Consumer group warns against changes to CFPB rule on personal financial data
As the Consumer Financial Protection Bureau mulls changes to the rule that gives the public more control over their personal financial data, a leading advocacy group is urging the agency to not go backwards on privacy and accessibility.
In a letter sent Tuesday to the CFPB, Consumer Reports made the case that the agency’s rulemaking on personal financial data rights should strengthen privacy and security protections in data-sharing “while addressing implementation challenges.”
“Consumers deserve strong privacy and security protections without having to give up access to beneficial services,” Delicia Hand, Consumer Reports’ senior director of digital marketplace, wrote in the letter. “These safeguards are critical and shouldn’t be used to limit competition or access to services that improve their financial lives.”
Under section 1033 of the 2010 Dodd-Frank Act, banks and other financial institutions are required to make transaction data available to consumers upon request, as well as information about financial products or services a consumer obtained from a “covered entity.”
In October 2024, the rule expanded no-cost consumer access to data on their credit cards, payment apps, digital wallets, checking accounts and prepaid accounts. If a customer chooses to share such data with other financial firms, the third parties in question are required to obtain consumer consent. Those third parties are also limited in how they can use consumer financial data.
As part of its “reconsideration” of the rule, the CFPB said it is seeking an “optimal approach” with “fees to defray the costs incurred” by entities fulfilling consumer data requests. The agency also said it would assess “the threat and cost-benefit pictures for data security” associated with compliance with the rule.
Consumer Reports bristled at the possibility of the agency reversing course on the rule’s no-fee component.
“Consumers should never have to pay to access their own financial information,” Hand wrote. “Allowing financial firms to charge customers to access their personal data would undermine the whole purpose of the open banking rule and prevent many people from seeking out better deals and services with other providers.”
The rulemaking comes at a time when the agency is operating with a bare-bones staff. Russell Vought, the Office of Management and Budget director, has moonlighted as the CFPB’s acting director since February, following the Trump administration’s gutting of the agency. Vought said during an appearance last week on The Charlie Kirk Show that he’d like to completely shut down the agency in the next few months.
Changes to the personal financial data rights rule have broad support from industry. The Bank Policy Institute, a powerful lobbying group that represents dozens of major financial institutions, said Tuesday in a letter to the CFPB that it supports the “underlying principle of Section 1033 that individual consumers have the right to their financial information” and that consumers “should have the ability to control with whom their data is shared and the terms on which it is shared.”
But BPI said the 2024 expansion to the rule “far exceeds the authority granted it by Congress … and puts consumers and their data at risk.”
“The CFPB now has an opportunity to correct that overreach,” BPI wrote.
