WASHINGTON--The CFPB has published an advance notice of proposed rulemaking (ANPR) to revise its personal financial data rights (PFDR) rule, associated with Section 1033 of the Dodd-Frank Act, America's Credit Unions reported.
This ANPR was expected, as announced by the Bureau in July, and marks the start of an “accelerated rulemaking process,” ACU noted.
The rule, as finalized in 2024, would require financial institutions with more than $850 million in assets to provide access to certain consumer data upon receiving a request from an authorized third party. It presents numerous compliance and privacy concerns that America’s Credit Unions has raised with policymakers, including the administration in a letter sent last month. In addition, the current rule is facing a legal challenge in Kentucky and the case is pending.
Under the Trump Administration, the CFPB argued that the rule is “unlawful and should be set aside,” in a May 2025 court filing.
Through the ANPR, the Bureau is soliciting stakeholder feedback as it works on finalizing revisions to the rule. Topics of interest to the Bureau include:
- Who should be allowed to act on a consumer’s behalf when requesting their financial data, and the statutory interpretation of the term “representative” in the Dodd-Frank Act?
- How should fees be handled when providers charge for the costs of responding to these requests?
- What is the threat and cost-benefit of securing consumer financial data both in storage and in transit by consumers, including any information security developments that might justify modifying the PFDR rule’s provisions?
- What are the risks for consumer privacy under these rules?
- Are the PFDR rule's compliance timelines appropriate? Do they vary based on the size or complexity of a covered entity?