On Aug. 22, the Consumer Financial Protection Bureau (CFPB) released an Advanced Notice of Proposed Rulemaking (ANPRM) on Personal Financial Data Rights while its October 2024 final rule is the subject of ongoing litigation. The ANPRM seeks feedback from stakeholders on the definition of a representative, prohibition on fees, adequacy of security and privacy protection, and compliance dates. Additionally, the CFPB plans to extend the compliance date for the finalized data sharing rule through a separate proposed rule. Although the rulemaking is designated as “accelerated,” the timeline is uncertain and could be driven by the scope of the revisions under consideration.
Section 1033 Recent Developments
On Oct. 22, 2024, the CFPB issued a final rule on Personal Financial Data Rights (Final Rule), which requires depository and nondepository entities to make available to consumers and authorized third parties certain data relating to consumers’ transactions and accounts; establish obligations for third parties accessing a consumer’s data, including privacy requirements; and provide standards for data access. The Final Rule was crafted following the CFPB’s data sharing Notice of Proposed Rulemaking (NPRM) on Oct. 19, 2023, following a Feb. 1, 2023, Small Business Review Panel (SBREFA) and a 2020 ANPRM. Brownstein’s analysis of the Final Rule can be found here.
The rulemaking stems from Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act), which provides that, subject to a CFPB rulemaking, “a covered person shall make available to a consumer, upon request, information in the control or possession of the covered person concerning the consumer financial product or service that the consumer obtained from such covered person, including information relating to any transaction, series of transactions, or to the account including costs, charges and usage data.” Shortly after the Final Rule was released, a banking trade group filed a lawsuit, arguing that the CFPB “exceeded its statutory authority” by requiring banks to provide customers’ financial information to fintech companies and data aggregators.
On May 30, the CFPB filed a motion for summary judgment in the Eastern District of Kentucky, stating that the Section 1033 Final Rule “unlawfully seeks to regulate open banking by mandating the sharing of data with ‘authorized third parties.’” The CFPB’s filing agreed with the plaintiffs on Administrative Procedure Act (APA) violations, including that the rule exceeds statutory authority under Dodd-Frank, arbitrarily prohibits fees and inadequately addresses consumer data privacy risks. The CFPB later reversed course in a July 29 court filing, explaining that due to “recent events in the marketplace,” it would reconsider the rule through an “accelerated rulemaking process.” It noted that it would issue an ANPRM within three weeks.
ANPRM Overview
The CFPB’s ANPRM acknowledges that Section 1033’s statutory text is sparse and leaves key implementation issues unresolved. To structure public input, the bureau poses five core questions that are outlined below.
Scope of Who May Make a Request on Behalf of a Consumer
The ANPRM details that Section 1033 defines a “consumer” as an individual or an agent, trustee or representative acting for that individual, with agents and trustees traditionally bearing fiduciary duties. The CFPB’s Final Rule reads “representative acting on behalf of an individual” to include third parties that access consumer data under specified authorization and obligations. The CFPB now seeks comment on how far the definition of a “representative” should reach.
Defrayment of Costs in Exercising Rights Under Section 1033
Within the ANPRM, the CFPB explains that the Final Rule prohibits data providers from charging consumers or authorized third parties fees to build or maintain required interfaces or to receive or make available covered data. Section 1033 does not explain how to allocate these costs, so the CFPB is seeking comments on whether a fee prohibition is the best reading of the statute and whether allowing fees would obstruct the data access right. The CFPB includes questions on the feasibility of a fee cap or whether consumers should bear some of the costs, among other possibilities.
Information Security Concerns in the Exercise of Section 1033 Rights
The ANPRM acknowledges the uptick in data breaches as the financial system has transitioned to a digital environment. It explains that the Final Rule attempted to address data security by discouraging screen scraping when more secure access is available, requiring adherence to Gramm-Leach-Bliley Act (GLBA) information security standards and allowing data providers to deny access that conflicts with GLBA-aligned policies. The CFPB seeks feedback on whether the Final Rule’s protections are sufficient, as well as stakeholder feedback on the costs of building and maintaining secure systems.
Privacy Concerns in the Exercise of Section 1033 Rights
The CFPB’s ANPRM notes that consumer transaction data can expose sensitive details, and that a consumer’s privacy depends on strictly limiting access to the consumer, covered institutions and expressly authorized third parties. The CFPB highlights that few customers read privacy policies and are unaware of the potential licensure or sale of their data. Subpart D of the Final Rule requires express informed consent from consumers, specific disclosures and limits on the collection, use, retention and disclosure of consumer data. The CFPB asks whether these protections are sufficient and requests comment on how common data licensing or sale is across banks and nonbanks and whether consent is opt-in or opt-out, among other questions.
Compliance Dates
The ANPRM notes that the Final Rule included a series of compliance dates based on the size of the entity, running from April 1, 2026, to April 1, 2030. The CFPB explains that as part of the reconsideration of the Final Rule, the CFPB plans to issue an NPRM to extend the compliance date. The CFPB also seeks comments and data on the costs of implementing the Final Rule to date and how long stakeholders would need if the CFPB were to make substantial revisions to the Final Rule.
Next Steps
Following the conclusion of the ANPRM comment period on Oct. 21, the CFPB is likely to issue the aforementioned NPRM to extend Final Rule compliance dates. Under the Regulatory Flexibility Act and SBREFA, CFPB must convene a Small Business Review Panel before publishing a proposed rule if the proposal may have a significant economic impact on a substantial number of small entities. The CFPB already conducted a Section 1033 SBREFA process in 2023 for the original Final Rule. Whether the CFPB undertakes a new panel before issuing an NPRM could depend on how sweeping the revisions are and the impacts on small entities. The CFPB has never conducted a second SBREFA panel in the past, even when the scope of rules has changed significantly after changes in leadership.
Congress is also working on some related issues concerning data sharing and data privacy. House Financial Services Committee Chairman French Hill (R-AR) and Financial Institutions Subcommittee Chairman Andy Barr (R-KY) issued a request for input (RFI) seeking feedback on potential updates to the federal consumer financial data privacy framework under GLBA, due Aug. 28.
Against this backdrop, the ANPRM is the first step in the CFPB’s rewrite of the Final Rule and provides stakeholders with a formal opportunity to provide feedback on numerous issues. While the bureau is operating on an “accelerated” timeline, the specific timing of a new proposed rule and a later finalized rule remains uncertain.
