Consumer Reports urges CFPB to maintain robust consumer protections as the bureau considers revising its “open banking” rule

CR outlines protections needed to ensure consumers can access their financial data at no charge with strong privacy and security safeguards

WASHINGTON DC – In a comment letter submitted to the Consumer Financial Protection Bureau today, Consumer Reports called on the Bureau to make sure that its revised Personal Financial Data Rights rule enables consumers to access their own financial data at no cost and includes strong privacy and security protections.

The CFPB is considering changes to the regulation, also known as the “open banking” rule, which gives consumers greater access to and control of their personal financial data to make it easier to switch financial providers and to foster greater competition in the marketplace.

Section 1033 was enacted fifteen years ago in 2010, yet millions of consumers continue to use data-sharing services without adequate protections. CR’s letter urges the CFPB to move forward with implementation without excessive delay. Among the issues the CFPB is seeking public comment on is whether financial institutions can charge customers fees to access their personal information and the data privacy and security standards required under the rule.

“Consumers should never have to pay to access their own financial information,” said Delicia Hand, senior director, digital marketplace, at Consumer Reports. “Allowing financial firms to charge customers to access their personal data would undermine the whole purpose of the open banking rule and prevent many people from seeking out better deals and services with other providers.”

“Consumers deserve strong privacy and security protections without having to give up access to beneficial services,” Hand added. “These safeguards are critical and shouldn’t be used to limit competition or access to services that improve their financial lives.”

Under the rule issued in October 2024, banks and other financial institutions must provide consumers access to data about their checking and prepaid accounts, credit cards, payment apps and digital wallets through secure interfaces at no charge. When consumers choose to share this data with other financial firms, these third parties must obtain express consumer consent, use the data only for providing requested services, and allow consumers to revoke access. The rule prohibits third parties from using consumer financial data for unrelated purposes.

CR’s letter points out that imposing fees would transform this fundamental right into a service available only to those who can afford it – creating the kind of economic barrier Congress sought to eliminate when it adopted the Consumer Financial Protection Act. Data access fees would price out the consumers who stand to benefit the most from being able to access personal financial management tools from other providers that could help them avoid costly fees, and services that use transaction data that could improve their creditworthiness.

Hand noted, “Financial institutions already profit handsomely by charging customers a whole host of fees and interest charges and by monetizing their data for cross-selling and marketing. Charging consumers for data access would mean that they pay twice – once through these existing revenue sources and fees, and again for obtaining their own data.”

CR’s evaluations of data security practices across peer-to-peer payment apps, buy now, pay later services, banking apps and digital wallets have revealed a number of concerning gaps in current practices that the rule can help address. For example, in 2022 CR found that 9 percent of peer-to-peer payment app users reported being victims of scams or fraud – a rate that demonstrates significant security vulnerabilities in current data sharing practices that rely on screen scraping and credential sharing.

Security features vary dramatically across banking apps, with some institutions providing robust protections while others lag significantly behind. Fraud protection documentation is often incomplete or unclear, leaving consumers confused about their rights and protections. Consumer recourse mechanisms are inconsistent, with some institutions providing clear processes for addressing unauthorized transactions while others create obstacles.

“Consumers need clear information about how their data is being protected, what security measures are in place, what to do if security issues arise, and who is responsible when problems occur,” said Hand. “These protections are often lacking in current financial services, leaving consumers in the dark about their protections until something goes wrong.”

CR’s letter notes that when companies face clear consequences for security failures, they invest in better protection. For financial data, this means establishing clear responsibility when security failures occur, protecting consumers from unauthorized transactions, prohibiting contractual terms that waive consumer rights, and implementing penalties that deter companies from taking shortcuts with consumer security.

For a more complete explanation of the security safeguards and other protections needed for consumers, see CR’s letter to the CFPB on its Advance Notice of Proposed Rulemaking of the Personal Financial Data Rights Rule.

Media Contact: Michael McCauley, michael.mccauley@consumer.org
