CFPB Seeks Comments on Rule Governing Personal Financial Data

The Consumer Financial Protection Bureau requested comment on the implementation provisions of Section 1033 of the Dodd-Frank Act, a rule requiring a financial institution to provide consumer access their own financial data.

In the Advance Notice of Proposed Rulemaking, the CFPB asked stakeholders to weigh in on the 2024 Personal Financial Data Rights Rule—the regulation intended to implement Section 1033. (See previous coverage.) Specifically, the CFPB asked for feedback on:

1. Consumer Representatives. The CFPB asked how to interpret who qualifies as a "representative" authorized to act on behalf of a consumer, including whether the term should extend to non-fiduciary third parties such as Fintechs.
2. Cost Recovery. The CFPB questioned whether financial institutions may impose fees for complying with consumer data requests and, if permitted, whether such fees should be capped.
3. Information Security. The CFPB asked how best to safeguard consumer data during storage and transfer, including whether existing Gramm-Leach-Bliley Act standards are sufficient and how to address risks from screen scraping and cyberattacks.
4. Privacy Concerns. The CFPB requested more insight on potential privacy risks from consumer-authorized data sharing, including inadvertent disclosure of sensitive information, sale or licensing of consumer data, and whether current consent rules provide adequate protection.

The CFPB also invited feedback on whether compliance timelines—currently set between 2026 and 2030—should be extended if substantial revisions are made. The CFPB said it may revise or replace its 2024 rule to address statutory interpretation, market impacts, and consumer protection.

The CFPB also cited ongoing litigation over the Personal Financial Data Rights Rule. The CFPB noted that it was previously granted a court-ordered stay after moving to pause the case.

Comments are due within 60 days of the Notice’s publication in the Federal Register.