Protecting Members and Their Data in the CFPB’s Proposed PFDR Rule

The MD|DC Credit Union Association recently submitted comments on the CFPB's Personal Financial Data Rights Rule. The bureau is reconsidering four issues related to implementation of section 1033 of the Dodd-Frank Act (Open Banking Rule). A final rule was established in 2024, but the CFPB reopened the rule for public comment.

In a letter to the CFPB, the Association addressed those key areas:

Keeping Member Information Safe
The Association urged the CFPB to clearly define who can act as a member's "representative" when requesting financial data. Today, scammers and companies that profit from selling personal information pose serious risks. By limiting who can access member data, we can help prevent fraud.

Fairness in Covering Costs
The proposal would prohibit credit unions from charging even small service fees to process member data requests. The Association believes that's unfair. Because credit unions are cooperatives, any new mandate affects all members. Allowing reasonable cost recovery ensures that funds can continue to support lower loan rates, dividends, and better services for everyone.

Stronger Data Security Standards
Credit unions already meet some of the highest cybersecurity standards in the financial industry. Forcing them to share sensitive data with third parties that may not have the same protections increases the risk of breaches and fraud. Once data leaves a credit union's control, it's much harder to safeguard.

Time to Comply
The Association also asked the CFPB to give credit unions more time to implement these complex changes. Building secure technology systems takes time and resources.