The CFPB Reconsiders Personal Financial Data Rights: Critical Implications for Financial Services?
The Consumer Financial Protection Bureau issued an Advance Notice of Proposed Rulemaking (ANPR) on Personal Financial Data Rights Reconsideration, signaling a comprehensive reexamination of the Section 1033 framework. Published on August 22, 2025 in the Federal Register, this ANPR reopens fundamental questions about consumer data access rights, cost allocation, and security standards that financial institutions and technology providers believed were settled by the November 2024 Final Rule, known as the Personal Financial Data Rights Financial Regulation (PFDR) Rule.
The Bureau's statement that it seeks to align the rule “with the policy preferences of new leadership and address[] the defects in the PFDR Rule” indicates substantial revisions are forthcoming. With comments due October 21, 2025, stakeholders have a limited window to influence a regulatory framework that will govern consumer financial data sharing for years to come.
The Significance of This Reconsideration
Following a successful legal challenge to the PFDR Rule by banking trade associations and a subsequent court stay of the Rule, the Bureau has chosen to reconsider rather than defend its original approach. This decision affects over 100 million consumers who currently use third-party financial applications dependent on data access rights. The regulatory uncertainty created by this reconsideration impacts implementation timelines, technology investments, and fundamental business models across the financial services ecosystem.
The ANPR specifically requests input on four critical areas: 1) the definition of authorized representatives; 2) cost recovery mechanisms; 3) information security standards; and 4) privacy protections. Each area presents distinct challenges and opportunities for different market participants.
Redefining “Representative” Access Rights
In defining the scope of who may make a request for a consumer’s information, the Final Rule interpreted the term “representative” broadly, permitting consumers to authorize virtually any third party to access their financial data, provided the entity certified compliance with specified security and use restrictions. This interpretation enabled a diverse ecosystem of financial technology providers, data aggregators, and personal financial management tools.
The ANPR questions whether this expansive interpretation aligns with statutory intent. Specifically, the Bureau asks whether “representatives” should be limited to entities with fiduciary duties to consumers, such as attorneys-in-fact operating under power of attorney, court-appointed guardians, or trustees. The statutory reference to “agent, trustee, or representative” in Section 1033 may suggest that all three categories share common fiduciary characteristics.
This potential narrowing could fundamentally alter market dynamics. Financial institutions might face fewer third-party access requests, reducing operational complexity and security exposure. However, technology providers operating under commercial terms of service rather than fiduciary relationships could find themselves excluded from the regulatory framework entirely, regardless of their security capabilities or consumer benefits.
Cost Recovery and Fee Structures
The Final Rule prohibited covered institutions from charging any fees for data access, treating consumer data rights as absolute. The ANPR acknowledges the substantial costs of developing and maintaining secure data-sharing infrastructure and asks whether institutions should be permitted to recover “a reasonable rate for offsetting the costs of enabling consumers to exercise their rights under section 1033.”
This reconsideration raises complex questions about cost allocation. Should fees be charged to consumers exercising their rights, to third parties accessing data, or distributed across all customers through general pricing? The Bureau seeks data on both fixed costs (infrastructure development) and marginal costs (per-request processing) to inform its analysis.
Financial institutions should prepare detailed cost documentation to support their positions. Technology providers must consider how potential access fees would affect their business models and whether such costs would ultimately be passed to consumers. Any fee framework must balance cost recovery against the risk of creating barriers to legitimate data access.
Enhanced Security Requirements
While the Final Rule required adherence to standards under the Gramm-Leach-Bliley Act (GLBA) and prohibited screen scraping, the ANPR suggests these baseline protections may be insufficient. Citing major breaches at Equifax, Yahoo, Marriott, LinkedIn, Facebook and government agencies, the Bureau is considering prescriptive technical standards including specific encryption protocols, authentication requirements, and audit obligations.
Significantly, the ANPR contemplates extending direct regulatory oversight to third parties that currently operate under contractual relationships with financial institutions. This would transform many technology providers from contract counterparties into regulated entities subject to CFPB examination and enforcement. Financial institutions accustomed to federal oversight may find the adjustment manageable, but technology companies would face new compliance obligations, examination procedures, and potential enforcement exposure.
Privacy and Sensitive Data Considerations
Transaction data can reveal intimate personal details about health conditions, political affiliations, and lifestyle choices. The ANPR expresses concern about “unwitting licensing or sale of sensitive personal financial information” and questions whether current consent mechanisms adequately protect consumers who rarely read detailed terms of service.
The Bureau is considering whether certain categories of sensitive data containing details about a consumer’s lifestyle and habits should be subject to enhanced protections or categorical restrictions. For example, the Bureau points out that such data could reveal whether a consumer has certain medical conditions, struggles with substance abuse, or is financially vulnerable. This data could also potentially include transactions revealing political contributions or religious practices. Such restrictions would require sophisticated data classification systems and could complicate the uniform treatment of transaction data.
The possibility of category-specific restrictions suggests the need for more granular data governance frameworks. Financial institutions and technology providers should evaluate their current data handling practices against potentially heightened privacy standards. They may also consider submitting comments to the Bureau, informing it of the real-life costs and technological limitations that must be taken into account.
Strategic Considerations for Market Participants
This ANPR represents more than a technical adjustment to implementation details. The Bureau's willingness to reconsider fundamental aspects of the Final Rule creates both opportunity and risk for market participants.
Financial institutions may welcome narrower representative definitions and cost recovery mechanisms but must balance these benefits against reputational risks and consumer expectations. Technology providers face potentially existential challenges if representative definitions narrow or compliance costs increase substantially. All parties must consider how different regulatory outcomes would affect their competitive positioning and strategic partnerships.
The comment period provides a critical opportunity to shape the regulatory framework with data and analysis rather than mere advocacy. Effective comments will include specific cost data, security incident analysis, consumer usage patterns, and documented market impacts of different regulatory approaches.
Next Steps and a Call to Action
The CFPB's reconsideration of personal financial data rights marks a pivotal moment in the evolution of open banking regulation. The Bureau's openness to fundamental changes in representative definitions, cost structures, and compliance obligations suggests that the Final Rule's framework will not survive intact.
Market participants should engage actively in the comment process while maintaining implementation momentum for core capabilities that will likely remain regardless of specific regulatory outcomes. The 60-day comment period ending October 21, 2025, represents the best opportunity to influence a regulatory framework that will shape competitive dynamics and consumer access to financial services innovation for the foreseeable future.
Our team is experienced not only in helping our clients stay ahead of regulatory changes, but also in shaping the regulatory landscape itself. We have submitted numerous comment letters to regulatory agencies on behalf of our clients and are prepared to ensure your thoughts on this rulemaking are heard.
To discuss how the ANPR could affect your business or for assistance in submitting a comment letter to the Bureau, please contact jlevonick@garrishorn.com.