INSIGHTi
CFPB Proposes New Regulation on Consumer
Data Rights
December 19, 2023
On October 31, 2023, t
he Consumer Financial Protection Bureau (CFPB) propose
d a new regulation,
referred to as the Personal Financial Data Rights rule, to implement Section 1033 of the Dodd-Frank Wall
Street Reform and Consumer Protection Act
(P.L. 111-203). The law provides consumers with a right of
access to their financial information, and the proposal would clarify the standards to support this data
right. The proposed standards include online data interface requirements, the types of financial data
covered, obligations for third-party financial institutions accessing consumer data, and data privacy and
security.
The goal of the CFPB’s proposal is to give consumers control of their bank account and credit card
information and make data sharing safe, secure, and reliabl
e. The CFPB director argues that if consumers
can more easily share their financial information in electronic formats, they will find it easier to switch
financial institutions, access credit, and use innovative new financial products and services, increasing
competition i
n consumer financial services. For example, the proposal could allow a consumer to more
easily share (1) bill pay information with another financial institution to switch to another bank, (2) bank
account transaction information with a lender to qualify for a loan, or (3) credit card transaction
information with a financial technology provider that analyzes spending behavior to help spend less.
Data Sharing Background
Financial technology has resulted in greater usage of
digitized consumer financial data. For example,
most consumers currently access bank account information digitally through either
mobile or online
banking.
The CFPB finds that consumer data sharing has been growing in recent years and estimates that at least
100 million consumers have authorized third-party financial institutions, such as a data aggregator or data
intermediary, to access their account data. Third-party financial service applications include personal
financial management tools, payment tools, digital wallets, credit underwriting, and identity verification
tools.
Congressional Research Service
https://crsreports.congress.gov
IN12291
CRS INSIGHT
Prepared for Members and
Committees of Congress
Congressional Research Service
2
Web Scraping and APIs
One technology commonly used to collect account data is
web scraping, a technique that scans websites
to extract data from them. When consumers want to share their information with other financial
institutions, they usually share credentials—such as usernames or passwords—which allow third-party
financial service providers to access their financial account information. This process can create security
risks for consumers who have disclosed their credentials.
As an alternative, financial institutions may provide customer account information through a structured
data feed or application program interface (API) accessed by other financial institutions for consumer-
authorized data sharing without relying upon consumers’ credentials. Using API banking standards to
facilitate data sharing among financial firms is also known as
open banking.
While in the past, most access was through web scraping, the CFPB estimates that today about half of
third-party data access is through APIs. The CFPB asserts that
“there is nearly universal consensus” that
APIs are safer and more accurate than web scraping.
CFPB’s Proposal
Data Interface Requirements
The rule would require financial institutions to establish and maintain an interface for consumers and
authorized third parties to easily access consumer-authorized data for free. The data would need to be
made available in a standardized, electronic format that is both human- and machine-readable. A goal of
this data interface requirement is to transition away from web scraping to APIs, resulting in more secure
data sharing by reducing the risk of fraud and unauthorized access for consumers. The CFPB believes that
establishing and maintaining this data interface will be the largest
cost of compliance to financial
institutions of this rulemaking.
Covered Financial Institutions and Consumer Data
The rule would generally cover data pertaining to financial products such as bank accounts and credit
cards. Data would include consumer transaction and account balance information; payment initiation
information; and financial product prices, terms, and conditions for the past two years. The CFPB states
that it aimed to include data most valuable for consumers and third parties for purposes such as credit
underwriting, financial account switching, and comparison shopping for financial products and services.
The rule would cover both banks and nonbanks offering these types of products to consumers. Small
financial institutions that do not have online or mobile consumer interfaces are excluded from the rule.
The proposal includes staggered compliance dates for institutions of different sizes.
Third-Party Responsibilities
To access consumers’ financial data, third parties would need to provide a disclosure to consumers
describing the data they are accessing and use of the data. They would be permitted only to collect and
retain consumer data that is reasonably necessary to provide the consumers’ products or services and not
for other purposes such as marketing.
Third parties would need to reauthorize a consumer’s permission for the data annually or delete the data.
Consumers would be able to revoke third-party authorization at any time.
Congressional Research Service
3
Consumer Privacy and Security Risks
Data providers and third-party financial institutions would be required to adhere to existi
ng data security
standards for consumer financial data. Data providers would be able to confirm third-party authorization
requests with the consumer, and data access could be denied for legitimate risk management concerns.
Views on the Proposal
There has bee
n support for the proposal’s aim of allowing consumers to have more control over their
financial data and making data sharing safer and more reliable. However, some stakeholders have raised
concerns about parts of the proposal.
M
any financial technology companies support this proposal, as they may be able to attract new consumers
by making it easier and more secure for consumers to share their financial data. Whil
e banking groups
support parts of the proposal, they also express concerns around the cost to maintain the data interface.
Chairman McHenry of the House Financial Services Committee expressed concerns about the proposal’s
restriction of consumer data use to improve or create new consumer financial products and services. He
argues that this part of the proposal could limit innovation in consumer financial markets. In addition,
some stakeholders argue that covered data should include other financial accounts, such as
mortgages or
electronic benefit transfer (EBT) accounts related to the Supplemental Nutrition Assistance Program
(SNAP).
Author Information
Cheryl R. Cooper
Analyst in Financial Economics
Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff
to congressional committees and Members of Congress. It operates solely at the behest of and under the direction of
Congress. Information in a CRS Report should not be relied upon for purposes other than public understanding of
information that has been provided by CRS to Members of Congress in connection with CRS’s institutional role.
CRS Reports, as a work of the United States Government, are not subject to copyright protection in the United
States. Any CRS Report may be reproduced and distributed in its entirety without permission from CRS. However,
as a CRS Report may include copyrighted images or material from a third party, you may need to obtain the
permission of the copyright holder if you wish to copy or otherwise use copyrighted material.
IN12291 · VERSION 1 · NEW