Recognizing that the current rule is deeply flawed, the CFPB has issued an ANPR (Advance Notice of Proposed Rulemaking) to rewrite the rule implementing Section 1033 of the Dodd-Frank Act, which relates to consumer access and portability of personal financial data. This ANPR is an opportunity to urge policymakers to adjust the rule to better protect consumers’ financial data. Comments are due by October 21, 2025.

Safeguarding consumer data and guaranteeing that it is shared safely and securely should be central to the governance of a data-sharing ecosystem. Despite the current rule’s intent to establish this, significant gaps persist in guaranteeing privacy protections, risk management, and third-party accountability. In rewriting the rule, the CFPB should address the following gaps:

  • A prohibition on banks charging third parties for access to a consumer’s account data that a financial institution holds. In particular, community banks could face a disproportionate cost burden of paying for continuous API calls from core providers to provide third parties with the individual consumer data.
  • No outright ban on screen-scraping, a method that allows third parties to log in on consumers’ behalf to access their financial data and “scrape” the information.
  • Lack of a liability framework for the risks and responsibilities associated with data sharing and payment initiation.
  • Insufficient oversight and supervision of third parties and fintechs.

Ask the CFPB to close these gaps and adjust these provisions.