(a) Authority. The regulation in this part is issued by the Consumer Financial Protection Bureau (CFPB) pursuant to the Consumer Financial Protection Act of 2010 (CFPA), Pub. L. 111-203, tit. X, 124 Stat. 1955.

(b) Purpose. This part implements the provisions of section 1033 of the CFPA by requiring data providers to make available to consumers and authorized third parties, upon request, covered data in the data provider's control or possession concerning a covered consumer financial product or service, in an electronic form usable by consumers and authorized third parties; and by prescribing standards to promote the development and use of standardized formats for covered data, including through industry standards developed by standard-setting bodies recognized by the CFPB. This part also sets forth obligations of third parties that would access covered data on a consumer's behalf, including limitations on their collection, use, and retention of covered data.

(c) Organization. This part is divided into subparts as follows:

(1) Subpart A establishes the authority, purpose, organization, coverage of data providers, compliance dates, and definitions applicable to this part.

(2) Subpart B provides the general obligation of data providers to make covered data available upon the request of a consumer or authorized third party, including what types of information must be made available.

(3) Subpart C provides the requirements for data providers to establish and maintain interfaces to receive and respond to requests for covered data.

(4) Subpart D provides the obligations of third parties that would access covered data on behalf of a consumer.

(5) Appendix A to this part provides instructions for how a standard-setting body would apply for CFPB recognition.

(a) Coverage of data providers. A data provider has obligations under this part if it controls or possesses covered data concerning a covered consumer financial product or service that the consumer obtained from the data provider, subject to the exclusion in paragraph (d) of this section.

(b) Definition of covered consumer financial product or service. Covered consumer financial product or service means a consumer financial product or service, as defined in 12 U.S.C. 5481(5), that is:

(1) A Regulation E account, which means an account, as defined in Regulation E, 12 CFR 1005.2(b);

(2) A Regulation Z credit card, which means a credit card, as defined in Regulation Z, 12 CFR 1026.2(a)(15)(i); or

(3) Facilitation of payments from a Regulation E account or Regulation Z credit card, excluding products or services that merely facilitate first party payments. For purposes of this part, a first party payment is a transfer initiated by the payee or an agent acting on behalf of the underlying payee. First party payments include payments initiated by loan servicers.

(c) Definition of data provider. Data provider means a covered person, as defined in 12 U.S.C. 5481(6), that is:

(1) A financial institution, as defined in Regulation E, 12 CFR 1005.2(i);

(2) A card issuer, as defined in Regulation Z, 12 CFR 1026.2(a)(7); or

(3) Any other person that controls or possesses information concerning a covered consumer financial product or service that the consumer obtained from that person.

Example 1 to paragraph (c): A digital wallet provider is a data provider.

(d) Coverage threshold—Certain depository institutions. The requirements of subparts B and C of this part do not apply to data providers defined under paragraphs (c)(1) through (3) of this section that are depository institutions that hold total assets equal to or less than the Small Business Administration (SBA) size standard, as determined in accordance with this paragraph (d). If at any point a depository institution that held total assets greater than that SBA size standard as of or at any point after January 17, 2025 subsequently holds total assets below that amount, the requirements of subparts B and C of this part continue to apply.

(1) Determining SBA size standard. For purposes of paragraph (d) of this section, the SBA size standard is the SBA size standard for the data provider's appropriate North American Industry Classification System (NAICS) code for commercial banking, credit unions, savings institutions and other depository credit intermediation, or credit card issuing, as codified in 13 CFR 121.201.

(2) Calculating total assets. For purposes of paragraph (d) of this section, total assets held by a depository institution are determined by averaging the assets reported on its own four preceding quarterly call report submissions to the Federal Financial Institutions Examination Council or National Credit Union Association, as applicable, or its submissions to the appropriate oversight body to the extent it does not submit such reports to the Federal Financial Examination Council or National Credit Union Administration.

(3) Merger or acquisition—coverage of surviving depository institution when there are not four quarterly call report submissions. After a merger or acquisition the surviving depository institution shall determine quarterly assets prior to the merger or acquisition by using the combined assets reported on the quarterly call report submissions by all predecessor depository institutions. The surviving depository institution shall determine quarterly assets after the merger or acquisition by using the assets reported on the quarterly call report submissions by the surviving depository institution. The surviving depository institution shall determine total assets by using the average of the quarterly assets for the four preceding quarters, whether the quarterly assets are the combined assets of the predecessor depository institutions or from the surviving depository institution.

(a) Determining assets and revenue for purposes of initial compliance dates. A data provider's compliance date in paragraph (b) of this section is based on the calculation of total assets or total receipts, as appropriate, described in paragraphs (a)(1) and (2) of this section.

(1) With respect to a depository institution data provider, total assets are determined by averaging the assets reported on its 2023 third quarter, 2023 fourth quarter, 2024 first quarter, and 2024 second quarter call report submissions to the Federal Financial Institutions Examination Council or National Credit Union Administration, as applicable, or its submissions to the appropriate oversight body to the extent it does not submit such reports to the Federal Financial Examination Council or National Credit Union Administration. If, as a result of a merger or acquisition, a depository institution data provider does not have the named four quarterly call report submissions, the depository institution data provider shall use the process set out in § 1033.111(d)(3) to determine total assets for the time period named in this paragraph (a)(1).

(2) With respect to a nondepository institution data provider, total receipts are calculated based on the SBA definition of receipts, as codified in 13 CFR 121.104(a).

(b) Initial compliance dates. A data provider defined under § 1033.111(c)(1) through (3) must comply with the requirements in subparts B and C of this part beginning on:

(1) April 1, 2026, for depository institution data providers that hold at least $250 billion in total assets and nondepository institution data providers that generated at least $10 billion in total receipts in either calendar year 2023 or calendar year 2024.

(2) April 1, 2027, for data providers that are:

(i) Depository institutions that hold at least $10 billion in total assets but less than $250 billion in total assets; or

(ii) Nondepository institutions that did not generate $10 billion or more in total receipts in both calendar year 2023 and calendar year 2024.

(3) April 1, 2028, for depository institution data providers that hold at least $3 billion in total assets but less than $10 billion in total assets.

(4) April 1, 2029, for depository institution data providers that hold at least $1.5 billion in total assets but less than $3 billion in total assets.

(5) April 1, 2030, for depository institution data providers that hold less than $1.5 billion in total assets but more than $850 million in total assets.

(c) Compliance dates for depository institution data providers that subsequently cross coverage threshold. A depository institution data provider under § 1033.111(c)(1) through (3) that has total assets as calculated in § 1033.111(d)(2) equal to or less than the SBA size standard as determined in accordance with § 1033.111(d)(1), but that subsequently holds total assets that exceed that SBA size standard, as measured in § 1033.111(d)(2), must comply with the requirements in subparts B and C of this part within a reasonable amount of time after exceeding the size standard, not to exceed five years.

For purposes of this part, the following definitions apply:

Authorized third party means a third party that has complied with the authorization procedures described in § 1033.401.

Card issuer is defined at § 1033.111(c)(2).

Consensus standard means a standard that is adopted by a recognized standard setter and that continues to be maintained by that recognized standard setter.

Consumer means a natural person. Trusts established for tax or estate planning purposes are considered natural persons for purposes of this definition. Consumer also includes guardians, trustees, custodians, or other similar natural persons acting on behalf of a consumer pursuant to State law.

Consumer interface means an interface through which a data provider receives requests for covered data and makes available covered data in an electronic form usable by consumers in response to the requests.

Covered consumer financial product or service is defined at § 1033.111(b).

Covered data is defined at § 1033.211.

Data aggregator means a person that is retained by and provides services to the authorized third party to enable access to covered data.

Data provider is defined at § 1033.111(c).

Depository institution means any depository institution as defined by the Federal Deposit Insurance Act, 12 U.S.C. 1813(c)(1), or any credit union as defined by 12 CFR 700.2.

Developer interface means an interface through which a data provider receives requests for covered data and makes available covered data in an electronic form usable by authorized third parties in response to the requests.

Financial institution is defined at § 1033.111(c)(1).

Recognized standard setter means a standard-setting body that has been recognized by the CFPB under § 1033.141.

Regulation E account is defined at § 1033.111(b)(1).

Regulation Z credit card is defined at § 1033.111(b)(2).

Third party means any person that is not the consumer about whom the covered data pertains or the data provider that controls or possesses the consumer's covered data.

(a) Recognition of a standard-setting body. A standard-setting body may request CFPB recognition. Recognition will last up to five years, absent revocation. The CFPB will not recognize a standard-setting body unless it demonstrates that it satisfies the following attributes:

(1) Openness. The sources, procedures, and processes used are open to all interested parties, including: consumer and other public interest groups with expertise in consumer protection, financial services, community development, fair lending, and civil rights; authorized third parties; data providers; data recipients; data aggregators and other providers of services to authorized third parties; and relevant trade associations. Parties can meaningfully participate in standards development on a non-discriminatory basis.

(2) Balance. The decision-making power is balanced across all interested parties, including consumer and other public interest groups, and is reflected at all levels of the standard-setting body. There is meaningful representation for large and small commercial entities within these categories. No single interest or set of interests dominates decision-making. Achieving balance requires recognition that, even when a participant may play multiple roles, such as data provider and authorized third party, the weight of that participant's commercial concerns may align primarily with one set of interests. The ownership of participants is considered in achieving balance.

(3) Due process and appeals. The standard-setting body uses documented and publicly available policies and procedures, and it provides adequate notice of meetings and standards development, sufficient time to review drafts and prepare views and objections, access to views and objections of other participants, and a fair and impartial process for resolving conflicting views. An appeals process is available for the impartial handling of procedural appeals.

(4) Consensus. Standards development proceeds by consensus, which is defined as general agreement, though not necessarily unanimity. During the development of consensus, comments and objections are considered using fair, impartial, open, and transparent processes.

(5) Transparency. Procedures or processes for participating in standards development and for developing standards are transparent to participants and publicly available.