Recommending revisions to the CFPB’s Section 1033 rule

October 22, 2025

Credit unions support consumer choice and secure data exchange but oppose the CFPB’s current personal financial data rights (PFDR) rule due to its burdensome, inequitable, and risky implementation. America’s Credit Unions addressed this concern and more when responding Tuesday to the bureau’s advance notice of proposed rulemaking seeking feedback on revisions to its PFDR rule, associated with Section 1033 of the Dodd-Frank Act. It outlines key concerns, detailing the excessive burdens, unfair risk allocation, market distortion, and risk management issues present in the rule as finalized in 2024.

Revision recommendations for the bureau as it reworks the rule include:

  • Allowance of reasonable fees for third-party data access;
  • Removal of overly granular application programming interface specifications;
  • Limited categories of covered data;
  • Establishment of a clear allocation of liability to third parties who mishandle covered data or abuse their consumers’ trust;
  • Liability protection for data providers relying on third-party security representations;
  • Establishment of centralized accreditation and whitelisting by the CFPB;
  • Accommodation for supervised financial institutions who offer legitimate secondary usage of covered data; and
  • Extended implementation deadlines, specifically for smaller credit unions.

“America’s Credit Unions is grateful for the CFPB’s willingness to revise the PFDR Rule and solicit public comment through the ANPR,” wrote America’s Credit Unions Director of Innovation and Technology Andrew Morris. “We are encouraged by the CFPB’s attention to rectifying flawed assumptions in the PFDR Rule which have contributed to an untenable expansion of section 1033.

“Safe and interoperable data exchange standards can help credit unions improve consumer experiences, but to achieve this outcome the CFPB must reexamine its prohibition on fees, the allocation of risk management responsibilities placed on data providers, and the guardrails needed to ensure strong data security and privacy protections for consumers,” Morris concluded.

The ANPR, issued in August, marks the start of an “accelerated rulemaking process.”  

Read the full letter