Personal Financial Data Rights in the US: Open Banking is finally here

What it means for consumers, banks and FinTech
 
Goutham Karthik Ramasamy
Senior Business Manager

The Consumer Financial Protection Bureau (CFPB) recently issued a rule under Section 1033(a) and (b) of the Consumer Financial Protection Act, granting consumers secure access to their financial data for sharing with authorized third parties. This regulation impacts , enhances opportunities for FinTechs, places greater obligations on data aggregators, and provides consumers with more control over their financial information. Any financial institution offering or managing products defined in Reg E (Electronic Fund Transfer Act) or Reg Z (Truth in Lending Act) will be required to comply with these data-sharing practices. This blog summarizes Section 1033, its exclusions, and its potential impact on the financial services industry.

Summary of provisions

The CFPB's rule empowers consumers by giving them control over their financial data, requiring financial institutions and service providers to make data accessible upon request.

Consumer rights

Consumers can access and share their financial data, including account information and transaction history, with third parties (e.g., services providing a consolidated view of their financial status). They also can revoke access whenever necessary.

Data provider obligations

Financial institutions must provide consumer data securely via APIs, replacing outdated methods like screen scraping. They are prohibited from charging fees or restricting the frequency of third-party access.

FinTech and third-party standards

Authorized FinTech and third parties must meet certification standards, secure explicit consent and renew annually. Data collection is limited to the requested service, ensuring strict security and compliance.

Data aggregators

Data aggregators must adhere to similar security and certification standards when handling authorizations. However, the financial institutions utilizing these aggregators remain liable for any instances of non-compliance.

Standard-setting organizations

These organizations establish secure, interoperable data-sharing standards, involving diverse stakeholders to ensure robust industry-wide API, data format and security standards.

Implementation timeline

To facilitate the transition, the CFPB has introduced a phased compliance schedule, extending from 2026 to 2030, depending on the size and type of data provider. By the end of this period, all covered entities will have adopted secure, standardized data-sharing frameworks, resulting in a fully compliant ecosystem.


Exemptions

The rule exempts certain small institutions and non-financial entities. The exclusions are detailed below.

| Excluded institutions | Reason for exclusion |
|---|---|
| Small banks and credit unions (< $1B) | Avoids imposing a disproportionate burden on small, community-focused institutions with limited resources. |
| Non-financial entities | Excludes companies for whom financial services are ancillary to their main business, such as retailers that offer credit cards. |
| Certain non-depository institutions | Exempts institutions that do not handle transactional accounts, where the relevance of data access is limited, such as mortgage servicers. |
| Investment-only firms | Excludes firms that focus exclusively on investment management, as their business does not typically involve consumer financial transactions. |
| Insurance companies and broker-dealers | Entities under distinct regulatory regimes, such as those governed by state insurance laws or the SEC, are generally excluded. |

What can the US markets learn from PSD2 implementation?

Regulatory compliance is complex but essential

The regulation laid a solid foundation, but varying interpretations across countries have created challenges. U.S. regulators and standard setters must provide clear, consistent guidelines to ensure that financial institutions interpret the regulations uniformly, minimizing confusion and ensuring compliance across the industry.

Collaboration between banks and FinTechs is key

Successful implementations thrived on collaboration rather than competition, with banks leveraging the agility of FinTechs, while FinTechs benefitted from banks' scale and trust.

Open finance is the next evolution

PSD2 paved the way for open finance, expanding data-sharing beyond banking to include insurance, investments and pensions, fostering a more interconnected financial ecosystem.

HCLTech point of view on potential impacts to industry

| | Financial institution | Fintech and third parties | Data aggregator | Consumers |
|---|---|---|---|---|
| Operational adjustments | Must invest heavily in building and maintaining secure, interoperable APIs. Require significant upgrades to legacy systems, dedicated compliance teams, and partnerships with technology vendors. | Replace outdated methods like screen scraping with advanced data-sharing protocols. | Shift from screen scraping to API-based access demands technical investments to comply with new standards. Certification requirements mandate strict adherence to security protocols and accountability for data handling. | - |
| Increased competition | Opportunity to reduce consumer inertia through frictionless onboarding processes and incentives like improved rates, loyalty programs, or innovative features. Must focus on innovation and customer-centric strategies to retain market share against agile fintech competitors. | New entrants and existing players will compete fiercely, requiring differentiation through innovative, secure and user-friendly products. Opportunities for partnerships with financial institutions to co-create tailored solutions. | - | Enhanced data portability facilitates easier consumer switching, forcing institutions to compete on service quality and pricing. Face fewer barriers in accessing competitive and personalized financial products. |
| Customer engagement | Compete with fintech for consumer attention by offering engaging platforms and superior features. Must invest in innovative financial advice and enhanced customer experiences to stay competitive. | Gain an edge in engagement through data-driven, personalized services enabled by seamless data access. | - | - |
| Data security | Bear responsibility for ensuring secure data sharing via APIs and compliance with regulatory standards. Must monitor third-party providers to prevent data misuse or mishandling, avoiding penalties and reputational damage. | Manage sensitive consumer data, requiring adherence to stringent security and privacy standards. Compliance entails securing explicit consumer consent and renewing certifications annually, increasing operational costs. | Need to align with enhanced security standards and establish clear accountability measures to ensure data integrity. | Face potential risks of data breaches or identity theft when dealing with less-reliable third parties. Must carefully select trusted providers and stay informed about data-sharing agreements. |
| Market evolution and opportunities | Strategic shift towards customer-centric services and partnerships with fintech to retain competitiveness. Increased focus on value-added offerings like personalized financial advice and seamless digital platforms. | Innovation opportunities in areas like real-time credit scoring, dynamic pricing and tailored financial advice. Expansion into underserved markets with affordable, personalized services, driving financial inclusion. | Act as enablers of innovation by fostering seamless data exchange between legacy institutions and emerging fintech solutions. | Benefit from expanded access to fintech tools, improved financial literacy and greater control over financial decisions. |
| Data sharing standardization | - | Standardization simplifies data access but increases regulatory oversight, pushing providers to innovate within defined parameters. | Standardized APIs reduce their market dominance but provide opportunities to complement fintech innovation. Facilitate industry-wide interoperability, enabling direct connections between financial institutions and third parties. | - |
| Financial inclusion | - | Opportunity to address gaps in financial inclusion by offering tailored solutions to historically underserved populations. | - | Broader access to affordable and personalized financial services benefits underserved and underbanked communities. Empowerment through control over their financial data fosters participation in the financial ecosystem. |


Conclusion

The CFPB’s final rule on personal financial data rights marks a crucial step in advancing consumer empowerment and open banking in the U.S. By establishing clear data access rights, the rule aims to transform financial services, promoting competition and innovation while safeguarding consumer data. The phased rollout, exemptions for small entities and engagement with standard-setting bodies ensure a balanced, adaptable approach that empowers consumers and supports a competitive financial ecosystem. As compliance phases progress, institutions and third-party providers must prioritize data security, transparency and innovation to thrive in this evolving regulatory financial landscape.

The evolving political landscape and potential changes within the Consumer Financial Protection Bureau (CFPB) could influence the implementation and enforcement of personal financial data rights regulation. It remains to be seen how the change in administration may affect the pace and manner of the rollout.
