Section 1033 Final Rule: Quick Takes on Key Changes — Deadlines, Scope, and Secondary Use
October 23, 2024 | 3 min read
The Consumer Financial Protection Bureau’s (CFPB) notice of proposed rulemaking (NPRM) for personal financial data rights under Dodd-Frank Act Section 1033 generated more than 11,000 comments from banks, credit unions, fintechs, industry groups, and other third parties.
As part of the comment period, MX also shared its perspective on the proposed rule. We applaud the CFPB for advancing the cause of financial empowerment by proposing a rule that would make enforceable the Congressional directive that consumers have access to data regarding their financial products and services, and to do so in a way that mitigates financial risks and reduces potential consumer harm.
Learn more about MX’s recommendations to enhance the proposed rule and what it means for our clients, partners, and the consumers we collectively serve. Read the whitepaper.
We believe that the success of the financial industry, future innovation, and the financial health of Americans can all be greatly enhanced by clearer data rights and by the implementation of this rulemaking. But there is still much work to be done. We expect more engagement and questions over the next six or more months as the CFPB evaluates comments and makes revisions ahead of a final rulemaking, likely in late fall 2024.
Here’s our summary of 10 key themes based on these industry responses:
1. Scope. The proposed rule would apply only to a narrow set of covered entities: providers of asset accounts subject to Regulation E, credit cards subject to Regulation Z, and payment facilitators. That leaves most of the financial ecosystem, and a large share of consumer financial data, outside the rule's scope, including loans, investments, retirement accounts, and more.
2. Secondary use. The proposed limits on secondary use would prevent companies from using consumer-permissioned data in ways that benefit the consumer and support greater competition and innovation.
3. Liability. Ambiguity in the liability definitions could produce varying interpretations and more confusion. Many comments call for more explicit statements on third-party risk management and on liability for mishandling of data or for data breaches.
4. Fees. The proposed rule does not allow financial institutions (FIs) to charge for data access. Industry comments are split between FIs that want to charge and industry groups that believe such costs would harm consumers.
5. Standards-setting. Many responses agree with the premise of an industry standards-setting organization (SSO) but worry about the practicalities and timing. Several ask the CFPB to designate an SSO before the final rulemaking, to minimize disruption to the data-sharing environment and avoid delaying the industry's ability to implement the rule.
6. Transition from screen scraping. The proposed rule gives no guidance on how to move from screen scraping, which relies on consumers handing their login credentials to a third party, to an API without disrupting operations or consumer access to data. Comments ask for clarity so that data providers do not simply shut off access in order to comply, but instead keep data flowing during the transition.
7. Consent and authentication. There is universal support for strong authorization and authentication protocols to keep consumer data safe. Even so, comments encourage the CFPB to streamline consumer consent so it does not add friction or undue burden for the individual, and to clarify authentication processes so that risk is minimized.
8. Tokenized account numbers. Tokenized account numbers (TANs) can provide security and privacy advantages, but they are not standardized today, and that lack of standardization increases risk for consumers, merchants, and financial services providers.
9. Overlap with other rules. Many comments ask the CFPB to clarify how the Section 1033 rules overlap with other regimes such as the Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act (FCRA). Several of these regulations overlap significantly, and their combined impact on financial providers is not yet fully understood.
10. Compliance timelines. Many commenters raise concerns about the proposed compliance timelines, citing the need for more time to meet the requirements and operationalize an API without interrupting consumer access in the meantime.