Introduction
On October 22, 2024, the Consumer Financial Protection Bureau (CFPB) issued the final Personal Financial Data Rights Rule (the final rule) to implement section 1033 of the Consumer Financial Protection Act of 2010 (Title X of the Dodd-Frank Act).
Among other things, the final rule requires data providers to make available to consumers and authorized third parties, upon request, transaction data and other information concerning a consumer financial product or service. In addition to providing for obligations of the data providers, the final rule also imposes certain obligations on authorized third parties involved in processing covered data.
Scope of the Final Rule
The final rule applies to data providers that control or possess covered data concerning a covered consumer financial product or service that a consumer obtained from the data provider. However, data providers that are depository institutions and whose total assets do not exceed the Small Business Administration (SBA) size standard (currently $850 million) are exempt from the requirements of the final rule.
Definitions of Key Terms
To appreciate the true scope of the final rule, let us understand some key concepts:
1. Data Provider
Data Provider means a covered person, as defined in 12 U.S.C. 5481(6), that is:
- A financial institution, as defined in Regulation E;
- A card issuer, as defined in Regulation Z;
- Any other person who controls or possesses information concerning a covered consumer financial product or service the consumer obtained from that person.
2. Covered Person
Covered person means:
- any person that engages in offering or providing a consumer financial product or service; and
- any affiliate of such a person, if the affiliate acts as a service provider to that person.
3. Covered Data
Covered data means, as applicable:
- Transaction information, including historical transaction information in the control or possession of the data provider. A data provider is deemed to make available sufficient historical transaction information if it makes available at least 24 months of such information;
- Account balance;
- Information to initiate payment to or from a Regulation E account;
- Terms and conditions;
- Upcoming bill information; and
- Basic account verification information, which is limited to the name, address, email address, and phone number associated with the covered consumer financial product or service.
4. Covered Consumer Financial Product or Service
Covered consumer financial product or service means a consumer financial product or service, as defined in 12 U.S.C. 5481(5), that is:
- An account, as defined in Regulation E;
- A credit card, as defined in Regulation Z; or
- Facilitation of payments from such an account or credit card.
5. Consumer Interface
Consumer interface means an interface through which a data provider receives requests for covered data and makes available covered data in an electronic form usable by consumers in response to the requests.
6. Developer Interface
Developer interface means an interface through which a data provider receives requests for covered data and makes available covered data in an electronic form usable by authorized third parties in response to the requests.
7. Financial Institution
Regulation E defines a financial institution as a bank, savings association, credit union, or any other person that directly or indirectly holds an account belonging to a consumer, or that issues an access device and agrees with a consumer to provide electronic fund transfer services.
8. Card Issuer
Regulation Z defines a card issuer as a person who issues a credit card or that person's agent with respect to the card.
9. Account
Regulation E defines an account as a demand deposit (checking), savings, or other consumer asset account (other than an occasional or incidental credit balance in a credit plan) held directly or indirectly by a financial institution and established primarily for personal, family, or household purposes.
10. Credit Card
Regulation Z defines a credit card as any card, plate, or other single credit device that may be used from time to time to obtain credit.
11. Third-Party
Third party means any person or entity other than the consumer to whom the covered data pertains or the data provider that controls or possesses the consumer's covered data.
Obligations of Data Providers
A. Data Provider Interfaces
Data providers must establish and maintain a consumer interface and a developer interface to receive information access requests. In response to requests received through the interfaces, the data providers must make available to a consumer or an authorized third party covered data in a machine-readable file that can be retained by the consumer or authorized third party and transferred for processing into a separate information system.
Data providers must not impose any fees or charges on consumers or authorized third parties for maintaining the interfaces or receiving and responding to access requests.
Requirements for Developer Interface
The developer interface must satisfy the following requirements:
a. Standardized Format
A developer interface must make the information available in a standardized format, i.e., a format set forth in a qualified industry standard or a format widely used by the developer interfaces of other similarly situated data providers with respect to similar data.
b. Performance Specifications
A developer interface's performance must be commercially reasonable. The final rule treats a response as proper only if the developer interface returns it within 3,500 milliseconds of receiving the request, so a data provider that routinely exceeds that response time will not meet the performance specification.
c. Access Cap Prohibition
Data providers must not unreasonably limit the number or frequency of requests that the developer interface can receive and respond to. Any such cap or frequency restriction must align with the policies and procedures the data provider establishes and maintains under the final rule.
d. Security Specifications
Data providers must ensure that a third party cannot access the developer interface using the credentials a consumer uses to access the consumer interface. In practice this means the developer interface must not accept consumer usernames and passwords at all; third parties must be authenticated with credentials issued to them, which removes credential-sharing (screen scraping) as a way to reach the developer interface.
Furthermore, a data provider must ensure that its developer interface is subject to an information security program that complies with section 501 of the Gramm-Leach-Bliley Act (GLBA). If a data provider is not subject to section 501 of GLBA, it must instead implement an information security program that satisfies the Federal Trade Commission's Standards for Safeguarding Customer Information (the FTC Safeguards Rule, 16 CFR part 314).
B. Interface Access
Data providers can deny consumers and third parties access to the interface in the following circumstances:
a. Risk Management
A data provider may deny a consumer or third party access to an interface on risk management grounds, but only if the denial is reasonable. A denial is reasonable if it is necessary to comply with section 39 of the Federal Deposit Insurance Act (safety and soundness standards) or section 501 of the Gramm-Leach-Bliley Act. In every case, a reasonable denial must, at a minimum:
- be directly related to a specific risk of which the data provider is aware; and
- be applied in a consistent and non-discriminatory manner.
A data provider may also reasonably deny a third party access to the interface if either of the following is true:
- The third party does not present evidence that its information security practices are adequate to safeguard the covered data; or
- The third party does not make its identifying information (discussed below under Transparency Requirements) available in both human-readable and machine-readable formats in a way that is readily identifiable to members of the public.
Making Covered Data Available
Upon a request from a consumer or an authorized third party, a data provider must make available the covered data in its control or possession concerning a covered consumer financial product or service that the consumer obtained from the data provider. The data must be provided in an electronic form and must be the most recently updated covered data the data provider holds.
Exceptions
The data providers are exempt from making available the following covered data to a consumer or an authorized third party:
- Any confidential commercial information, including an algorithm used to derive credit scores or other risk scores or predictors. Information does not qualify for this exception merely because it is an input to, or an output of, an algorithm, risk score, or predictor.
- Any information collected by the data provider for the sole purpose of preventing fraud or money laundering or detecting or making any report regarding other unlawful or potentially unlawful conduct. Information collected for other purposes does not fall within this exception.
- Any information required to be kept confidential by any other provision of law. Information does not qualify for this exception merely because the data provider must protect it for the benefit of the consumer.
- Any information that the data provider cannot retrieve in the ordinary course of its business with respect to that information.
Responding to Requests
In response to an access request by a consumer, a data provider must make available covered data when it receives information sufficient to:
- Authenticate the consumer's identity; and
- Identify the scope of the data requested.
Similarly, in response to an access request by an authorized third party, a data provider must make available covered data when it receives information sufficient to:
- Authenticate the consumer's identity;
- Authenticate the third party's identity;
- Confirm that the third party has followed the authorization procedures set out in the final rule (discussed below); and
- Identify the scope of the data requested.
Confirming the Scope of a Third Party’s Authorization
To confirm the scope of a third party’s authorization to access the consumer’s data, a data provider may ask the consumer to confirm the following:
- The account(s) to which the third party is seeking access; and
- The categories of covered data the third party is requesting to access
Denying an Access Request
A data provider is not required to make covered data available in response to an access request in any of the following circumstances:
- An exception (discussed above) applies to the data;
- The data are not in the data provider's control or possession;
- The data provider's interface is not available when it receives the request;
- The request is for access by a third party, and any of the following is true:
- The consumer has revoked the third party's authorization;
- The data provider has received notice that the consumer has revoked the third party's authorization; or
- The consumer has not provided the third party with a new authorization after the one-year maximum duration period has elapsed; or
- The data provider has not received information sufficient to authenticate the identity of the consumer or the third party, determine the scope of the request, and confirm that the authorization procedures were followed.
Mechanism to Revoke Third-Party Authorization
Data providers are required to provide the consumers with a reasonable method to revoke any third party’s authorization to access their covered data. To be reasonable, the revocation method must, at a minimum, not interfere with, prevent, or materially discourage consumers' access to or use of the data, including access to and use of the data by an authorized third party.
Upon receiving a revocation request from a consumer, a data provider must notify the authorized third party about such a request.
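The checks described in this section (no consumer credentials at the developer interface, authentication of the third party, identification of scope, confirmation that the consumer authorized the third party and of which accounts and categories, the one-year maximum duration, and revocation with notice to the third party) can be expressed as a single policy gate. The following Python sketch is an added illustration written for this page; it is not code from the rule, the CFPB, or any data provider, and the record layouts, identifiers (`tp-budget-app`, `c-123`, `chk-001`), credential kinds and reason strings are assumptions.

```python
"""Policy-as-code sketch of a data provider's developer-interface gate.

Added illustration only: the record layouts, identifiers, credential kinds
and reason strings below are assumptions, not anything the rule specifies.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Optional, Tuple

# The categories of covered data from the rule's definition; the short names are assumed.
COVERED_CATEGORIES: FrozenSet[str] = frozenset({
    "transactions", "balance", "payment_initiation",
    "terms", "upcoming_bills", "account_verification",
})
MAX_AUTHORIZATION_AGE = timedelta(days=365)  # the rule's one-year maximum duration


@dataclass
class Authorization:
    """A consumer's authorization of one third party, as recorded by the data provider."""
    consumer_id: str
    third_party_id: str
    accounts: FrozenSet[str]      # accounts the consumer confirmed
    categories: FrozenSet[str]    # covered-data categories the consumer confirmed
    granted_on: date
    revoked_on: Optional[date] = None


@dataclass(frozen=True)
class AccessRequest:
    credential_kind: str          # "third_party_token" or "consumer_login" (assumed kinds)
    third_party_id: Optional[str]
    consumer_id: str
    accounts: FrozenSet[str]
    categories: FrozenSet[str]
    requested_on: date


class DeveloperInterfaceGate:
    def __init__(self, registered_third_parties, authorizations):
        self.registered = set(registered_third_parties)   # third parties whose identity was verified
        self.authorizations: List[Authorization] = list(authorizations)
        self.notifications: List[Tuple[str, str]] = []    # revocation notices owed to third parties

    def _latest_authorization(self, consumer_id: str, third_party_id: str) -> Optional[Authorization]:
        matches = [a for a in self.authorizations
                   if a.consumer_id == consumer_id and a.third_party_id == third_party_id]
        return max(matches, key=lambda a: a.granted_on, default=None)

    def evaluate(self, req: AccessRequest) -> Tuple[bool, str]:
        """Return (allowed, reason). Each denial reason mirrors a ground the rule permits."""
        # Security specification: the consumer's own login credentials never work here.
        if req.credential_kind != "third_party_token":
            return False, "consumer credentials are not accepted at the developer interface"
        # Authenticate the third party's identity.
        if req.third_party_id not in self.registered:
            return False, "third party not authenticated"
        # Identify the scope of the request against the covered-data categories.
        unknown = req.categories - COVERED_CATEGORIES
        if unknown or not req.accounts or not req.categories:
            return False, f"scope not identified (unknown categories: {sorted(unknown)})"
        # Confirm that the authorization procedures were followed for this consumer.
        auth = self._latest_authorization(req.consumer_id, req.third_party_id)
        if auth is None:
            return False, "no consumer authorization on file"
        if auth.revoked_on is not None:
            return False, "authorization revoked by consumer"
        if req.requested_on - auth.granted_on > MAX_AUTHORIZATION_AGE:
            return False, "authorization older than one year; new authorization required"
        # Confirm the scope of the authorization: only the confirmed accounts and categories.
        if not (req.accounts <= auth.accounts and req.categories <= auth.categories):
            return False, "request exceeds the accounts or categories the consumer authorized"
        return True, "authorized"

    def revoke(self, consumer_id: str, third_party_id: str, on: date) -> bool:
        """Consumer revokes through the data provider; a notice to the third party is queued."""
        auth = self._latest_authorization(consumer_id, third_party_id)
        if auth is None or auth.revoked_on is not None:
            return False
        auth.revoked_on = on
        self.notifications.append(
            (third_party_id, f"authorization from {consumer_id} revoked on {on.isoformat()}"))
        return True


def build_demo() -> DeveloperInterfaceGate:
    """Constructed sample data: one registered third party and one authorization."""
    auth = Authorization("c-123", "tp-budget-app", frozenset({"chk-001"}),
                         frozenset({"transactions", "balance"}), date(2025, 3, 1))
    return DeveloperInterfaceGate(["tp-budget-app"], [auth])


if __name__ == "__main__":
    gate = build_demo()
    good = AccessRequest("third_party_token", "tp-budget-app", "c-123",
                         frozenset({"chk-001"}), frozenset({"balance"}), date(2025, 6, 1))
    scraped = AccessRequest("consumer_login", None, "c-123",
                            frozenset({"chk-001"}), frozenset({"balance"}), date(2025, 6, 1))
    stale = AccessRequest("third_party_token", "tp-budget-app", "c-123",
                          frozenset({"chk-001"}), frozenset({"balance"}), date(2026, 3, 2))
    for r in (good, scraped, stale):
        print(gate.evaluate(r))
    gate.revoke("c-123", "tp-budget-app", date(2025, 7, 1))
    print(gate.evaluate(good), gate.notifications)
```

The order of the checks matters: the credential-kind check comes first so that a consumer's login never reaches authorization lookup, and scope is validated against the consumer's confirmed accounts and categories rather than against whatever the third party asked for. The denial reasons are kept as strings because the rule also requires the data provider to record the basis for each denial and communicate it to the third party.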
C. Transparency Requirements
Data providers must make certain identifying information available to consumers and third parties. The information must be available in both human-readable and machine-readable formats and must be readily identifiable to members of the public, at least as accessible as it would be on a public website.
A data provider’s identifying information should include the following:
- Its legal name and, if applicable, any assumed name it is using while doing business with the consumer;
- A link to its website;
- Its legal entity identifier (LEI), issued by:
- A utility endorsed by the LEI Regulatory Oversight Committee, or
- A utility endorsed or otherwise governed by the Global LEI Foundation (or any successor thereof) after the Global LEI Foundation assumes operational governance of the global LEI system; and
- Contact information that enables a consumer or third party to receive answers to questions about accessing covered data.
Developer Interface Documentation
A data provider must disclose documentation, including metadata describing all covered data and their corresponding data fields, sufficient for a third party to access and use the interface. The documentation must:
- Be maintained and updated as the developer interface is updated;
- Include how third parties can get technical support and report issues with the interface; and
- Be easy to understand and use, similar to data providers' documentation for other commercially available products.
D. Policies and Procedures
Appropriate to the size, nature, and complexity of its activities, a data provider must establish and maintain written policies and procedures to comply with the obligations set forth in the final rule. Such policies and procedures must be reviewed periodically and updated as appropriate to ensure their continued effectiveness.
The policies and procedures must be reasonably designed to ensure that the data provider:
- Maintains a record of the data fields in its control or possession that are covered data;
- Records any covered data not made available in response to an access request because of an exception, together with the reasons for applying the exception;
- When it denies a third party access to the developer interface, records the basis for the denial and communicates the reasons to the third party as soon as practicable;
- When it denies an access request, records the basis for the denial and communicates to the consumer or third party the types of information denied and the reasons for the denial as soon as practicable;
- Maintains and makes available accurate covered data;
- Retains records of its responses to access requests for at least three years;
- Retains copies of each third party's authorization to access data on behalf of a consumer;
- Retains records relating to a consumer's revocation of a third party's authorization; and
- Retains all other records that evidence compliance with the requirements of the final rule.
Obligations of Authorized Third Parties
To act as an authorized third party and access the covered data on behalf of a consumer, a third party must comply with the following requirements:
a. Authorization Disclosure
A third party must provide the consumer with a clear, conspicuous, and segregated authorization disclosure, electronically or in writing, containing the following information:
- The name of the third party that will be authorized to access covered data;
- The name of the data provider that controls or possesses the covered data that the third party seeks to access on behalf of the consumer;
- A brief description of the product or service that the consumer has requested from the third party and a statement that the third party will collect, use, and retain the consumer's data only for the purpose of providing that product or service to the consumer;
- The categories of covered data that will be accessed
- A certification statement (as discussed in (b) below); and
- A description of the revocation mechanism.
The authorization disclosure must be in the same language as the communication in which it is conveyed to the consumer. If that language is not English, the disclosure must include a link to an English-language version. A third party may likewise provide links to translations of the disclosure into other languages.
b. Certification Statement
As part of the authorization disclosure, a third party must provide the consumer with a statement certifying that it agrees to comply with its obligations under the final rule.
c. Express Consent
A third party must obtain a consumer’s express informed consent to access the covered data on the consumer’s behalf. For valid consent, a third party should obtain an authorization disclosure signed by the consumer electronically or in writing.
Following are some other obligations of third parties in relation to the collection and use of consumers’ covered data:
A. Collection, Use, and Retention of Consumer Data
A third party must limit the collection, use, and retention of consumer data to what is reasonably necessary to provide the consumer with the requested product or service.
Under the final rule, the following activities are not part of, or reasonably necessary to provide, any product or service:
- Targeted advertising;
- Cross-selling of other products or services; or
- The sale of covered data.
B. Maximum Duration and Reauthorization
A third party must limit the duration of collection of a consumer's data to a maximum period of one year after the consumer's most recent authorization. To continue collecting data beyond that period, the third party must obtain a new authorization from the consumer no later than the anniversary of the most recent authorization.
If a consumer does not provide a new authorization, a third party will no longer:
- Collect the consumer’s data pursuant to the previous authorization; and
- Use or retain covered data that was previously collected unless use or retention of that covered data remains reasonably necessary to provide the consumer's requested product or service.
C. Data Accuracy
A third party must have policies and procedures in place to ensure the accuracy of the consumer’s data received from a data provider. To ensure the accuracy of the covered data, a third party must also take into account the information received from the consumer, data provider, or another third party regarding inaccuracies in the covered data.
D. Data Security
A third party must implement an information security program that complies with section 501 of the Gramm-Leach-Bliley Act (GLBA). If a third party is not subject to section 501 of GLBA, it must instead implement an information security program that satisfies the Federal Trade Commission's Standards for Safeguarding Customer Information (the FTC Safeguards Rule, 16 CFR part 314).
E. Data Processing Agreement
Before sharing a consumer's covered data with another third party, an authorized third party must enter into a binding agreement with that other third party requiring it to comply with all applicable obligations under the final rule.
F. Transparency
To ensure transparency and keep the consumers informed, a third party must undertake the following:
- Provide the consumer with a copy of the authorization disclosure that is signed or otherwise agreed to by the consumer and reflects the date of the consumer's signature or other written or electronic consent. A third party may deliver a copy of the signed authorization disclosure to the consumer or make it available in a location that is readily accessible to the consumer, such as the third party's interface.
- Provide contact information that enables a consumer to receive answers to questions about the third party's access to the consumer's covered data; and
- Design and implement policies and procedures to ensure that the third party provides the consumer, upon request, the following information:
- Categories of covered data collected;
- Reasons for collecting the covered data;
- Names of parties with which the covered data was shared;
- Reasons for sharing the covered data;
- Status of the third party's authorization; and
- How the consumer can revoke the third party's authorization to access the consumer's covered data, and verification that the third party has adhered to revocation requests.
G. Revocation of Authorization
A third party must establish and maintain an easy-to-access mechanism for the consumers to revoke the third party’s authorization to access their covered data. As soon as a third party receives a revocation request from a consumer, it must notify the data provider and other third parties about such revocation.
Furthermore, on receipt of a revocation request, a third party must not:
- Collect the consumer’s data pursuant to the previous authorization; and
- Use or retain covered data that was previously collected unless use or retention of that covered data remains reasonably necessary to provide the consumer's requested product or service.
H. Use of Data Aggregator
A third party may use a data aggregator to perform the authorization procedures on its behalf; however, it remains responsible for complying with the applicable requirements of the final rule. Moreover, the name of the data aggregator and a brief description of the services it provides must be included in the authorization disclosure.
I. Policies and Procedures
A third party must establish and maintain policies and procedures to retain records that evidence its compliance with the final rule. Such records must be retained for a reasonable period, not less than three years, after the consumer's most recent authorization.
The records maintained by a third party must include, without limitation, the following:
- A copy of the authorization disclosure that is signed or otherwise agreed to by the consumer and reflects the date of the consumer's signature or other written or electronic consent and a record of actions taken by the consumer, including actions taken through a data provider, to revoke the third party's authorization; and
- With respect to a data aggregator, a copy of any data aggregator certification statement provided to the consumer separate from the authorization disclosure.
Effective and Compliance Dates
The final rule took effect 60 days after its publication in the Federal Register: it was published on November 18, 2024 and became effective on January 17, 2025. However, compliance with the provisions of the final rule is required only at a later date that depends on the type and size of the data provider. The table below sets out the compliance dates:
Covered Data Providers | Compliance Date
Depository institutions that hold at least $250 billion in total assets, based on an average of Q3 2023 through Q2 2024 call report submissions | April 1, 2026
Non-depository institutions that generated at least $10 billion in total receipts in calendar year 2023 or calendar year 2024 | April 1, 2026
Depository institutions that hold at least $10 billion but less than $250 billion in total assets, based on the same averaging period | April 1, 2027
Non-depository institutions that generated less than $10 billion in total receipts in both calendar year 2023 and calendar year 2024 | April 1, 2027
Depository institutions that hold at least $3 billion but less than $10 billion in total assets, based on the same averaging period | April 1, 2028
Depository institutions that hold at least $1.5 billion but less than $3 billion in total assets, based on the same averaging period | April 1, 2029
Depository institutions that hold more than $850 million but less than $1.5 billion in total assets, based on the same averaging period | April 1, 2030
Data providers that are exempt from the provisions of the final rule for not meeting the specified SBA size standard must start complying with the final rule within a reasonable time, not more than five years, after exceeding the SBA size standard.
How Securiti Can Help
Securiti’s Data Command Center enables organizations to comply with CFPB’s Personal Financial Data Rights Rule by securing the organization’s data, enabling organizations to maximize data value, and fulfilling an organization’s obligations around data security, data privacy, data governance, and compliance.
Organizations can overcome hyperscale data environment challenges by delivering unified intelligence and controls for data across public clouds, data clouds, and SaaS, enabling organizations to swiftly comply with privacy, security, governance, and compliance requirements.
Request a demo to learn more.