.”

The proposal, the agency wrote in its notice of proposed rulemaking, would require depository and nondepository entities to make available to consumers and authorized third parties certain data relating to consumers’ transactions and accounts. The proposal, the agency said, would also establish obligations for third parties accessing a consumer’s data, including privacy protections for that data, provide basic standards for data access, and promote “fair, open, and inclusive industry standards.”

More specifically, CFPB said, the proposal would “jumpstart competition by forbidding financial institutions from hoarding a person’s data and by requiring companies to share data at the person’s direction with other companies offering better products.”

It would also, CFPB said, allow people to “break up with banks” that provide bad service and would forbid companies that receive data from misusing or wrongfully monetizing the sensitive personal financial data.

The bureau said that, under the proposal, bank customers would have the power to share data about their use of checking and prepaid accounts, credit cards, and digital wallets. “This would allow them to access competing products and services without worrying that their data might be collected, used, or retained to serve commercial interests over their own,” the agency said. “Importantly, people could be certain that their data would be used only for their own preferred purpose—and not for financial institutions or tech companies to surveil and manipulate.”

The proposed rule would require companies to, among other things:

  • Agree to certain important conditions, including that third parties could not collect, use, or retain data to advance their own commercial interests through actions like targeted or behavioral advertising. Instead, third parties would be obligated to limit themselves to what is reasonably necessary to provide the individual’s requested product.
  • Acknowledge customers’ right to revoke access to their data by requiring that data access end immediately, and deletion would be the default practice. Access can be maintained for no more than one year, absent the individual consumer’s reauthorization.
  • Adopt ensure industry standards that are fair, open, and inclusive (although the CFPB intends to assess future standards developed by the private sector under the terms described in the rule)

The bureau said the requirements would be implemented in phases, with larger providers being subject to them much sooner than smaller ones. In addition, CFPB said, community banks and credit unions that have no digital interface at all with their customers would be exempt from the rule’s requirements.

CFPB Proposes Rule to Jumpstart Competition and Accelerate Shift to Open Banking