The Consumer Bankers Association (CBA) has urged the Consumer Financial Protection Bureau (CFPB) to overhaul the Biden-era Personal Financial Data Rights (PFDR) Rule, warning that it overstepped its statutory bounds, introduced security risks, and failed to reflect market realities. In a detailed comment letter sent Tuesday to Acting CFPB Director Russell Vought, the CBA called on the agency to “restore balance” to Section 1033 of the Dodd-Frank Act by crafting a rule that protects consumer data while preserving free-market innovation
The Biden-era rule gives consumers the right to access and share their financial data. Banks and other data providers criticized the rule as overbroad and technologically impractical. The Trump Administration’s CFPB reopened the rulemaking this year, seeking public input on whether to revise or suspend the regulation.
In a press release, CBA said the reconsideration “is an opportunity to restore balance by establishing a framework that is grounded in law, safeguards consumer data, and allows the free market to continue driving progress.” The group warned that the previous rule “introduced uncertainty and potential security risks to a system that has long worked effectively for consumers and innovators alike”
The letter urged the CFPB to clarify that third-party data aggregators and fintechs are not “representatives acting on behalf of a consumer” under Section 1033. Those firms, it argued, operate under commercial, not fiduciary, relationships with consumers and often monetize personal data for their own benefit. A “representative,” CBA wrote, should bear fiduciary-like duties of loyalty and care, consistent with the Dodd-Frank Act’s plain meaning and statutory structure
The CBA also sharply criticized the rule’s ban on fees for third-party data access, calling it “unsupported by statute” and harmful to competition. The association said the prohibition would force banks to provide costly API infrastructure for free, while aggregators could continue to charge downstream clients.
CBA urged the Bureau to limit secondary uses of consumer data and require explicit, revocable consent for data access. Fintechs and aggregators, it said, should be required to assume liability for data misuse or breaches and demonstrate adequate capitalization or insurance coverage. These obligations, the group argued, would ensure that “the party responsible for loss is responsible for redress”
The filing is part of a broader campaign by the CBA against the Biden-era rule. CBA President and CEO Lindsey Johnson previously testified before Congress that the original rule “stretched the definition of ‘consumer’ past its breaking point” and failed to incorporate industry input. The trade group has also clashed with fintech associations that support the rule, accusing them of “double standards” for promoting open banking while resisting equivalent regulatory oversight
The CFPB’s reconsideration of the PFDR rule marks one of the first major regulatory reversals under the new administration. The Bureau’s next steps—particularly whether it delays compliance and redefines who qualifies as a “consumer representative”—could reshape the open banking landscape.
CBA’s position underscores a growing divide between banks and fintechs over control of consumer financial data. While both claim to champion consumer empowerment, their visions differ sharply: banks emphasize fiduciary duty and data security, while fintechs argue for frictionless innovation. The CFPB’s response will determine which of these priorities defines the next phase of U.S. open banking policy.
