The American Bankers Association today shared a long list of recommendations for re-proposing the Consumer Financial Protection Bureau’s personal financial data rule, saying the rule finalized in 2024 is so broken that it “simply cannot stand.”
Section 1033 of the Dodd-Frank Act requires financial institutions to make a consumer’s financial information available in electronic form. The CFPB issued a final rule last year to implement the law, but it was challenged in federal court. The bureau requested a stay in the lawsuit to give it time to issue new rulemaking, which the court granted.
In a letter to the CFPB, ABA said the 2024 rule was overbroad, built on a dubious legal foundation, and favored financial technology firms and data aggregators over banks and consumers. The association urged the bureau to re-propose the rule and postpone all compliance dates with the current rule until a new rule is finalized.
Among ABA’s recommendations:
- The CFPB must limit itself to its narrow statutorily-prescribed duties and allow the market to continue solving for other aspects of data sharing.
- The CFPB must consult transparently and coordinate with the federal banking agencies and the Federal Trade Commission as required on safeguarding data shared pursuant to the re-proposed rule to ensure all attendant issues are addressed.
- Sunset screen scraping and specifically designated as an Unfair, Deceptive, or Abusive Act or Practice (UDAAP) violation. To ensure compliance with the prohibition, data providers must be able to block screen scraping without fear of reprisal.
- The re-proposed rule must allow for a free and fair market by being silent on the question of fees—as is the 1033 statute.
- If the re-proposed rule includes provisions on data sharing throughout the ecosystem, it should include a clear liability framework requiring a responsible party to notify others of potential data breaches or unauthorized activities, with a methodology for restitution.
