(a) Obligation to make covered data available—(1) General. A data provider must make available to a consumer and an authorized third party, upon request, covered data in the data provider's control or possession concerning a covered consumer financial product or service that the consumer obtained from the data provider, in an electronic form usable by consumers and authorized third parties.

(2) Prohibition against evasion. A data provider must not take any action:

(i) With the intent of evading the requirements of subparts B and C of this part;

(ii) That the data provider knows or should know is likely to render unusable the covered data that the data provider makes available; or

(iii) That the data provider knows or should know is likely to prevent, interfere with, or materially discourage a consumer or authorized third party from accessing covered data consistent with this part.

(b) Current data. In complying with paragraph (a) of this section, a data provider must make available the most recently updated covered data that it has in its control or possession at the time of a request. A data provider must make available information concerning authorized but not yet settled transactions.

Covered data in this part means, as applicable:

(a) Transaction information, including historical transaction information in the control or possession of the data provider. A data provider is deemed to make available sufficient historical transaction information for purposes of § 1033.201(a)(1) if it makes available at least 24 months of such information.

Example 1 to paragraph (a): This category includes amount, transaction date, payment type, pending or authorized status, payee or merchant name, rewards credits, and fees or finance charges.

(b) Account balance information.

(c) Information to initiate payment to or from a Regulation E account directly or indirectly held by the data provider. This category includes an account and routing number that can be used to initiate an Automated Clearing House transaction.

(1) In complying with its obligation under § 1033.201(a)(1), a data provider is permitted to make available a tokenized account number instead of, or in addition to, a non-tokenized account number, as long as the tokenization is not used as a pretext to restrict competitive use of payment initiation information.

(2) This paragraph (c) does not apply to data providers who do not directly or indirectly hold the underlying Regulation E account. For example, a data provider that merely facilitates pass-through payments would not be required to make available account and routing number for the underlying Regulation E account.

(d) Terms and conditions. For purposes of this section, terms and conditions are limited to data in agreements evidencing the terms of the legal obligation between a data provider and a consumer for a covered consumer financial product or service, such data in the account opening agreement and any amendments or additions to that agreement, including pricing information.

Example 2 to paragraph (d): This category includes the applicable fee schedule, any annual percentage rate or annual percentage yield, credit limit, rewards program terms, whether a consumer has opted into overdraft coverage, and whether a consumer has entered into an arbitration agreement.

(e) Upcoming bill information.

Example 3 to paragraph (e): This category includes information about third party bill payments scheduled through the data provider and any upcoming payments due from the consumer to the data provider.

(f) Basic account verification information, which is limited to the name, address, email address, and phone number associated with the covered consumer financial product or service. If a data provider directly or indirectly holds a Regulation E or Regulation Z account belonging to the consumer, the data provider must also make available a truncated account number or other identifier for that account.

A data provider is not required to make available the following covered data to a consumer or authorized third party:

(a) Any confidential commercial information, including an algorithm used to derive credit scores or other risk scores or predictors. Information does not qualify for this exception merely because it is an input to, or an output of, an algorithm, risk score, or predictor. For example, annual percentage rate and other pricing terms are sometimes determined by an internal algorithm or predictor but do not fall within this exception.

(b) Any information collected by the data provider for the sole purpose of preventing fraud or money laundering, or detecting, or making any report regarding other unlawful or potentially unlawful conduct. Information collected for other purposes does not fall within this exception. For example, name and other basic account verification information do not fall within this exception.

(c) Any information required to be kept confidential by any other provision of law. Information does not qualify for this exception merely because the data provider must protect it for the consumer. For example, the data provider cannot restrict access to the consumer's own information merely because that information is subject to privacy protections.

(d) Any information that the data provider cannot retrieve in the ordinary course of its business with respect to that information.