CFPB Personal Financial Data Rights — Open Banking Rule
The CFPB Personal Financial Data Rights rule — codified at 12 CFR Part 1033 — is the United States' first comprehensive open banking regulation, implementing Section 1033 of the Dodd-Frank Act (12 U.S.C. § 5533). Finalized in October 2024, the rule requires banks, credit unions, credit card issuers, and certain fintech companies (collectively "data providers") to share consumers' financial data with consumers themselves and with the consumer's authorized third parties — budgeting apps, lending platforms, financial management tools, and others — through standardized electronic interfaces. The rule is designed to give Americans the right to take their financial data and use it with whichever financial services provider they choose, ending the era where banks controlled consumer data as a competitive moat.
Current Rule (2026)
| Parameter | Value |
|---|---|
| Citation | 12 CFR Part 1033 |
| Issuing agency | Consumer Financial Protection Bureau |
| Statutory authority | 12 U.S.C. §§ 5512, 5514, 5533 (Dodd-Frank Act § 1033) |
| Final rule published | 89 FR 90353 (October 2024) |
| First compliance deadline | April 1, 2026 (largest institutions, $500B+ assets) |
| Enforcement | CFPB; also prudential regulators for supervised institutions |
What This Rule Does
The Personal Financial Data Rights rule creates a right for consumers to access and portably transfer their financial data held by their banks and financial services providers. A bank customer can direct their bank to share transaction history, account balances, payment initiation information, and account terms with any app or service the customer authorizes. The bank must comply through a standardized electronic interface — not a PDF, not a screen-scraping workaround, but a proper machine-readable developer API.
The rule organizes obligations around two types of entities. Data providers — banks, credit unions, credit card issuers, and anyone who facilitates payments from bank accounts — must maintain both a consumer-facing interface and a developer interface (API) that third parties can use to access data on the consumer's behalf. Authorized third parties — fintech apps, lending platforms, payroll processors, financial advisors, and others — must follow strict authorization procedures and are barred from using consumers' data for targeted advertising, cross-selling, or resale.
What data is covered ("covered data") spans five categories: (1) transaction information, including at least 24 months of historical data (amounts, dates, merchant names, fees); (2) account balance information; (3) payment initiation information, including ACH routing and account numbers; (4) terms and conditions of the account; and (5) account verification information. Certain data is excluded: proprietary algorithm inputs and outputs (so a bank's internal credit scoring model stays private), data collected solely to prevent fraud or money laundering, and data required by law to be kept confidential.
The compliance timeline is tiered by institution size, phasing in from the largest institutions (those with $500 billion or more in total assets) through smaller banks, credit unions, and nondepository institutions over several years.
Key Provisions
- § 1033.101 — Authority and purpose: implements Dodd-Frank § 1033 to require data providers to make covered data available in electronic form usable by consumers and authorized third parties; also sets standards for industry standard-setting bodies recognized by CFPB
- § 1033.111 — Coverage: applies to any "covered person" that controls or possesses covered data about a "covered consumer financial product or service" — defined as (1) Regulation E accounts (checking, savings, prepaid), (2) Regulation Z credit cards, or (3) services that facilitate payments from those accounts
- § 1033.121 — Tiered compliance dates: data providers must comply by the date based on their asset size (depository institutions) or total receipts (nondepository institutions); the largest institutions face the earliest deadlines; data providers that do not meet size thresholds have later compliance dates
- § 1033.201 — Core obligation: data providers must make covered data available "upon request" to consumers and authorized third parties in electronic form; the provision includes an anti-evasion clause — a bank cannot take actions designed to render the data unusable, interfere with access, or discourage consumers from exercising their rights
- § 1033.211 — Covered data defined: the five categories above; transaction data must go back at least 24 months; payment initiation information (ACH routing/account numbers) may be provided as tokenized numbers only if the tokenization is not used to restrict competitive use
- § 1033.221 — Exceptions: data providers need not share proprietary algorithmic information, fraud-prevention-only data, or legally confidential data; importantly, the fact that data flows through an algorithm does not make it proprietary — the annual percentage rate set by an algorithm must still be shared
- § 1033.301 — Interface requirements: data providers must maintain both a consumer interface and a developer interface; the developer interface must be standardized and machine-readable, must achieve commercially reasonable performance (specific response-rate minimums apply), and must be documented publicly so third parties can connect to it
- § 1033.311 — Developer interface standards: the interface must conform to a format that is standardized (widely used by other data providers) and machine-readable; consensus standards set by CFPB-recognized standard-setting bodies (like the Financial Data Exchange, FDX) satisfy this requirement
- § 1033.321 — Access denials: data providers may deny access to a specific third party if granting access would conflict with prudential safety-and-soundness requirements, Gramm-Leach-Bliley Act information security standards, or other risk-management laws — but denials must be directly related to a specific identified risk and applied consistently and non-discriminatorily (so a bank cannot deny access to one fintech while allowing comparable access to another)
- § 1033.401 — Third party authorization: to become an "authorized third party," the third party must (a) provide the consumer with an authorization disclosure, (b) certify compliance with third-party obligations, and (c) obtain the consumer's express informed consent; the consumer's authorization is for a specific scope of data and a specific product or service
- § 1033.411 — Authorization disclosure: must be clear, conspicuous, segregated from other material, and must include the third party's name, the data provider's name, a description of the product or service being requested, the categories of data to be accessed, the duration of data collection, and how the consumer can revoke access
- § 1033.421 — Third party data use restrictions: authorized third parties may not use covered data for targeted advertising, cross-selling, or sale of the data — collection, use, and retention must be limited to what is reasonably necessary for the requested product or service; data collection authorization expires after one year (the third party must obtain new authorization to continue collecting)
- § 1033.431 — Data aggregators: companies like Plaid, MX, and Finicity that act as intermediaries between third-party apps and data providers may perform authorization procedures on behalf of third parties, but the third party remains responsible for compliance; data aggregators must independently certify to consumers that they agree to the data-use restrictions
- § 1033.441 — Record retention: authorized third parties that are CFPB-supervised persons must retain records evidencing compliance with authorization procedures for at least three years after the consumer's most recent authorization
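As an added illustration of the consent lifecycle in §§ 1033.401 through 1033.421 (this is not CFPB, FDX or any data provider's code), the following shows how an authorized third party could gate each data pull on the consumer's scoped authorization, its one-year lifetime, revocation, and the prohibited purposes; the field names, the 365-day encoding of "one year", and the sample values are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, replace
from datetime import date, timedelta

# The five covered-data categories named in § 1033.211.
COVERED_CATEGORIES = frozenset({"transactions", "balances", "payment_initiation", "terms", "verification"})
# Uses that § 1033.421 bars regardless of what the consumer consented to.
PROHIBITED_PURPOSES = frozenset({"targeted_advertising", "cross_selling", "data_sale"})
AUTHORIZATION_LIFETIME = timedelta(days=365)  # assumed encoding of the rule's "one year"

@dataclass(frozen=True)
class Authorization:
    """One consumer's consent record; the field names are assumptions, not the rule's."""
    third_party: str
    data_provider: str
    product: str                # the specific product or service the consumer authorized
    categories: frozenset[str]  # subset of COVERED_CATEGORIES the consumer agreed to share
    granted_on: date
    revoked_on: date | None = None

def revoke(auth: Authorization, on: date) -> Authorization:
    """Record the consumer's revocation; the original record is left unchanged."""
    return replace(auth, revoked_on=on)

def authorization_status(auth: Authorization, today: date) -> str:
    """Return 'active', 'revoked' or 'expired' for the consent record on a given day."""
    if auth.revoked_on is not None and auth.revoked_on <= today:
        return "revoked"
    if today >= auth.granted_on + AUTHORIZATION_LIFETIME:
        return "expired"  # fresh consent is needed to keep collecting
    return "active"

def check_request(auth: Authorization, today: date, category: str, purpose: str) -> tuple[bool, str]:
    """Gate one data pull against the consent record and the § 1033.421 use limits."""
    if purpose in PROHIBITED_PURPOSES:
        return False, f"purpose '{purpose}' is barred regardless of consent"
    status = authorization_status(auth, today)
    if status != "active":
        return False, f"authorization is {status}"
    if category not in COVERED_CATEGORIES:
        return False, f"'{category}' is not a covered-data category"
    if category not in auth.categories:
        return False, f"consumer did not authorize '{category}'"
    return True, "permitted"

# Constructed sample: a budgeting app authorized for transactions and balances only.
SAMPLE_AUTH = Authorization("ExampleBudget", "Example Bank", "monthly budgeting",
                            frozenset({"transactions", "balances"}), date(2026, 4, 1))
```

A production gate would also log each decision to support the § 1033.441 record-retention obligation.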
How It Affects You
If you're a bank or credit union: You are a data provider. You must build or acquire two interfaces — one for consumers to download their own data, one developer API for authorized third parties. The developer interface must meet performance standards (response rates measured quarterly) and conform to standardized formats. You need written policies and procedures, and if a third party requests access for a consumer, you cannot simply refuse without a documented risk-management reason that is applied consistently. The biggest institutions (over $500 billion in assets) had the earliest compliance deadline (April 2026); smaller banks and credit unions have later deadlines. Review your interface capabilities, your denial policies, and your procedures for handling authorization confirmations.
If you're a fintech app, financial management tool, or lending platform: You are (or want to be) an authorized third party. You must go through the authorization procedures for each consumer whose data you access — which means presenting a compliant authorization disclosure and obtaining express informed consent before pulling data. You cannot repurpose that data for advertising or cross-selling. Your data access authorization expires after one year; to keep accessing a consumer's accounts beyond that, you need fresh consent. If you use a data aggregator (Plaid, MX, etc.) to connect, the aggregator must independently certify its compliance to the consumer in your authorization disclosure, but you remain responsible. Evaluate whether your current consent flows and data use practices comply with these obligations.
If you're a data aggregator (Plaid, MX, Finicity, etc.): The rule directly regulates you as a third-party service provider when you act on behalf of authorized third parties. You must certify to consumers that you comply with the data-use restrictions. You cannot sell data or use it for advertising. The rule creates pressure on the business models of aggregators that have historically also sold consumer financial data to data brokers — those secondary uses are now restricted.
If you're a consumer: This rule gives you a legal right to ask your bank to share your data with any authorized app or service. You no longer need to give third-party apps your bank username and password to connect (screen-scraping) — banks must provide proper APIs. Your authorization is specific: you choose what data to share, with whom, and for what purpose. You can revoke access. The third party cannot sell your data or use it to target ads at you. The practical effect will take time to be felt as compliance timelines roll out, but the rule provides the legal foundation for the kind of data portability Americans already have in healthcare (HIPAA right of access) and European consumers have in finance (PSD2).
Statutory Authority
This rule implements:
- 12 U.S.C. § 5533 (Dodd-Frank Act § 1033) — "Consumer Rights to Financial Records" — requires the CFPB to prescribe regulations enabling consumers to access their own financial data and authorizing consumer-directed data sharing; the core statutory mandate
- 12 U.S.C. § 5512 — CFPB rulemaking authority under the Consumer Financial Protection Act
- 12 U.S.C. § 5514 — CFPB supervisory authority over larger participants in consumer financial markets
Recent Rulemakings
- 89 FR 90353 (Oct. 2024) — Final rule establishing 12 CFR Part 1033; the first implementation of Dodd-Frank § 1033 more than 14 years after the statute was enacted; established the four-subpart framework (general, data availability, interfaces, authorized third parties), the five covered data categories, tiered compliance dates, and third-party data-use restrictions including the prohibitions on targeted advertising and data sale
Recent Developments
- Final Rule published October 2024: The CFPB finalized 12 CFR Part 1033 in October 2024 — the first implementation of Dodd-Frank § 1033 more than 14 years after the statute was enacted. The final rule established tiered compliance deadlines: the largest banks (over $500 billion in assets) must comply by April 1, 2026; mid-tier institutions by April 1, 2027; smaller banks and credit unions on later schedules through 2030.
- Industry legal challenge: Banking trade groups including the Kentucky Bankers Association and others challenged the rule in federal court in Kentucky shortly after finalization, arguing the CFPB exceeded its § 1033 authority by regulating third parties and imposing performance standards on bank APIs. The case was pending as of April 2026.
- CFPB structural upheaval (2025): President Trump fired CFPB Director Rohit Chopra in January 2025. Subsequent leadership changes and a DOGE-directed workforce reduction significantly curtailed CFPB's operational capacity, raising questions about whether the bureau has the staff to enforce Part 1033 on its original timelines. CFPB paused most ongoing rulemaking and many enforcement activities in early 2025.
- Open banking industry activity continues: Despite regulatory uncertainty, industry implementation of open banking infrastructure (developer APIs, data aggregator certifications, consumer authorization flows) continued. Major banks began building Part 1033-compliant interfaces ahead of their compliance deadlines, and data aggregators (Plaid, MX, Finicity) continued refining their authorization and certification processes.
- State-level open banking: Several states have enacted or are considering their own consumer financial data rights laws, which may create a patchwork of requirements if CFPB's federal rule is delayed, weakened, or enjoined.
Pending Action
The rule faces legal and political uncertainty. Banking industry trade groups challenged the rule in federal court shortly after finalization, arguing that the CFPB exceeded its statutory authority by regulating third-party conduct and imposing interface-performance standards. The CFPB under the Trump administration (post-January 2025) has taken a less aggressive regulatory posture broadly, and the rule's implementation timeline and enforcement priorities may shift. Watch for CFPB guidance on specific compliance questions, including the performance standards for developer interfaces and the scope of the anti-evasion clause.