Financial Data Privacy: CFPB Updates

January 23, 2025

By: Dori K. Bailey, Savanna P. Klinek, and Shannon A. Knapp

The current federal framework for financial data privacy protections consists primarily of the Gramm-Leach-Bliley Act (the GLBA) and the Fair Credit Reporting Act (the FCRA), along with the respective implementing regulations of these laws. The Consumer Financial Protection Bureau (the CFPB) has been increasingly focused on emerging data privacy concerns and challenges facing consumers in the digital world, particularly as it relates to the existing protections under the GLBA, the FCRA and other federal law. Below we outline two updates from the CFPB concerning financial data privacy.

CFPB Personal Financial Data Rights Rule:

At the end of 2024, the CFPB announced its final rule regarding “Personal Financial Data Rights” (the Rule). The Rule implements Section 1033 of the Dodd-Frank Act, which provides consumers with the right to access and transfer their financial information between different financial institutions and other financial providers without cost. The goal of the Rule is to accelerate the shift to “open banking” and to increase competition within the financial services sector.

The Rule applies to Data Providers, which include banks, credit unions and other depository institutions, consumer credit lenders and payment facilitation companies. It also applies to third parties accessing consumer data, such as financial technology companies providing financial management tools. The Rule exempts small depository institutions with less than $850 million in assets from compliance with the Rule.

There are three main requirements that apply to Data Providers. Specifically, Data Providers are required to (1) make consumer data available without fees or charges to the consumers to whom the account relates, as well as to any entity authorized to act on the consumer’s behalf; (2) establish and maintain an accessible developer interface for third parties to access consumer-authorized data; and (3) implement a standardized format that is usable by consumers and authorized third parties. The interface must have security safeguards consistent with the GLBA and provide the disclosures consumers need in order to make requests and use the interface. The standardized format can be obtained in multiple ways, including through industry standard-setting bodies, which issue consensus standards that providers can use to comply with the Rule. The CFPB has set varied compliance deadlines based on the size of the Data Provider, with the largest providers required to comply by April 1, 2026, and smaller providers given extended timelines spanning from 2027 to 2030.

CFPB Report Concerning Federal and State Privacy Protections for Consumers’ Financial Data:

At the end of 2024, the CFPB released a report identifying limits in the federal privacy protections afforded by the FCRA and the GLBA, and the impact of those limits on the protection of consumer financial data (the Report). Specifically, the Report notes that many states have enacted new data privacy laws that include exemptions for financial institutions that are separately required to comply with the GLBA and the FCRA. As a result, while such states provide consumers with greater protection and more control over their non-financial information (including the right to know what information a business has and the right to request deletion of such information), the CFPB believes that privacy protections for financial information now lag behind the safeguards required under these state consumer privacy laws.

In the Report, the CFPB notes that although the GLBA was groundbreaking in 1999 and provides important protections today, certain limitations in its framework have been identified, especially as consumers continue to use digital tools for their finances. The CFPB specifically points out that the GLBA’s focus on notice and opt-out rights is important, but that an opt-in approach that prohibits financial institutions from sharing information until the consumer affirmatively agrees could be more protective of consumer financial data. The Report further notes that consumers who do not wish to share information must separately inform each financial institution that they are opting out. The CFPB believes that a global opt-out request mechanism, whereby all financial institutions would be notified through one mechanism, would better protect consumers. This type of global opt-out mechanism is already required under some state privacy laws.

The CFPB is also concerned that many state consumer privacy laws reach beyond exempting traditional financial institutions (such as banks and credit unions) and also exempt other businesses engaged in financial activities due to the broad definition of a financial institution under GLBA.

As a result of the above concerns, the CFPB is encouraging state lawmakers to consider how consumers are impacted by exemptions for financial institutions that are contained in the state consumer privacy laws.

The CFPB continues to focus on data privacy matters for consumers. If you have any questions about any of the information contained in this memo, please contact Dori Bailey, Savanna Klinek, or Shannon Knapp, CIPP/A/US.