The Bank Policy Institute (BPI) has expressed support for the Consumer Financial Protection Bureau’s (CFPB) recent move to reconsider its Personal Financial Data Rights Rule, which falls under Section 1033 of the Dodd-Frank Act. The CFPB’s decision follows criticism that the current rule poses risks to consumer data security and disrupts established data-sharing systems between banks and fintech companies.
BPI’s submission to the CFPB highlights what it describes as fundamental issues with the existing rule and claims that the Bureau, under the Biden Administration, exceeded its legal authority. According to BPI, even current CFPB leadership has acknowledged these concerns.
“Individual consumers should have secure and easy access to their financial data, and decades of investments from banks and fintechs have delivered exactly that. The evidence is on every phone and personal device across America. The Biden Administration didn’t deliver open banking; it disrupted it by introducing regulatory uncertainty and security risks to a system that already works. The CFPB should right this wrong and deliver a free-market solution that follows the law and places consumers’ financial data security first,” said Paige Pidano Paridon, Executive Vice President & Co-Head of Regulatory Affairs at BPI.
Section 1033 of the Dodd-Frank Act was enacted by Congress to ensure consumers could access their financial data easily. While technology has evolved in the years since the law’s passage, BPI maintains that the law’s original intent remains unchanged. The organization supports the CFPB’s choice to revisit and potentially narrow the rule so that it aligns with congressional intent. BPI’s letter urges the CFPB to protect secure consumer data access and remain within its statutory authority.
In October 2024, BPI, along with the Kentucky Bankers Association and Forcht Bank, filed a lawsuit challenging the Section 1033 rule. The lawsuit argued that the CFPB had exceeded its legal mandate and that the rule endangered consumer privacy and security. Specific concerns included mandatory sharing of sensitive data with third-party fintech firms without proper oversight, increased risks of fraud, and inadequate safeguards against data breaches.
On May 23, 2025, the CFPB stated in a court status report that it considered the Section 1033 rule unlawful. A week later, it requested that the court vacate the rule. While the court did not immediately rule on this request, it did grant a stay in the litigation as the CFPB began a new rulemaking process. The Bureau issued its latest advance notice of proposed rulemaking on August 21, 2025.
The Bank Policy Institute represents a range of banks operating in the United States and focuses on policy research, regulatory analysis, and advocacy related to cybersecurity and information security issues in the financial sector.