October 21, 2025
Sent via: Regulations.gov
Consumer Financial Protection Bureau
1700 G Street NW
Washington, DC 20552
RE: Docket No. CFPB-2025-0037; RIN 3170-AB39 Consumer Financial Protection Bureau, Advance Notice of Proposed Rulemaking on Reconsideration of Personal Financial Data Rights Rule
The Securities Industry and Financial Markets Association (“SIFMA”) appreciates the opportunity to submit this comment letter on the above-referenced advance notice of proposed rulemaking (“ANPR”) issued by the Consumer Financial Protection Bureau (“CFPB”).
The ANPR invites comment and information to assist the CFPB in its consideration of four issues related to Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (the “CFPA”) and its implementing rulemaking (the “Rule”). In relevant part, Section 1033 establishes, subject to rules to be prescribed by the CFPB, a consumer’s right to access information in the control or possession of a “covered person,” “including information relating to any transaction, series of transactions, or to the account including costs, charges and usage data,” and further provides that this information “shall be made available in an electronic form usable by consumers.”
The ANPR specifically seeks comment on the proper understanding of who can serve as a “representative” making a request on behalf of a consumer; the optimal approach to the assessment of fees to defray the costs incurred by a “covered person” in responding to a customer-driven request; the threat and cost-benefit pictures for data security associated with Section 1033 compliance; and the threat picture for data privacy associated with Section 1033 compliance. SIFMA addresses each of the CFPB’s concerns herein.
As stated in its previous comment letters addressing the Rule, SIFMA reiterates its support for a consumer’s right to access financial information in a safe and secure format and in a way that is designed to ensure responsibility and accountability for data aggregators and other parties that access such data, consistent with SIFMA’s Data Aggregation Principles. Moreover, SIFMA expresses its continued support for the CFPB’s initiatives aimed at fostering innovation and competitive practices that benefit consumers in financial markets. But the current Rule’s broad definition of “representative” and prohibition on access fees exceed the CFPB’s statutory authority and the intent of Congress when it enacted the CFPA. Further, questions remain surrounding the Rule’s applicability to entities that are outside the CFPB’s jurisdiction as provided in the CFPA or to data providers acting as trustees or with other fiduciary obligations to consumers. Concerns also remain regarding the Rule’s potential prohibition of valuable secondary uses of de-identified consumer data.
Executive Summary
In response to the ANPR, SIFMA recommends that the CFPB:
- Interpret “representative” narrowly—as limited to individuals or entities with fiduciary duties to the consumer—to ensure accountability and prevent unauthorized third-party access to sensitive data.
- Define “consumer” as a current customer to avoid requiring the release of outdated or irrelevant data from former accounts.
- Respect jurisdictional boundaries by clarifying that the Rule does not apply to SEC-regulated entities or business lines outside the CFPB’s authority.
- Clarify fiduciary duties by confirming that data providers acting as trustees or in similar capacities are not required to disclose information in conflict with those obligations.
- Allow reasonable access caps to protect data security, preserve system integrity, and balance operational demands.
- Maintain regulatory harmony with the Gramm-Leach-Bliley Act (GLBA) as the governing framework for financial data security and privacy.
- Confirm that secondary uses of de-identified or anonymized data—which support valuable market research and systemic stability—are not restricted by the Rule.
- Permit reasonable access fees so that data providers may recover the substantial costs of building and maintaining secure interfaces, consistent with long-standing banking principles.
- Adopt realistic compliance timelines—specifically, the later of two years after qualified industry standards are issued or two years following final publication—to ensure orderly and secure implementation.
Taken together, these recommendations would realign the Rule with the statutory text and intent of Section 1033, promote responsible data access, safeguard consumer and market stability, and foster innovation without imposing unnecessary risks or costs.