Consumer Financial Data Protection

What is Section 1033? 

Section 1033 goes by many names, including open banking, consumer-permissioned data sharing, and personal financial data rights, but they all boil down to the same thing. As personal budgeting and investing apps become more popular, establishing guardrails around consumer personal financial data access and portability has become increasingly important. Consumers want access to their personal financial data, and the market has generally worked to fulfill that demand. Section 1033 of the Dodd-Frank Act requires the Consumer Financial Protection Bureau (CFPB) to set rules and guardrails around consumer access to financial data, but the sparse statute has created ambiguity around how much applies to third-party companies acting pursuant to the consent of consumers. This is a particularly important question for fintechs and other third parties such as data aggregators.

The CFPB finalized a rule about access to financial data in October of 2024, but it unlawfully exceeded its statutory authority and failed to incorporate sufficient safeguards to ensure consumers are protected in a market of free-flowing data.  

Banks have long supported consumer access to their data in a safe and secure manner, but the current rule raises significant concerns around privacy, information security, risk management, and appropriate liability.  

Recognizing that the current rule is deeply flawed and may have failed in its purpose, the current CFPB has issued an Advance Notice of Proposed Rulemaking (ANPR) with comments due October 21, 2025, giving interested parties and the public an opportunity to share concerns and provide recommendations.

Which provisions could benefit from revision in 1033? 

Protecting consumers’ data while maintaining privacy and security should be central to a revised rule. The current rule as written left gaps in achieving this, which should be corrected by adjusting the following provisions to: 

  • Allow data providers to charge third parties for APIs – Because data providers (i.e. the financial institution with which a consumer holds an account) are not allowed to charge third parties (e.g. mobile apps and third-party programs like budgeting or financial planning tools) a fee to access a consumer’s data, the entire expense of making the data easily available falls on the financial institution, even though it is the third-party program or app that benefits from having access to that data. Allowing financial institutions to charge for third-party access will help to ensure third parties are responsibly accessing and protecting consumer data. Allowing fees is consistent with common practice in other API-facilitated data sharing, including when data aggregators charge fees to downstream third parties to access the data collected from banks.
  • Explicitly ban screen-scraping – The CFPB should ban the dangerous practice of screen-scraping, which leaves consumers’ account credentials and information open to fraud and security risks. In financial services, screen-scraping requires a user to provide the username and password to their accounts, which the screen-scraping tool then saves and uses to continuously pull consumer data from the financial institution. The current CFPB rule provides inadequate safeguards around this practice, putting consumer privacy and data at risk.
  • Establish a liability framework – The rule leaves the data provider responsible for investigation and restitution if there is an error or fraud rather than the party at fault. The risk is particularly pronounced in payment initiation use cases. This should be corrected, so that it’s transparent to consumers how their data is protected and equitable to the businesses operating in the chain.  
  • Regulate third parties – The rule provides no oversight or supervision for third parties, such as non-financial-institution mobile apps and programs, that play a major role in the data-sharing ecosystem.

What can be done? 

The CFPB could refine the rule to follow the law while also establishing clear requirements and safeguards to protect consumer privacy and data security. Revisions addressing the concerns regarding screen-scraping, liability, third-party regulation and fees would ensure that parties involved in the data-sharing ecosystem are held accountable and that consumers’ financial data is safe and secure.
