WASHINGTON, D.C. – Due to a recent ruling by the Consumer Financial Protection Bureau, consumers will have greater rights, privacy and security over their personal financial data.
Banks, credit unions and other financial service providers will be required to make consumers’ data available upon request to consumers and authorized third parties in a secure and reliable manner, explained release. In addition, the final rule of the Consumer Financial Protection Act of 2010 defines obligations for third parties accessing consumers’ data, including important privacy protections and promotes fair, open and inclusive industry standards.
It will require financial institutions, credit card issuers and other financial providers to unlock an individual’s personal financial data and transfer it to another provider at the consumer’s request for free.
By fueling competition and consumer choice, the CFPB’s goals include lowering prices on loans and improving customer service across payments, credit and banking markets. Consumers will be able to seek out and more easily switch to providers with superior rates and services.
“Too many Americans are stuck in financial products with lousy rates and service,” said CFPB Director Rohit Chopra. “Today’s [Oct. 22] action will give people more power to get better rates and service on bank accounts, credit cards and more.”
Financial providers will be required to make consumer information available without charging any fees. The rule also establishes strong privacy protections, requiring that personal financial data can only be used for the purposes requested by the consumer.
Third parties will not be able to use consumer data for other purposes that benefit the third party. The CFPB press release also said the ruling will help move the industry away from “screen scraping,” a common but risky practice that typically involves consumers providing their account passwords to third parties who use the information to access data indiscriminately through online banking portals.
Compliance with the rule will be implemented in phases, with larger providers subject to the rule sooner than the smaller ones. The largest institutions will be required to comply by April 1, 2026, and the smaller institutions will have until April 1, 2030.