Summary of the CFPB Final Rule on Personal Financial Data Rights

The CFPB’s Final Rule on Personal Financial Data Rights requires that non-depository mortgage lenders and servicers ensure consumer access to financial data in secure, standardized formats. This summary focuses on key aspects of compliance, including the types of data covered, access obligations, privacy and security mandates, and operational impacts on non-depository institutions.

1. Compliance Dates and Total Receipts Thresholds

Compliance Deadlines Based on Total Receipts:

  • Large Non-Depository Institutions (>$10 billion in receipts in 2023 or 2024): Must comply by April 1, 2026.

  • Smaller Non-Depository Institutions (<$10 billion in receipts in both 2023 and 2024): Must comply by April 1, 2027.

A non-depository institution calculates total receipts based on the SBA definition of receipts, as codified in 13 CFR § 121.104(a).

2. Types of Data Covered by the Rule

The rule mandates that non-depository mortgage lenders and servicers provide access to specific types of consumer financial data, collectively termed “covered data”:

  • Transaction Data: Includes consumer transaction histories, payment records, and other financial activities.

  • Account Information: Encompasses balances, interest rates, fees, and other account-specific details.

  • Usage Data: Includes data reflecting consumer engagement, frequency of transactions, and other behavioral indicators.

These data types must be made available in a machine-readable format so that the data is accessible and usable by consumers and third-party applications, which promotes competition and innovation.

3. Obligations for Consumer and Third-Party Data Access

Direct Consumer Access Requirements:

  • Non-depository entities must provide consumers with access to their financial data through a secure, user-friendly interface.

  • Data access must be free for consumers, and information should be provided in near real-time for accurate, up-to-date data availability.

Third-Party Data Access via Developer Interfaces:

  • Institutions must offer third parties (with consumer authorization) access to data through developer interfaces (e.g., APIs).

  • They must ensure unrestricted access for authorized third parties, avoiding any unreasonable limits on access frequency.

  • Screen scraping is prohibited, requiring institutions to implement credential-free data access methods for security purposes.

  • Institutions must provide clear disclosures on data access capabilities and enable consumers to control or revoke third-party access as desired.

4. Privacy, Security, and Data Retention Requirements

The rule includes comprehensive privacy and security standards to protect consumer data.

Privacy Standards and Consumer Control:

  • Informed Consent: Third parties must disclose to consumers how they will access, use, and retain their data.

  • Data Minimization: Third parties are limited to collecting only data necessary for the requested service. Secondary uses, like advertising, are prohibited.

  • Revocation Mechanism: Institutions must ensure that consumers can easily revoke third-party access at any time.

Security Standards:

Third parties must comply with data security protocols under the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, which includes:

  • Robust Information Security Programs covering administrative, technical, and physical safeguards.

  • Incident Response Plans to manage and address any data breaches.

  • Ongoing Security Assessments and Certifications to ensure adherence to industry security standards.

Data Retention and Disposal:

  • Data retention by third parties is limited to the period necessary to provide the service requested by the consumer.

  • When authorization expires or is revoked, third parties must delete consumer data unless retention is required for legal or regulatory reasons.

5. Cost and Operational Impact for Non-Depository Institutions

Implementation Costs:

The rule acknowledges that non-depository institutions may incur certain implementation costs:

  • Infrastructure Development: One of the most significant operational impacts will be the development of secure data interfaces (APIs) for third-party access. This will require coordination with IT, data security, and compliance teams to ensure compliance with the rule’s security and standardization requirements.

  • Compliance Oversight: Compliance will need to work closely with third-party partners to ensure that they meet the privacy, security, and data retention requirements of the rule. Additionally, protocols must be established for handling consumer data requests efficiently and for ensuring data accuracy across systems.

  • Training and Policies: Updated policies and procedures will be needed to ensure staff understand the new obligations, especially around consumer data rights, privacy protections, and the use of third-party service providers.

A tiered compliance structure and phased deadlines help reduce the immediate financial burden, especially for smaller institutions.

6. Risk Considerations

Liability and Consumer Protection Risks:

  • Institutions need strong third-party oversight to ensure compliance with data access, security, and retention rules.

  • Non-depository institutions are liable for unauthorized transactions initiated through third parties, subject to Electronic Fund Transfer Act (EFTA) and Regulation E obligations.

  • Liability risks can be managed through contractual liability allocation agreements with third-party agents, mitigating risks associated with data misuse or breaches.

Compliance Risks:

  • Consumer Complaints and Disputes: Increased consumer access to data may result in a rise in data disputes or requests for corrections. Companies need to ensure that systems and customer service processes are equipped to handle these efficiently.

  • Data Breaches and Liability: Although third parties are required to implement robust security measures, companies must ensure that their own systems are secure against unauthorized access. Companies should establish clear agreements with third-party providers regarding liability in the event of data breaches or misuse of consumer data.

7. Conclusion and Next Steps for Non-Depository Mortgage Lenders and Servicers

Immediate Action Steps:

  1. Assess Data Access Infrastructure: Review current data systems for compliance with secure API and data access requirements.

  2. Update Privacy and Security Policies: Implement data privacy, security, and retention policies consistent with the rule’s standards.

  3. Engage IT Vendors as Needed: Where necessary, engage with vendors to support secure data access and compliance with the rule’s technical requirements.

Long-Term Compliance Strategy:

  1. Monitor Consumer and Third-Party Data Requests: Regularly assess and adjust data access protocols as necessary.

  2. Conduct Regular Security Audits: Maintain updated documentation and perform audits to ensure continuous compliance.

  3. Participate in Industry Standard-Setting Initiatives: Align with evolving industry standards for data access and security to manage long-term compliance risks.

The CFPB’s Final Rule on Personal Financial Data Rights establishes consumer-centric access standards and promotes competitive, secure data sharing in the financial services market. Compliance with this rule will enable non-depository mortgage lenders and servicers to offer accessible data solutions while upholding high standards of data protection and regulatory compliance.