The CFPB’s PFDR Rule Revisited: Comments Reveal Deep Divides on Definition of “Consumer,” Fees, Security and Privacy


October 30, 2025

The Consumer Financial Protection Bureau (CFPB) is once again at the center of a heated debate as it reconsiders its Personal Financial Data Rights (PFDR) Rule under Section 1033 of the Dodd-Frank Act. The Bureau’s Advance Notice of Proposed Rulemaking (ANPR) sought public input related to its reconsideration of four pivotal questions at the heart of the PFDR Rule:

  1. Who qualifies as a “representative acting on behalf of an individual” able to request an individual consumer’s data?
  2. Should data providers be able to charge fees to respond to requests?
  3. Does the PFDR Rule adequately address data security concerns?
  4. Does the PFDR Rule adequately address privacy concerns?

Below, we summarize feedback submitted by a broad range of commenters, including (1) banks and their trade associations, (2) fintechs, data aggregators, merchants and their respective trade associations, and (3) consumer advocates and public interest groups. We also note a few other issues raised by the comments and explain what the industry might expect next.

Commenters’ Response to CFPB Questions

1. Who qualifies as a “representative acting on behalf of an individual” able to request an individual consumer’s data?

Section 1033 of the Dodd-Frank Act requires covered persons to “make available to a consumer, upon request, information in the control or possession of the covered person concerning the consumer financial product or service that the consumer obtained from such covered person.” The term “consumer” is defined, in turn, to include “an individual or an agent, trustee, or representative acting on behalf of an individual.” The existing PFDR Rule considers any third party who has complied with the Rule’s authorization procedures to be a “representative acting on behalf of an individual” consumer.

Major banks and their trade associations urged the CFPB to adopt a narrower understanding of the term “representative acting on behalf of a consumer.” Echoing arguments advanced in pending litigation challenging the PFDR Rule, these commenters contend that Section 1033’s reference to “an agent, trustee, or representative acting on behalf of an individual” should be limited to those with a fiduciary duty to the consumer, such as legal guardians or court-appointed representatives, and should not be extended to commercial entities tied only to the consumer through a contractual relationship. These comments also argue that the PFDR’s broader data access right is unnecessary, as the market has developed a data sharing ecosystem that supports beneficial use cases. As the American Bankers Association put it, “[w]hile the statutory scope of 1033 is narrow, the permissioned data sharing market in the US is robust and thriving, and has been in the absence of CFPB rulemaking.”

Fintechs, data aggregators, blockchain companies, merchants and their trade associations, by contrast, urged the CFPB to maintain the existing PFDR Rule’s interpretation of “consumer” to include “authorized third parties.” These commenters maintain that both the plain text of the statutory definition and the presumption against surplusage suggest that a “representative acting on behalf of an individual” must mean something other than a fiduciary and warn that a narrower reading would inhibit competition and stifle innovation, including in the emerging cryptocurrency space. For example, a joint trade letter submitted on behalf of several fintech, crypto and merchant trade associations warned that large data providers “have every incentive to limit who can access consumer data,” and that a “strong 1033 rule” is needed to ensure safe and secure consumer data sharing.

Consumer advocates and nonprofits were generally supportive of the existing PFDR Rule’s broader data access right. For example, the Financial Health Network opined that the obligations of authorized third parties under the existing Rule were, in some respects, “more demanding, and in other respects, less demanding” than the obligations of fiduciaries, and that this is both a “lawful exercise of the CFPB’s rulemaking authority and a resolution well calibrated to achieve a secure, well-functioning data sharing ecosystem.”

2. Should data providers be able to charge fees to respond to requests?

Banks and their trade associations oppose the PFDR Rule provision that prohibits data providers from imposing fees for data access. Consistent with arguments it has raised in the pending litigation over the Rule, the Bank Policy Institute (BPI) contends that Section 1033 is silent regarding “whether banks may charge fees for providing secure access to consumers’ sensitive data” and that this “silence is telling” because, when Congress has intended to prohibit fees, it has done so expressly. In the banks’ view, the prohibition is also bad policy, as it removes incentives for third parties to limit data calls to what is strictly necessary and allows data aggregators to charge fees for access that banks provide free of cost.

Fintechs, data aggregators, blockchain companies, merchants and their trade associations support the existing prohibition on fees. They argue that consumers have a statutory right to access their data and that, as a statutory matter, data providers cannot condition this right on the payment of fees. They also argue that permitting fees could, as data aggregator MX put it, provide banks with a “gatekeeping mechanism” that could impede data access and create a “cascading negative impact on established technology companies and the burgeoning cryptocurrency sector, both of which rely on seamless, low-cost bank account links to function.”

Consumer advocates and nonprofits were divided on the issue of fees. Consumer Reports urged the CFPB to maintain the prohibition on data access fees. The Center for Responsible Lending, by contrast, advocated “for a fair and balanced cost division between data providers and data aggregators.” Finally, FinRegLab took a middle tack, suggesting that the issue bears more empirical study, but “recommend[ed] that the Bureau not hold up the broader rulemaking while this work is ongoing, given the urgency of providing stability to the market and strengthening incentives for industry to resume more rapid API adoption.”

3. Does the PFDR Rule adequately address data security concerns?

Banks and their trade associations emphasized the critical importance of robust data security, warning that the proliferation of third-party access increases the risk of data breaches, fraud and cyberattacks. They argued that data providers must retain the ability to conduct risk management, deny access to risky third parties, and require strong due diligence on aggregators and recipients. Many called for the CFPB to coordinate with the prudential regulators and the Federal Trade Commission, and to require that all participants — including fintechs and aggregators — be subject to the same security standards as banks. For example, BPI argued that “all third parties should be required to maintain an information security program that satisfies the standards set forth in the Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook on Information Security.” Banks also urged the CFPB to ban or strictly limit screen scraping, arguing that it is inherently insecure and should be phased out in favor of secure APIs.

Fintechs, data aggregators, blockchain companies and their trade associations agreed on the importance of robust, risk-based data security but cautioned against using security concerns as a pretext to impede access to consumer data. They generally supported the PFDR Rule’s incorporation of rules implementing the Gramm-Leach-Bliley Act’s (GLBA’s) data security provisions, supplemented with other recognized frameworks as appropriate. They also supported third-party certification of adequate data security to, as the Financial Data and Technology Association put it, “provide accountability and limit the burden on financial institutions to undertake third party risk management reviews for each requesting third party accessor of data.” Fintechs generally support eliminating screen scraping, but caution that it should be available when secured API access is unavailable.

Consumer advocates and nonprofits also support strong data security in the ecosystem and urged the CFPB to continue engaging with both fellow regulators and private industry to provide appropriate guidance. They also noted comparable regimes in which data security measures are certified by third parties, such as the PCI Data Security Standards applicable to payment data.

4. Does the PFDR Rule adequately address privacy concerns?

Banks and their trade associations were generally supportive of the existing PFDR Rule’s requirements related to the collection, use and retention of data, though they urged the CFPB to further tighten those rules in certain respects. For example, the Consumer Bankers Association urged the CFPB to require greater specificity in third parties’ disclosures about their data use and a frictionless right to revoke access. It also suggested that data aggregators should be prohibited from retaining copies of consumer data or monetizing it without consumer knowledge and consent.

Fintechs, data aggregators, blockchain companies and their trade associations urged the CFPB to loosen the secondary-use limitations imposed by the existing PFDR Rule. Like many fintechs, data aggregator Plaid voiced support for strong disclosure obligations and revocation rights, but stated that the PFDR Rule’s data use restrictions exceeded the CFPB’s authority and were unnecessary given the existence of other applicable privacy laws, including the GLBA and state privacy laws. Mastercard voiced similar concerns and urged the CFPB to rely on existing privacy regimes or, at a minimum, permit the use of de-identified data, the use of data for model validation and testing, and the right of consumers to opt in to additional uses.

Consumer advocates and nonprofits were generally supportive of the existing data privacy protections but urged the CFPB to permit the use of data for product development and of anonymized data for research purposes.

Other Issues Commenters Raised

Commenters raised a few other issues worth noting:

  • A handful of commenters, including Apple Payments Services and several trade associations, urged the CFPB to exempt “pass through digital wallet providers” from coverage under the PFDR Rule on the ground that such providers possess only a limited picture of consumer data, and that information should be obtained from the ultimate account-holding institution (i.e., bank), which is the “source of truth” for such information. Fintechs generally advocated expanding the PFDR Rule framework to other covered persons, such as mortgage companies and auto lenders. And while the Independent Community Bankers of America advocated for a significantly expanded exemption for all banks with less than $10 billion in assets, the American Bankers Association advocated for eliminating the existing exemption for banks with less than $850 million in assets.
  • Market participants disagreed on the utility of tokenized account numbers. Banks, such as JPMorgan Chase, supported the existing right to provide tokenized account and routing numbers in response to a request. In contrast, fintechs such as Stripe argued that tokenized account numbers degrade the reliability of ACH payments and are actually correlated with higher rates of fraudulent or unauthorized transactions.
  • There appeared to be broad support for the industry standards promulgated by the Financial Data Exchange regarding data format, but banks urged the CFPB to limit the remaining provisions related to industry standard-setting organizations.

What to Expect Next

On the morning of Wednesday, Oct. 29, 2025, approximately one week after the comment period closed, the district court overseeing the challenge to the PFDR Rule granted the plaintiffs’ motion to stay the compliance dates pending the CFPB’s reconsideration of the Rule.

While this ruling provides large data providers and other market participants breathing room — the existing compliance date for the largest data providers was fast approaching and is now put off indefinitely — it could potentially impact the CFPB’s rulemaking discretion. The district court held that the plaintiffs were likely to succeed on their arguments that the PFDR Rule misinterpreted the term “consumer,” their argument that the CFPB acted arbitrarily and capriciously by failing to consider the cumulative impact of the Rule on consumers’ data security, and their argument that the compliance deadlines were arbitrary and capricious for failing to make them contingent on the development of relevant industry standards. Although the district court described the arguments for and against the prohibition on fees, it did not actually issue a ruling on the issue.

Assuming no further developments in the litigation, which the court stayed again, the CFPB could still decide to maintain the existing interpretation of “consumer” in any revised rule, and could defend that interpretation in court. The district court is not bound by its recent ruling and could subsequently decide, on a motion for summary judgment, to reach a different conclusion. The CFPB could also attempt to address the other deficiencies in the original Rule identified by the district court’s order.

Another possibility is that the Financial Technology Association, which was permitted to intervene, could appeal the court’s preliminary injunction to the Sixth Circuit. The Sixth Circuit could affirm the district court’s injunction — with or without resolving the question regarding the proper interpretation of “consumer” — or reverse the injunction (in theory, it could do so without reaching the “consumer” issue, but that is unlikely). Any such appeal would have to be filed within 60 days.

Finally, it is always possible for Congress to intervene and resolve the dispute over the proper interpretation of Section 1033 in a manner that binds both courts and the CFPB.

In short, the ultimate resolution of these important policy disputes is uncertain, but the one confident prediction we can make is that it will likely take years to resolve.