The CFPB has released the final rule implementing Section 1033 of the Dodd-Frank Act, which requires banks and other financial institutions to make a consumer's financial information available to the consumer or to a third party at the consumer's direction. The final rule also bans third parties from using consumer data to advertise products the consumer didn't request and requires businesses to delete personal information once customers have revoked access to that data.
The CFPB first proposed the rule last year to move the U.S. closer to an "open banking" system where customers will be able to share and gain access to data associated with bank accounts, credit cards and other payment products with few barriers. One change from the original proposal is that the final rule bases coverage on the total assets held by a depository institution data provider, exempting institutions with $850 million or less in assets from the requirements.
The initial compliance dates are April 1, 2026, for depository institutions with at least $250 billion in total assets and nondepository institutions that generated at least $10 billion in total receipts in either 2023 or 2024; April 1, 2027, for depository institutions with at least $10 billion in assets and nondepository institutions that did not generate $10 billion in receipts; April 1, 2028, for depository institutions with at least $3 billion in assets; April 1, 2029, for depository institutions with at least $1.5 billion in assets; and April 1, 2030, for depository institutions with more than $850 million in assets.
To read more, visit:
https://files.consumerfinance.gov/f/documents/cfpb_personal-financial-data-rights-final-rule_2024-10.pdf