On August 22nd, the Consumer Financial Protection Bureau (the “CFPB”) published an advance notice of proposed rulemaking (an “ANPR”) relating to a reconsideration of the CFPB’s current Personal Financial Data Rights Rule (the “Current PFDR Rule”) that had been previously released in late 2024 pursuant to the authority of Section 1033 of the Dodd-Frank Act [1]. The Current PFDR Rule requires that data providers (i.e., banks and other financial institutions) make available to consumers and their authorized third parties (such as FinTech service providers) certain covered data in the data provider’s control or possession concerning a covered consumer financial account.
The validity of the Current PFDR Rule has been challenged in litigation initiated by Forcht Bank, the Kentucky Bankers Association and the Bank Policy Institute. [2] In a motion to stay that litigation, the CFPB has previously signaled that it would be initiating new rulemaking reexamining the Current PFDR Rule.
The ANPR seeks public input on various questions raised by the CFPB relating to Section 1033 and the Current PFDR Rule, such as the following:
1. Who is a “Representative”?
Section 1033 defines a “consumer” to mean “an individual or an agent, trustee, or representative acting on behalf of an individual.” Under the ANPR, the CFPB seeks to clarify what is meant by “representative” and how varying interpretations of that term may impact a consumer’s ability to share and transfer data.
2. Defrayment of Costs
The Current PFDR Rule prohibits a data provider from imposing any fees or charges on a consumer or authorized third party in connection with making available covered data in response to data requests, or maintaining/establishing interfaces to make such transfers of covered data possible. The ANPR notes that Section 1033 is silent with regard to how the costs associated with a consumer’s exercise of rights under the law should be shared.
Among other things, the CFPB is seeking comments on (a) whether the prohibition on fees under the Current PFDR Rule is consistent with the language of Section 1033; (b) whether permitting fees would obstruct the data access rights that Congress contemplated when it passed Section 1033; (c) the estimated range of costs that would be incurred by data providers in complying with Section 1033; and (d) whether a data provider should be able to recover a “reasonable rate” to offset Section 1033 compliance costs and, if so, whether the CFPB should be able to set a cap on such rates.
3. Data Security
The Current PFDR Rule addresses security concerns in several ways, including restricting the use of screen scraping and requiring adherence to applicable information security standards under the Gramm-Leach-Bliley Act (“GLBA”).
In the ANPR, the CFPB asks whether the measures in the Current PFDR Rule are adequate, and seeks information on the costs of establishing security programs to protect customer financial information in its acquisition, storage and transmission. The CFPB also seeks comments on whether the GLBA standards are the correct measuring stick for protecting consumer financial data accessed from a data provider, and what other measures should be considered.
4. Data Privacy
In addition to data security, the ANPR raises questions relating to data privacy, given that financial transactions open a window into a consumer’s “habits and lifestyle.” The Current PFDR Rule requires third parties to obtain a consumer’s express informed consent to access covered data on behalf of the consumer and limits a third party’s collection, use and disclosure of such data.
In the ANPR, the CFPB seeks comments on whether the Current PFDR Rule provides sufficient consumer privacy protection. It also seeks information on the prevalence of licensing and selling of consumer financial data by financial institutions and other companies with a fiduciary duty to their clients. Additionally, the CFPB asks for estimates on the percentage of consumers that actually read/understand user agreements and privacy notices, and how the method of receiving consent for data licensure/sale (e.g., opt-in or opt-out) impacts the prevalence of such licensure or sale.
In addition to raising the above questions, the CFPB announced in the ANPR that it plans to issue a Notice of Proposed Rulemaking to extend the compliance dates under the Current PFDR Rule as well.[3]
Conclusion
The CFPB’s reopening of rulemaking on Section 1033 is not surprising, given the agency’s lack of effort in defending the pending lawsuit challenging the Current PFDR Rule[4] and its pause on enforcement efforts across the board earlier this year. The ANPR does not signal a complete 180° from the Current PFDR Rule, but does show that the CFPB may be looking to alter that rule in key ways including with respect to fees, the entities that may be able to request and access consumer data and the security and privacy measures that should apply with respect to consumer data accessed pursuant to Section 1033.
[1] MVA blog post
[2] See Forcht Bank, N.A. v. Consumer Financial Protection Bureau, Case No. 5:24-cv-00304-DCR, Defendants’ Status Report (filed May 23, 2025) (ECF No. 57). https://storage.courtlistener.com/recap/gov.uscourts.kyed.106299/gov.uscourts.kyed.106299.57.0.pdf; Plaintiff’s Brief In Support of Their Motion for Summary Judgment (filed May 30, 2025) (ECF No. 59-1) https://storage.courtlistener.com/recap/gov.uscourts.kyed.106299/gov.uscourts.kyed.106299.59.1.pdf.
[3] The compliance dates for the Current PFDR Rule run from April 1, 2026 through April 1, 2030 (depending on the size of the data provider/financial institution).
[4] In the pending litigation, the CFPB asked the Court to grant the plaintiff’s motion for summary judgment, arguing that the Current PFDR Rule is unlawful. See Forcht Bank at note 1 above.