CFPB Reconsiders Section 1033 Rule Signaling Potential Overhaul Of Personal Financial Data Rights Framework

On August 22, 2025, the Consumer Financial Protection Bureau (CFPB) published an advance notice of proposed rulemaking (ANPR) seeking public comment on four substantive aspects of its Section 1033 rulemaking under the Dodd-Frank Act. The CFPB seeks input on:

1. The definition of a third-party “representative” permitted to access data on a consumer’s behalf.
2. Whether a data provider should be permitted to impose fees for access to consumer data and, if so, the optimal approach for doing so.
3. Whether current data security standards are adequate given the cost-benefit trade-offs.
4. Whether the Gramm-Leach-Bliley Act (GLBA) and other privacy protections are adequate.

This move follows the CFPB’s June request to vacate the existing Personal Financial Data Rights (PFDR) final rule, citing legal deficiencies and a desire to align with new leadership’s policy preferences. In July, the CFPB announced that it would initiate a new rulemaking to reconsider the rule implementing Section 1033.

The ANPR invites feedback on four core substantive issues:

1. Definition of a “representative” authorized to access consumer data. The PFDR embraced a broad interpretation of “representative acting on behalf of an individual,” enabling fintechs and other third parties to access consumer data with informed consent. The CFPB is now exploring whether the statutory language implies that only fiduciary relationships qualify, such as trustee relationships, and whether this interpretation would materially restrict consumer choice and innovation in financial services.
2. Fees for data access. While the PFDR barred data providers from imposing fees, the ANPR reopens the debate, asking whether cost recovery should be allowed and whether caps or shared cost models are appropriate. The CFPB is seeking data on both fixed and marginal costs of compliance, and whether permitting fees would obstruct the data access right Congress contemplated. It also raises the possibility of allowing covered persons to recover costs at a “reasonable rate.” This is notable in light of several banks’ announcements indicating plans to assess fees for access to consumer financial data.
3. Security risks and cost-benefit trade-offs. The PFDR discouraged screen scraping and required GLBA compliance. The ANPR probes whether these measures are sufficient, especially in light of recent data breaches, and whether stronger safeguards or new standards are needed.
4. Privacy risks associated with third-party data sharing. The ANPR asks whether the PFDR provides adequate consumer privacy protections, especially against risks from inadvertent licensing or sale of sensitive personal information. The CFPB highlights the low rate of consumer engagement with privacy policies – especially when consent is embedded in standard user agreements. The CFPB seeks comments on whether the PFDR’s informed consent and disclosure requirements are sufficient to mitigate these privacy risks.

These areas suggest a significant shift from the PFDR finalized in 2024, which broadly defined “representative” to include third parties authorized via consumer consent, prohibited fees for data access and relied heavily on existing GLBA standards for security and privacy.

What is not addressed in the ANPR?

The ANPR does not invite comment on key aspects of open banking for the PFDR, including who is a data provider, what data must be provided, data use and sharing limitations, allocation of liability for unauthorized use of data, for example, and the existence of “standard setting” bodies to assess compliance with the rule.

What’s next?

In light of the new rulemaking, a Kentucky court denied all parties’ summary judgment motions without prejudice, and agreed on July 29 to stay litigation pending the new rulemaking. The PFDR set compliance dates from April 1, 2026, to April 1, 2030, based on entity size. These dates have now been stayed by 90 days pursuant to a court order, and the CFPB is considering further extensions. The ANPR seeks input on whether the original timeline remains feasible, especially if substantial revisions are made.

Comments are due by October 21, 2025. The CFPB is expected to issue a notice of proposed rulemaking following the comment period.

The CFPB’s decision to reopen the Section 1033 rulemaking reflects a broader trend of the CFPB reassessing its regulatory initiatives in response to legal challenges and market feedback. Make no mistake, however, that open banking continues to remain a focus, as stakeholders reconsider how potential revisions to the rule may impact data access, compliance costs and competitive dynamics. The rule’s reopening could significantly reshape the open banking framework originally envisioned by the PFDR. It provides opportunities for banks, fintechs and data aggregators to reengage with the CFPB on key issues, such as the scope of third-party access and introducing cost barriers that could shift the balance between traditional financial institutions and fintech innovators.