CFPB Finalizes Open Banking Rule, Challenge Follows Close Behind

On October 22, 2024, the Consumer Financial Protection Bureau (“CFPB”) finalized a rule concerning the portability of consumers’ personal financial data (the “Rule”). The Rule will require financial institutions to provide authorized third parties with access to data associated with consumers’ bank accounts, credit cards, payment apps and other financial products.

In a press release announcing the publication of the Rule, the CFPB emphasized the centrality of consumer privacy to the Rule’s design. The Rule limits third parties’ use of consumer data to only those products or services that the consumer requested. It forbids the retention or use of consumer data for other business purposes, such as targeted advertising, and sets forth requirements around revocation of access to data by the consumer, including that data access end immediately and that data deletion be the default.

The press release further highlights the CFPB’s hope that the Rule will advance certain policy goals of the agency, including enabling consumers to move more easily between banks when dissatisfied with their service, shop for better rates on products and credit, and securely share payment information. Overall, the CFPB expects the Rule to increase competition and consumer choice in the banking, financial services, and fintech sectors.

While the CFPB emphasized the importance of privacy, there are concerns among financial institutions that the Rule does not go far enough to ensure that non-bank third-party recipients of personal information safeguard the information or bear appropriate liability for a failure to do so. In addition, both financial institutions (as data providers) and third-party recipients of such data have expressed concerns about the process of setting industry technical standards for secure data sharing and about which entity will be approved as the standard-setting body.

On October 23, 2024, Forcht Bank, N.A., the Kentucky Bankers Association and Bank Policy Institute brought a challenge to the Rule in the U.S. District Court for the Eastern District of Kentucky. The challenge, brought against the CFPB and its director, Rohit Chopra, in his official capacity, asks the court to enjoin the enforcement of the Rule and eventually set aside the Rule in its entirety. In a press release announcing the lawsuit, the Bank Policy Institute expressed concern that the Rule jeopardizes consumers’ privacy, financial data and account security.

The Rule sets phased deadlines for compliance based on an entity’s size. The largest entities must comply with the Rule’s requirements by April 1, 2026, and the smallest entities will have until April 1, 2030.
