WASHINGTON– The Consumer Financial Protection Bureau has received 13,979 public comments, including from credit unions, on its plan to revise rules governing data sharing under Section 1033 of the Dodd-Frank Act.
“The flood of feedback, a flurry of which came in toward and on the Oct. 21 deadline, underscores how central open banking has become to both innovation and competition in financial services,” noted PYMNTS in its analysis of the comments. “It also highlights basic disagreements about who should control access to consumer financial data and what rules should govern its use.”
As the CU Daily has reported, the 2024 rule, which was revised by the Trump administration, would require financial institutions to give consumers and their authorized third parties access to their financial data through standardized, secure interfaces.
While the goal is to allow consumers to share account information more easily and use third-party services for payments, lending, and budgeting, the comment letters make clear that many do not agree.
What Commenters Said
According to the review by PYMNTS, some of the comments include:
• Suncoast Credit Union in Florida supported the idea of open banking but called for tighter controls. The credit union wrote that it “supports the ongoing efforts of the CFPB to foster collaboration in building a secure environment for safeguarding personal financial data.” It warned, however, that without uniform technical and security requirements, consumers could face new vulnerabilities, PYMNTS reported.
Suncoast recommended that the Bureau mandate use of secure communication standards such as FAPI 2.0 and Mutual Transport Layer Security, supported by independent audits like SOC 2 Type II or ISO 27001, and proposed that covered institutions be allowed to recover marginal costs of compliance, estimating that “the marginal cost for covered financial institutions to respond to individual consumer data access requests … falls within a reasonable range of $0.05 to $0.25 per request.”
• Apple Payments Services told the Bureau that the rule must not sweep in providers that do not actually maintain consumer accounts. The company wrote that “the Bureau should take care that rules under Section 1033 do not impose obligations on technology providers like Apple that do not maintain consumer financial accounts.”
Apple urged the CFPB to define “data providers” as account issuers such as banks and card networks, not digital wallets that act as secure conduits. It asked that any permitted fees be limited to cost recovery and that “use-case” surcharges tied to how data are used be banned.
• Axos Bank warned that broad data-sharing mandates expose institutions to higher risk. The bank wrote that “mandated data sharing means we have to open up more connection to outside parties, which makes us more vulnerable to fraud.” It argued that access should be restricted to entities with fiduciary responsibilities to ensure that consumers’ financial information is not misused, PYMNTS reported.
• Axos also stressed that community and regional banks would struggle to meet new response timelines and technology requirements without cost recovery.
• The American Fintech Council, representing fintechs (as the name implies), argued that access to consumer data must remain free, according to PYMNTS. The group wrote that Section 1033 “constitutes an absolute demand upon the covered entity to provide the data to the consumer, free from impingement,” the report stated.
• Plaid, one of the largest data aggregators, noted PYMNTS, called on the Bureau to mandate standardized application programming interfaces to replace outdated credential-sharing. The company said the CFPB should “codify APIs as the mandated access method to eliminate credential sharing” and align U.S. standards with international protocols such as OAuth 2.0, FAPI, and ISO 20022.
