Personal Financial Data Rights Reconsideration

CONSUMER FINANCIAL PROTECTION BUREAU <CFR>12 CFR Part 1033</CFR> <DEPDOC>[Docket No. CFPB-2025-0037]</DEPDOC> <RIN>RIN 3170-AB39</RIN> <SUBJECT>Personal Financial Data Rights Reconsideration</SUBJECT> <HD SOURCE="HED">AGENCY:</HD> Consumer Financial Protection Bureau. <HD SOURCE="HED">ACTION:</HD> Advance notice of proposed rulemaking. <SUM> <HD SOURCE="HED">SUMMARY:</HD> The Consumer Financial Protection Bureau (CFPB or Bureau) is seeking comments and data to inform its consideration of four issues related to implementation of section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act). These issues are: the proper understanding of who can serve as a “representative” making a request on behalf of the consumer; the optimal approach to the assessment of fees to defray the costs incurred by a “covered person” in responding to a customer driven request; the threat and cost-benefit pictures for data security associated with section 1033 compliance; and the threat picture for data privacy associated with section 1033 compliance. </SUM> <EFFDATE> <HD SOURCE="HED">DATES:</HD> Comments must be received on or before October 21, 2025. </EFFDATE> <HD SOURCE="HED">ADDRESSES:</HD> You may submit responsive information and other comments, identified by Docket No. CFPB-2025-0037 by any of the following methods: • <E T="03">Federal eRulemaking Portal: https://www.regulations.gov.</E> Follow the instructions for submitting comments. • <E T="03">Email: 2025-ANPR-PersonalFinancialDataRights@cfpb.gov.</E> Include Docket No. CFPB-2025-0037 in the subject line of the message. • <E T="03">Mail/Hand Delivery/Courier:</E> Comment Intake—Personal Financial Data Rights Reconsideration, c/o Legal Division Docket Manager, Consumer Financial Protection Bureau, 1700 G Street NW, Washington, DC 20552. <E T="03">Instructions:</E> The CFPB encourages the early submission of comments. All submissions should include the agency name and docket number. Additionally, where the Bureau has asked for specific comment on a topic, commentors should seek to highlight the topic to which its comment is applicable. Because paper mail is subject to delay, commenters are encouraged to submit comments electronically. In general, all comments received will be posted without change to <E T="03">https://www.regulations.gov.</E> All submissions, including attachments and other supporting materials, will become part of the public record and subject to public disclosure. Proprietary information or sensitive personal information, such as account numbers or Social Security numbers, or names of other individuals, should not be included. Submissions will not be edited to remove any identifying or contact information. <FURINF> <HD SOURCE="HED">FOR FURTHER INFORMATION CONTACT:</HD> Dave Gettler, Paralegal Specialist, Office of Regulations, at 202-435-7700 or at: <E T="03">https://reginquiries.consumerfinance.gov/.</E> If you require this document in an alternative electronic format, please contact <E T="03">CFPB_Accessibility@cfpb.gov.</E> </FURINF> <SUPLINF> <HD SOURCE="HED">SUPPLEMENTARY INFORMATION:</HD> <HD SOURCE="HD1">I. Background</HD> Technology has made it possible to store, analyze, and share personal financial data electronically, and interest has grown within the financial services industry and among policymakers in the potential benefits of bolstering consumers' rights to access personal financial data. Consistent with this desire to increase consumers' access to their financial information, section 1033(a) of the Dodd-Frank Act provides that, subject to rules issued by the CFPB, consumers shall have access to requested information in the control or possession of financial entities relating to the products or services obtained from those financial entities. Section 1033 of the Dodd-Frank Act, codified as 12 U.S.C. 5533, outlines the requirement for “covered persons” to make financial transaction data available to consumers and authorized third parties upon request, under rules prescribed by the Bureau. The statutory text of section 1033 is quite sparse and does not specifically address several important questions that arise from the rights it creates, in particular: (a) precisely who may act on behalf of the consumer; (b) how the costs of effectuating such rights may be defrayed by the “covered person” providing the data; (c) the potential negative consequences to the consumer of exercising this right in an environment where there are tens of thousands of malign actors regularly seeking to compromise data sources and transmissions; (d) the potential negative consequences to the consumer in exercising this right where the data contains information that the consumer may not want disclosed, but does not fully understand or realize may be disclosed by the third party through which it has made a request; and (e) the potential benefits to consumers or competition of facilitating the consumer-authorized transfer of data to financial technology companies, application developers, and other third parties. The structure of section 1033 consists of the following: • A general articulation of the scope of the information that may be obtained by the consumer. (Sub-section A) • An explicit list of exceptions laying out information a covered person is not required to provide. (Sub-section B) • An explicit statement that section 1033 does not impose any duty on a covered person to maintain or keep any information about a consumer. (Sub-section C) • Authorization for the CFPB to prescribe standards for how information will be transmitted to consumers. (Sub-section D) • The inter-agency consultation requirements when prescribing rules implementing section 1033. (Sub-section E) On November 18, 2024, the Bureau published the Personal Financial Data Rights final rule (PFDR Rule) under section 1033. <SU>1</SU> <FTREF/> In general, the PFDR Rule applies to financial institutions, which it describes as “data providers,” that issue credit cards, hold transaction accounts, issue devices to access an account, or provide other types of payment facilitation products or services. The rule generally requires these financial institutions to provide information about transactions, costs, charges, and usage to consumers upon request. And the rule contains additional provisions regulating how covered data are to be made available and the mechanics of data access, and provisions establishing authorization procedures and obligations for third parties seeking to access covered data from data providers. A bank, a national trade association representing banks, and a State trade association representing banks filed a lawsuit challenging the PFDR Rule in the United States District Court for the Eastern District of Kentucky. <SU>2</SU> <FTREF/> On July 29, 2025, the court granted a motion to stay proceedings in the case, following the Bureau's announcement that it “seeks to comprehensively reexamine this matter alongside stakeholders and the broader public to come up with a well-reasoned approach . . . that aligns with the policy preferences of new leadership and addresses the defects in the [PFDR Rule].”  <SU>3</SU> <FTREF/> <FTNT> <SU>1</SU>  89 FR 90838 (Nov. 18, 2024). In June 2024, the Bureau finalized a portion of the proposal, regarding attributes a standard-setting body must possess to receive CFPB recognition and establishing the application process for CFPB recognition. 89 FR 49084 (June 11, 2024). The June 2024 rule was then incorporated into the November 2024 final rule. </FTNT> <FTNT> <SU>2</SU>   <E T="03">Forcht Bank, N.A.</E> v. <E T="03">CFPB,</E> No. 5:24-cv-00304 (E.D. Ky. 2024). </FTNT> <FTNT> <SU>3</SU>  Order Granting Motion to Stay, No. 5:24-cv-00304 (July 29, 2025) (ECF No. 83). </FTNT> <HD SOURCE="HD1">II. Executive Order 12866</HD> The Office of Information and Regulatory Affairs within the Office of Management and Budget (OMB) has determined that this action is a “significant regulatory action” under Executive Order 12866, as amended. Accordingly, the OMB has reviewed this action. <HD SOURCE="HD1">III. Questions</HD> <HD SOURCE="HD2">Scope of Who May Make a Request on Behalf of a Consumer</HD> As the term is used in section 1033 of the Dodd-Frank Act, a “consumer” is defined as an individual or an agent, trustee, or representative acting on behalf of an individual. 12 U.S.C. 5481(4). At common law, an agent has fiduciary duties such as those of care, loyalty, good faith, and confidentiality. Also at common law, a “trustee” has these fiduciary duties as well as any specific duties that are required by the terms of the trust. The PFDR Rule interpreted the phrase “representative acting on behalf of an individual” to include third parties that access consumers' data pursuant to certain authorization procedures and substantive obligations. <SU>4</SU> <FTREF/> The Bureau estimated that “more than 100 million consumers have used consumer-authorized data access” in the U.S. via third parties as of 2024. <SU>5</SU> <FTREF/> The Bureau is seeking comments generally on the proper scope of how the term “representative” should be interpreted. Specifically, the Bureau requests comments on the following questions: <FTNT> <SU>4</SU>   <E T="03">See</E> 12 CFR part 1033, subpart D. </FTNT> <FTNT> <SU>5</SU>   <E T="03">See</E> 89 FR 90838 at 90958. </FTNT> 1. What is the plain meaning of the term “representative?” Does the PFDR Rule's interpretation of the phrase “representative acting on behalf of an individual” represent the best reading of the statutory language? Why or why not? 2. Are there other provisions in Federal statutes or financial services market practice in which third parties authorized to act on behalf of an individual encompass, on an equivalent basis, bot ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ Preview showing 10k of 27k characters. Full document text is stored and available for version comparison. ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━