12 CFR Part 1033
The Consumer Financial Protection Bureau (CFPB) issued an advance notice of proposed rulemaking (ANPR) seeking comments and data to inform its consideration of four issues related to implementation of Section 1033 of Dodd-Frank. These issues are:
- The proper understanding of who can serve as a “representative” making a request on behalf of a consumer
- The optimal approach to the assessment of fees to defray the costs incurred by a “covered person” in responding to a customer-driven request
- The threat and cost-benefit picture for data security associated with Section 1033 compliance
- The threat picture for data privacy associated with Section 1033 compliance
Comments are due by October 21, 2025, and the ANPR can be found here.
Summary
Section 1033 of the Dodd-Frank Act provides consumers with the ability to request information, in the control or possession of financial entities, relating to the products/services obtained from those entities. In addition, the Act provides that “covered persons” are required to make financial transaction data available to consumers and authorized third parties upon request under rules prescribed by the Bureau.
The rule applies to financial institutions, described as “data providers,” that issue credit cards, hold transaction accounts, issue devices to access an account, or provide other types of payment facilitation products/services. The rule generally requires covered institutions to provide information about transactions, costs, charges and usage to consumers upon request. The rule also contains additional provisions regulating how covered data are to be made available and the mechanics of data access, and provisions establishing authorization procedures and obligations for third parties seeking to access covered data from data providers.
However, the text of the statute leaves several questions unaddressed. For example:
- Who may act on behalf of the consumer?
- How may the costs of effectuating such rights be defrayed by the “covered person” providing the data?
- The potential negative consequences to the consumer of exercising these rights in an environment where there are tens of thousands of malicious actors regularly seeking to compromise data sources and transmissions
- The potential negative consequences to the consumer in exercising this right where data contains information that the consumer may not want disclosed, but does not fully understand or realize may be disclosed by the third party through which it has made a request
- The potential benefits to consumers or competition of facilitating the consumer-authorized transfer of data to financial technology companies, application developers, and other third parties.
The ANPR also seeks comment on a number of additional questions under various headings that can be found below.
Scope of Who May Make a Request on Behalf of a Consumer
The Bureau is seeking comments generally on the proper scope of how the term “representative” should be interpreted. Additionally, the Bureau is seeking comment on the following questions.
- What is the plain meaning of the term “representative?” Does the PFDR Rule’s interpretation of the phrase “representative acting on behalf of an individual” represent the best reading of the statutory language? Why or why not?
- Are there other provisions in Federal statutes or financial services market practice in which third parties authorized to act on behalf of an individual encompass, on an equivalent basis, both those having fiduciary duties and those who do not?
- Does the statutory reference to an “agent, trustee, or representative” indicate that “representative” is intended to encompass only those representatives that are serving in a fiduciary capacity? If a “representative” under 12 USC 5481 is interpreted to be an individual or entity with fiduciary duties, what are the distinctions between an “agent” and a “representative” for purposes of Section 1033?
- In seeking the best reading of the statutory language, which evidence or interpretative principles should the Bureau consider with respect to the term “representative?”
- If a “representative” (under 12 USC 5481) is interpreted to mean an individual/entity with fiduciary duties, to what extent would it limit customers’ ability to transfer their transaction data to third parties under Section 1033 or the ability of financial technology and other third-party service providers to compete with incumbent market participants?
- Does the requirement in Section 1033 for the Bureau to prescribe standards promoting the development and use of standardized format for information made available under Section 1033 illuminate the types of entities that should be considered “consumers” or have any other implications for how “representative” under 12 USC 5481 should be interpreted?
- If a “representative” under 12 USC 5481 is interpreted not to be required to have fiduciary duties, what elements are required in establishing that the individual is a “representative” acting on behalf of the consumer?
- Are there any legal precedents or other considerations relevant to the above questions based on the applicability of the same definition of “consumer” to other Dodd-Frank Act provisions?
Defrayment of Costs in Exercising Rights Under Section 1033
Section 1033 of the Dodd-Frank Act is silent on the question of how the burden of consumers’ exercise of the rights it creates should be shared between the consumer and the “covered person.” The Bureau is seeking comments and data generally on how to deal with this omission, and whether costs, benefits, or market forces might justify modifying the PFDR Rule’s provisions. The Bureau is seeking comments/data on the following questions:
- Does the PFDR Rule’s prohibition on fees represent the best reading of the statute? Why or why not?
- Was the PFDR Rule correct to conclude that permitting fees “would obstruct the data access right that Congress contemplated”? Why or why not?
- What is a reasonable range of estimates regarding the fixed costs to “covered persons” of putting in place the standards required by sub-section D of Section 1033 and the operational architecture to intake, document, and process requests made by consumers, including natural persons and persons acting on behalf of a natural person? How do these estimates vary by the size of the covered financial institution?
- How is the range above affected by the need of the “covered person” to confirm that an agent, trustee, or representative acting on behalf of an individual has actually been authorized by the consumer to act on their behalf?
- Is there any legal precedent from other Federal statutes, not involving Federal criminal law or provision of services by the US government, where there is a similar omission of explicit authorization to the agency to set a cost-sharing balance in effectuation of a new statutory right and, if so, what principles has the court allowed the agency to use in establishing a proper balance?
- Absent any legal precedent from other laws, should covered persons be able to recover a reasonable rate for offsetting the cost of enabling consumers to exercise their rights under Section 1033? Why or why not?
- If covered persons should be able to recover a reasonable rate for offsetting the costs of enabling consumers to exercise their rights under Section 1033, should the Bureau place a cap on the upper bounds of such rates that can be charged? If so, what should the cap be on such rates, and why? If not, why not?
- If consumers ought to bear some of the cost in implementing requirements under Section 1033, should that be shared by every consumer of a covered person, including those who may not wish to exercise their rights under Section 1033?
Information Security Concerns in the Exercise of Section 1033 Rights
The Bureau is seeking comments/data generally on the threat and cost-benefit of securing consumer financial data both in storage and in transit by consumers, including any information security developments that might justify modifying the PFDR Rule’s provisions. Specifically, the Bureau is seeking comments/data on the following questions:
- Does the PFDR Rule provide adequate protection for the security of consumers’ data? Why or why not?
- What are the fixed costs of establishing an information security architecture that is capable of ensuring, in the absence of compromise of operational protocols, that customer financial information can be securely acquired, stored and transmitted from a “covered person” to the consumer?
- How do the fixed costs above relate to the number of clients serviced by the covered person or a person acting on behalf of an individual customer? Is the market providing reasonably priced solutions to meet the provisions of the PFDR rule for covered persons with few customers?
- In what way does the existence or non-existence of a fiduciary relationship affect the incentives in doing cost-benefit analysis regarding the level of information security established?
- Are there any peer-reviewed studies discussing whether levels of information security materially vary between those businesses that have fiduciary duties to their clients and those that do not?
- In the case of large-scale data breaches, what is the general cost per client in protecting such clients from the risks created by the breach, and how well-cushioned must working capital reserves be to respond to such breaches?
- What has been the experience of covered persons with secure storage and transmission of consumer financial data, and how effective have such institutions been in establishing controls and information security protocols?
- Covered persons are subject to several legal obligations regarding risk management, such as safety and soundness standards, BSA requirements, and AML regulations. What should covered persons consider under these legal obligations when making information available to consumers? How could the rule’s interface access provision better allow covered persons to satisfy these legal obligations?
- What are the costs and benefits of the rule’s reliance on existing information security standards in the GLBA?
- To what information security standards ought entities adhere when accessing consumer financial data held by a covered person, and who is best positioned to evaluate whether these entities are adhering to such standards?
- What are the costs/benefits of the rule’s provisions designed to reduce the use of screen scraping? What changes would better protect security of consumer credentials?
- Does the rule provide adequate protection for consumers and covered persons to ensure that the request for a consumer’s information is in fact knowingly authorized by the individual consumer and that the information is in fact being made available to the consumer as opposed to a malicious actor?
Privacy Concerns in the Exercise of Section 1033 Rights
The Bureau notes that there may be certain information, related to a consumer’s financial transactions, that the consumer would prefer not be shared. Part D of the final rule required third parties to obtain a consumer’s express informed consent to access covered data on behalf of the consumer. The Bureau is seeking comments/data on threats to data privacy as a result of unwitting licensing or sale of sensitive personal financial information. It is also seeking comments on possible modifications to the rule’s provisions. Finally, the Bureau is seeking comments on the following questions:
- Does the final rule provide adequate protection of consumer privacy? Why or why not?
- How prevalent is the licensure or sale of consumer financial data by bank and nonbank financial institutions, where customers either have the right to opt into or opt out of having their data licensed or sold? What is the approximate balance between such regimes where the customer is given a choice?
- How prevalent is the licensure or sale of consumer financial data by bank and nonbank financial institutions where consent to license or sale is part of a standard user agreement or privacy notice?
- What is the prevalence of licensure or sale of consumer data by companies with a fiduciary duty to their clients?
- What estimates exist on the percentage of financial service platform users who actually read and/or understand user agreements and privacy notices in their entirety?
Compliance Dates
The final rule included a series of compliance dates by which providers would need to comply with the requirements in subparts B and C. The dates were determined based on asset size of the entity.
As part of reconsideration of the rule, the Bureau plans to issue a Notice of Proposed Rulemaking to extend the compliance dates. The Bureau is seeking comments/data generally on the appropriateness of the compliance dates in the final rule. In addition, the Bureau is seeking comments and data on the following questions:
- Have entities encountered unexpected difficulties or costs in implementing the PFDR rule to date?
- If the Bureau were to make substantial revisions to the PFDR rule, how long would entities need to comply with a revised rule? How would the necessary implementation time vary based on the size of the entity covered by the rule?