CFPB Reconsiders Section 1033 Rule Signaling Potential Overhaul of Personal Financial Data Rights Framework

On August 22, 2025, the Consumer Financial Protection Bureau (CFPB) published an advance notice of proposed rulemaking (ANPR) seeking public comment on four substantive aspects of its Section 1033 rulemaking under the Dodd-Frank Act. The CFPB seeks input on:

1. The definition of a third-party “representative” permitted to access data on a consumer’s behalf.
2. Whether a data provider should be permitted to impose fees for access to consumer data and, if so, the optimal approach for doing so.
3. Whether current data security standards are adequate given the cost-benefit trade-offs.
4. Whether the Gramm-Leach-Bliley Act (GLBA) and other privacy protections are adequate.

This move follows the CFPB’s June request to vacate the existing Personal Financial Data Rights (PFDR) final rule, citing legal deficiencies and a desire to align with new leadership’s policy preferences. In July, the CFPB announced that it would initiate a new rulemaking to reconsider the rule implementing Section 1033.

The ANPR invites feedback on four core substantive issues:

1. Definition of a “representative” authorized to access consumer data. The PFDR embraced a broad interpretation of “representative acting on behalf of an individual,” enabling fintechs and other third parties to access consumer data with informed consent. The CFPB is now exploring whether the statutory language implies that only fiduciary relationships qualify, such as trustee relationships, and whether this interpretation would materially restrict consumer choice and innovation in financial services.
2. Fees for data access. While the PFDR barred data providers from imposing fees, the ANPR reopens the debate, asking whether cost recovery should be allowed and whether caps or shared cost models are appropriate. The CFPB is seeking data on both fixed and marginal costs of compliance, and whether permitting fees would obstruct the data access right Congress contemplated. It also raises the possibility of allowing covered persons to recover costs at a “reasonable rate.” This is notable in light of several banks’ announcements indicating plans to assess fees for access to consumer financial data.
3. Security risks and cost-benefit trade-offs. The PFDR discouraged screen scraping and required GLBA compliance. The ANPR probes whether these measures are sufficient, especially in light of recent data breaches, and whether stronger safeguards or new standards are needed.
4. Privacy risks associated with third-party data sharing. The ANPR asks whether the PFDR provides adequate consumer privacy protections, especially against risks from inadvertent licensing or sale of sensitive personal information. The CFPB highlights the low rate of consumer engagement with privacy policies – especially when consent is embedded in standard user agreements. The CFPB seeks comments on whether the PFDR’s informed consent and disclosure requirements are sufficient to mitigate these privacy risks.

These areas suggest a significant shift from the PFDR finalized in 2024, which broadly defined “representative” to include third parties authorized via consumer consent, prohibited fees for data access and relied heavily on existing GLBA standards for security and privacy.

What is not addressed in the ANPR?

The ANPR does not invite comment on key aspects of open banking for the PFDR, including who is a data provider, what data must be provided, data use and sharing limitations, allocation of liability for unauthorized use of data, for example, and the existence of “standard setting” bodies to assess compliance with the rule.

What’s next?

In light of the new rulemaking, a Kentucky court denied all parties’ summary judgment motions without prejudice, and agreed on July 29 to stay litigation pending the new rulemaking. The PFDR set compliance dates from April 1, 2026, to April 1, 2030, based on entity size. These dates have now been stayed by 90 days pursuant to a court order, and the CFPB is considering further extensions. The ANPR seeks input on whether the original timeline remains feasible, especially if substantial revisions are made.

Comments are due by October 21, 2025. The CFPB is expected to issue a notice of proposed rulemaking following the comment period.

The CFPB’s decision to reopen the Section 1033 rulemaking reflects a broader trend of the CFPB reassessing its regulatory initiatives in response to legal challenges and market feedback. Make no mistake, however, that open banking continues to remain a focus, as stakeholders reconsider how potential revisions to the rule may impact data access, compliance costs and competitive dynamics. The rule’s reopening could significantly reshape the open banking framework originally envisioned by the PFDR. It provides opportunities for banks, fintechs and data aggregators to reengage with the CFPB on key issues, such as the scope of third-party access and introducing cost barriers that could shift the balance between traditional financial institutions and fintech innovators.

This content is provided for general informational purposes only, and your access or use of the content does not create an attorney-client relationship between you or your organization and Cooley LLP, Cooley (UK) LLP, or any other affiliated practice or entity (collectively referred to as "Cooley"). By accessing this content, you agree that the information provided does not constitute legal or other professional advice. This content is not a substitute for obtaining legal advice from a qualified attorney licensed in your jurisdiction, and you should not act or refrain from acting based on this content. This content may be changed without notice. It is not guaranteed to be complete, correct or up to date, and it may not reflect the most current legal developments. Prior results do not guarantee a similar outcome. Do not send any confidential information to Cooley, as we do not have any duty to keep any information you provide to us confidential. When advising companies, our attorney-client relationship is with the company, not with any individual. This content may have been generated with the assistance of artificial intelligence (Al) in accordance with our Al Principles, may be considered Attorney Advertising and is subject to our legal notices.