BPI Responds to CFPB’s Advance Notice of Proposed Rulemaking Reconsidering Section 1033 Rule

Dear Acting Director Vought:

The Bank Policy Institute^[1] appreciates the opportunity to comment on the Advance Notice of Proposed Rulemaking on Personal Financial Data Rights ("ANPR")^[2] issued by the Consumer Financial Protection Bureau pursuant to Section 1033 of the Dodd-Frank Act.^[3] We support innovation and the underlying principle of Section 1033 that individual consumers have the right to their financial information in standardized formats that makes it easy to use. We also agree that consumers should have the ability to control with whom their data is shared and the terms on which it is shared.

The 2024 Personal Financial Data Rights Rule ("PFDR Rule") issued under prior CFPB leadership far exceeds the authority granted it by Congress in Section 1033 and puts consumers and their data at risk. The CFPB now has an opportunity to correct that overreach. As the current CFPB leadership has recognized, Section 1033 "was intended simply to ensure that [individual] consumers would have access to their own information," and there is "no evidence that Congress in 2010 authorized (or even contemplated) a comprehensive open-banking regime or the scale of data-sharing the Rule mandates when it enacted this relatively concise provision in Section 1033 . . . "^[4] Indeed, Barney Frank, one of the key architects of the Dodd-Frank Act, recently confirmed that Section 1033 was never intended to support the kind of expansive data sharing mandate adopted in the PFDR Rule.^[5]

Section 1033 neither requires nor authorizes the CFPB to interfere with an innovative data sharing ecosystem in the United States. Current CFPB leadership found the PFDR Rule's requirements unlawful in several respects, including that the agency lacks the authority to mandate data sharing with commercial entities or prohibit data providers from charging fees to third parties for providing secure access to consumers' sensitive financial data.^[6]

Moreover, the PFDR Rule would disrupt the robust and competitive consumer permissioned data sharing ecosystem that exists today. Revising the PFDR Rule in line with a faithful reading of Section 1033 would still allow individuals to continue to access their financial information and to grant third parties access to that information as they do today but would do so in a way that protects the security and privacy of that data. As is the case today, fees, information security protections, liability, and privacy protections, among other things, would continue to be determined via arms-length negotiations between banks, fintechs, and data aggregators through normal market operations. Indeed, the market is functioning well without government regulation, as evidenced most recently by JPMorganChase and Plaid's announcement that they had reached an agreement under which Plaid will compensate the bank for the ability to access its secure data sharing API.^[7]

The PFDR Rule undermines this well-functioning marketplace and places consumers and their data at substantial risk. It mandates that banks and other data providers share a massive volume of sensitive consumer financial data with third-party commercial entities, thereby exposing that data to significantly more threats. Yet, the PFDR Rule hamstrings banks' ability to protect that data. For example, the PFDR Rule fails to establish robust data protection requirements or supervisory oversight for fintechs or data aggregators, prohibits banks from charging fees for providing secure data access or the data itself, and fails to allocate liability among data providers, fintechs, and aggregators. The PFDR Rule also limits banks' risk management discretion to deny third-party data access requests. Furthermore, the mere fact of the mass data sharing mandate will significantly reduce third-party fintechs' and data aggregators' incentives to protect consumer data and limit banks' ability to negotiate the terms of sharing consumers' sensitive data. Thus, the PFDR Rule will undermine the competitive and safe functioning of the consumer financial data sharing ecosystem.

The robust data sharing ecosystem that exists today has developed solely as a result of private sector efforts and without a government mandate. The CFPB lacks authority to interfere in this market, and such interference will disrupt the ecosystem and leave consumers more vulnerable to harm. Thus, we support the CFPB's substantial narrowing of the Rule, consistent with the authority Congress granted the agency in Section 1033. In addition, revising the Rule to align with the authority Congress granted would further the goals of Executive Order 14219 and the accompanying Memorandum, which directed agencies to identify and repeal regulations that are unlawful or that exceed the scope of their delegated authority.^[8]

[1] The Bank Policy Institute is a nonpartisan public policy, research and advocacy group that represents universal banks, regional banks and the major foreign banks doing business in the United States. The Institute produces academic research and analysis on regulatory and monetary policy topics, analyzes and comments on proposed regulations and represents the financial services industry with respect to cybersecurity, fraud and other information security issues.

[2] Consumer Financial Protection Bureau, "Personal Financial Data Rights Reconsideration," Advance Notice of Proposed Rulemaking, 90 Fed. Reg. 40,986 (Aug. 22, 2025).

[3] 12 U.S.C. § 5533.

[4] Defendants' Memorandum in Support of Their Motion for Summary Judgment at 11, Forcht Bank v. Consumer Financial Protection Bureau, 5:24-cv-00304-DCR, May 30, 2025) [hereinafter CFPB Summary Judgment Memorandum].

[5] Evan Weinberger, Bloomberg Law, Jamie Dimon Is Right' on Data Access Fees, Barney Frank Says, (Sept. 9, 2025), 'Jamie Dimon Is Right' on Data Access Fees, Barney Frank Says.

[6] CFPB Summary Judgment Memorandum, supra n. 4 at sections I.A. and I.B.

[7] JPMorganChase Press Release: JPMorganChase and Plaid announce an extension to their data access agreement for sharing of consumer permissioned data (Sept. 16, 2025), JPMorganChase and Plaid announce an extension to their data access agreement for sharing of consumer permissioned data.

[8] Executive Order 14219 of February 19, 2025, Ensuring Lawful Governance and Implementing the President's "Department of Government Efficiency" Deregulatory Initiative. 90 Fed. Reg. 10583 (Feb. 25, 2025).