Personal Financial Data Rights Reconsideration

On August 22, 2025, the CFPB published an Advance Notice of Public Rulemaking on its plan to revise the open banking rule. This starts the accelerated rulemaking process to replace the cancelled 2024 rule.

The ANPR asks the following questions:

Scope of Who May Make a Request on Behalf of a Consumer

  1. What is the plain meaning of the term “representative?” Does the PFDR Rule’s interpretation of the phrase “representative acting on behalf of an individual” represent the best reading of the statutory language? Why or why not?
  2. Are there other provisions in Federal statutes or financial services market practice in which third parties authorized to act on behalf of an individual encompass, on an equivalent basis, both those having fiduciary duties and those who do not?
  3. Does the statutory reference to an “agent, trustee, or representative” indicate that “representative” is intended to encompass only those representatives that are serving in a fiduciary capacity? If a “representative” under 12 U.S.C. 5481(4) is interpreted to be an individual or entity with fiduciary duties, what are the distinctions between an “agent” and a “representative” for purposes of section 1033?
  4. In seeking the best reading of the statutory language, what evidence or interpretive principles should the Bureau consider with respect to the term “representative?”
  5. If a “representative” under 12 U.S.C. 5481(4) is interpreted to mean an individual or entity with fiduciary duties, to what extent would it limit customers’ ability to transfer their transaction data to third parties under section 1033 or the ability of financial technology and other third-party service providers to compete with incumbent market participants?
  6. Does the requirement in section 1033 for the Bureau to prescribe standards promoting the development and use of standardized formats for information made available under section 1033 illuminate the types of entities that should be considered “consumers” or have any other implications for how “representative” under 12 U.S.C. 5481(4) should be interpreted?
  7. If a “representative” under 12 U.S.C. 5481(4) is interpreted not to be required to have fiduciary duties, what elements are required in establishing that the individual is a “representative” acting on behalf of the consumer?
  8. Are there any legal precedents or other considerations relevant to the above questions based on the applicability of the same definition of “consumer” to other Dodd-Frank Act provisions?

Defrayment of Costs in Exercising Rights Under Section 1033

  1. Does the PFDR Rule’s prohibition on fees represent the best reading of the statute? Why or why not?
  2. Was the PFDR Rule correct to conclude that permitting fees “would obstruct the data access right that Congress contemplated”? Why or why not?
  3. What is a reasonable range of estimates regarding the fixed costs to “covered persons” of putting in place the standards required by sub-section D of section 1033 and the operational architecture to intake, document, and process requests made by consumers, including natural persons and persons acting on behalf of a natural person (i.e., an agent, trustee, or representative)? How do these estimates vary by the size of the covered financial institution?
  4. What is a reasonable range of estimates regarding the marginal cost to covered financial institutions of responding to requests made under the auspices of section 1033? How do these estimates vary by the size of the covered financial institution?
  5. How is the range above affected by the need of the “covered person” to confirm that an agent, trustee, or representative acting on behalf of an individual has actually been authorized by the consumer to act on their behalf?
  6. Is there any legal precedent from other Federal statutes, not involving Federal criminal law or provision of services by the U.S. Government, where there is a similar omission of explicit authorization to the agency to set a cost sharing balance in effectuation of a new statutory right and, if so, what principles has the court allowed the agency to use in establishing a proper balance?
  7. Absent any legal precedent from other laws, should covered persons be able to recover a reasonable rate for offsetting the cost of enabling consumers to exercise their rights under section 1033? Why or why not?
  8. If covered persons should be able to recover a reasonable rate for offsetting the costs of enabling consumers to exercise their rights under section 1033, should the Bureau place a cap on the upper bounds of such rates that can be charged? If so, what should the cap be on such rates, and why? If not, why not?
  9. If consumers ought to bear some of the cost in implementing requirements under section 1033, should that be shared by every consumer of a covered person, including those who may not wish to exercise their rights under section 1033?

Information Security Concerns in the Exercise of Section 1033 Rights

  1. Does the PFDR Rule provide adequate protections for the security of consumer’s data? Why or why not?
  2. What are the fixed costs of establishing an information security architecture that is capable of ensuring, in the absence of compromise of operational protocols, that customer financial information can be securely acquired, stored, and transmitted, by the consumer, from a “covered person” to the consumer?
  3. How do the fixed costs above relate to the number of clients serviced by the covered person or a person acting on behalf of an individual consumer? Is the market providing reasonably priced solutions to meet the provisions of the PFDR Rule for covered persons with few customers?
  4. In what way does the existence or non-existence of a fiduciary relationship affect the incentives in doing cost-benefit analysis regarding the level of information security established?
  5. Are there any peer-reviewed studies discussing whether levels of information security materially vary between those businesses that have fiduciary duties to their clients and those that do not?
  6. In the case of large-scale data breaches, what is the general cost per client in protecting such clients from the risks created by the breach, and how well-cushioned must working capital reserves be to respond to such breaches?
  7. What has been the experience of covered persons with secure storage and transmission of consumer financial data and how effective have such institutions been in establishing controls and information security protocols?
  8. Covered persons are subject to several legal obligations regarding risk management, such as safety and soundness standards, Bank Secrecy Act (BSA) requirements, and Anti-Money Laundering (AML) regulations. What should covered persons consider under these legal obligations when making information available to consumers? How could the PFDR Rule’s interface access provision better allow covered persons to satisfy these legal obligations?
  9. What are the costs and benefits of the PFDR Rule’s reliance on existing information security standards in the GLBA?
  10. To what information security standards ought entities adhere when accessing consumer financial data held by a covered person, and who is best positioned to evaluate whether these entities are adhering to such standards?
  11. What are the costs and benefits of the PFDR Rule’s provisions designed to reduce the use of screen scraping? What changes would better protect the security of consumer credentials?
  12. Does the PFDR Rule provide adequate protections for consumers and covered persons to ensure that the request for a consumer’s information is in fact knowingly authorized by the individual consumer and that the information is in fact being made available to the consumer as opposed to a malicious actor?

Privacy Concerns in the Exercise of Section 1033 Rights

  1. Does the PFDR Rule provide adequate protection of consumer privacy? Why or why not?
  2. How prevalent is the licensure or sale of consumer financial data by bank and non-bank financial institutions, where customers either have the right to opt into or opt out of having their data licensed or sold? What is the approximate balance between such regimes where the customer is given a choice?
  3. How prevalent is the licensure or sale of consumer financial data by bank and non-bank financial institutions where consent to license or sale is part of a standard user agreement or privacy notice?
  4. What is the prevalence of licensure or sale of consumer data by companies with a fiduciary duty to their clients?
  5. What estimates exist on the percentage of financial service platform users who actually read and/or understand user agreements and privacy notices in their entirety?

Compliance Dates

  1. Have entities encountered unexpected difficulties or costs in implementing the PFDR Rule to date?
  2. If the Bureau were to make substantial revisions to the PFDR Rule, how long would entities need to comply with a revised rule? How would the necessary implementation time vary based on the size of the entity covered by the rule?

Responses are due back to the CFPB by October 21, 2025.

 


Copyright © 2026 Compliance Services Group. All Rights Reserved.
