§ 1033.331 - Responding to requests for information.

(a) Responding to requests—access by consumers. To comply with the requirements in § 1033.201(a)(1), upon request from a consumer, a data provider must make available covered data when it receives information sufficient to:

(1) Authenticate the consumer's identity; and

(2) Identify the scope of the data requested.

(b) Responding to requests—access by third parties. (1) To comply with the requirements in § 1033.201(a)(1), upon request from an authorized third party, a data provider must make available covered data when it receives information sufficient to:

(i) Authenticate the consumer's identity;

(ii) Authenticate the third party's identity;

(iii) Document the third party has followed the authorization procedures in § 1033.401; and

(iv) Identify the scope of the data requested.

(2) The data provider is permitted to confirm the scope of a third party's authorization to access the consumer's data by asking the consumer to confirm:

(i) The account(s) to which the third party is seeking access; and

(ii) The categories of covered data the third party is requesting to access, as disclosed by the third party pursuant to § 1033.411(b)(4).

Example 1 to paragraph (b): An authorized third party that a data provider has authenticated requests covered data on behalf of an authenticated consumer through the data provider's developer interface. The data provider asks the consumer to confirm the scope of the third party's authorization using a means of communication that the consumer is not accustomed to using with the data provider and that the data provider knows or should know will take a long period of time to reach the consumer and allow the consumer to respond with the confirmation. As a result of the long wait time, the consumer cannot provide a timely confirmation, delaying the third party's access to the covered data. This data provider has violated the § 1033.201(a)(2) prohibition against evasion by taking an action that the data provider knows or should know is likely to interfere with an authorized third party's access to covered data.

(c) Covered data not required to be made available. A data provider is not required to make covered data available in response to a request when:

(1) The data are withheld because an exception described in § 1033.221 applies;

(2) The data are not in the data provider's control or possession, consistent with the requirement in § 1033.201(a)(1).

(3) The data provider's interface is not available when the data provider receives a request requiring a response under this section. However, the data provider is subject to the performance specifications in § 1033.311(c);

(4) The request is for access by a third party; and

(i) The consumer has revoked the third party's authorization pursuant to paragraph (e) of this section;

(ii) The data provider has received notice that the consumer has revoked the third party's authorization pursuant to § 1033.421(h)(2); or

(iii) The consumer has not provided a new authorization to the third party after the maximum duration period, as described in § 1033.421(b)(2).

(5) The data provider has not received information sufficient to satisfy the conditions in paragraph (a) or (b) of this section.

(d) Jointly held accounts. A data provider that receives a request for covered data from a consumer that jointly holds an account or from an authorized third party acting on behalf of such a consumer must make available covered data to that consumer or authorized third party, subject to the other provisions of this section.

(e) Method to revoke third party authorization to access covered data. A data provider does not violate the general obligation in § 1033.201(a)(1) by making available to the consumer a reasonable method to revoke any third party's authorization to access all of the consumer's covered data, provided that such method does not violate § 1033.201(a)(2). Indicia that the data provider's revocation method is reasonable include its conformance to a consensus standard. A data provider that receives a revocation request from a consumer through a revocation method it makes available must revoke the authorized third party's access and notify the authorized third party of the request in a timely manner.