CBA Statement on CFPB’s Section 1033 Final Rule on Personal Financial Data Rights

CBA’s Johnson: “This final rule severely misses the mark”
WASHINGTON, DC – Consumer Bankers Association (CBA) President and CEO Lindsey Johnson today released the following statement after the Consumer Financial Protection Bureau (CFPB) issued a final rule implementing Section 1033 of the Dodd-Frank Act, which requires data providers, including banks, to create and maintain developer interfaces that enable third parties authorized by consumers to access consumer data held by those data providers:
“CBA fully supports consumers having access to their own personal financial information, as required under Section 1033 of the Dodd-Frank Act. The CFPB, though, has contorted this very clear and limited statute into enabling thousands of third parties to access consumers’ data. In doing so, the CFPB far exceeds its statutory authority. We have long argued that the CFPB does not have the statutory authority to use this rulemaking to prescribe an open banking regime.
“Moreover, CBA continues to strongly object to the CFPB’s inaccurate assertions that this rulemaking is needed to increase competition in the marketplace. Indeed, the consumer credit card and deposit account markets specifically are highly competitive and the CFPB should not rely on mischaracterizations of the marketplace to justify the necessity of this rulemaking.
“Many CBA members support an open-banking framework. Nevertheless, even if the Bureau has the statutory authority to utilize this rulemaking to introduce an open banking framework, this final rule severely misses the mark as it failed to incorporate much of the critical feedback provided by industry through the comment period. This has created an even less durable final rule that does not reflect market, technological, and practical realities.”
Background
Under Section 1033 of the Dodd-Frank Act, covered persons are required to “make available to a consumer, upon request, information in the control or possession of the covered person… including information relating to any transaction, series of transactions, or to the account including costs, charges and usage data.” Such information is to “be made available in an electronic form usable by consumers.”
On Oct. 19, 2023, the CFPB released its notice of proposed rulemaking (NPRM) to implement Section 1033 of the Dodd-Frank Act. The NPRM built off of the Small Business Regulatory Enforcement Fairness Act (SBREFA) outline on consumers’ personal financial data rights that the CFPB released in October 2022.
The comment period for the NPRM closed on Dec. 29, 2023. On June 11, 2024, the CFPB finalized part of the rule regarding the minimum attributes a standard-setting body must possess to receive CFPB recognition and to issue consensus standards when the full rule is finalized.
CBA Advocacy
- To read our most recent blog post on what to expect in the Section 1033 final rule, click HERE.
- CBA, along with other industry trades, submitted a letter to the CFPB reemphasizing anticipated complications with the compliance dates in the NPRM on July 16, 2024.
- CBA has frequently commented on the NPRM in the press. CBA was extensively quoted in an American Banker article published on Aug. 23, 2024 regarding the NPRM’s failure to sufficiently outline liaiblity. CBA has previously published an op-ed urging the CFPB to revise the rulemaking on May 3, 2024.
- CBA submitted comments on the NPRM on Dec. 29, 2023.
- In October 2023, CBA – along with 14 other trade associations – submitted a letter to the CFPB urging the agency to extend the comment deadline for the NPRM in light of the complexity of the issues. The CFPB failed to grant an extension.