On August 22, the CFPB issued an advance notice of proposed rulemaking in the Federal Register seeking public comments and data to inform its decisions on implementing Section 1033 of the Dodd-Frank Act (the Personal Financial Data Rights rule). The rule would generally require financial institutions to provide information about transactions, costs, charges and usage to consumers upon request. The rule would contain additional provisions regulating how covered data are to be made available and the mechanics of data access, with specific authorization procedures for third parties seeking to access covered data. Specifically, the CFPB stated its plans on four key issues:
- Who can serve as a “representative” making a request on behalf of the consumer;
- Assessing fees to defray costs incurred by a “covered person” in responding to a customer’s request;
- Data security concerns associated with Section 1033 compliance; and
- Data privacy threats associated with Section 1033 compliance.
Section 1033(a) of the Dodd-Frank Act empowers the CFPB to create rules on how consumers could control the information possessed by financial entities relating to products or services. As previously covered by InfoBytes, the CFPB finalized this rulemaking with its Personal Financial Data Rights rule in October 2024, which would have mandated that financial institutions, credit card issuers and other financial providers make covered data available to consumers and third parties in a standardized format. The Personal Financial Data Rights rule included compliance dates for data providers based on entity size, from April 1, 2026, through April 1, 2030, and the Bureau now plans to issue a notice of proposed rulemaking to extend these dates. Comments will be due by October 21.
[View source.]
