BPI Supports Stronger Customer Protections and End to Exploitative Data Harvesting in Section 1033 Rulemaking

Washington, D.C. — The Consumer Financial Protection Bureau proposed a new rule today to govern how consumer personal financial data is shared and secured. This rulemaking, sometimes referred to as “open banking,” is part of a requirement under Section 1033 of the Dodd-Frank Act.

What BPI is saying:

Paige Pidano Paridon, BPI senior vice president and senior associate general counsel, issued the following statement in response:

BPI supports innovation and welcomes competition in financial products and services and the ability of bank customers to securely connect their bank accounts to third-party apps. The CFPB must prioritize data security in its rulemaking process, put an end to unsafe practices like screen scraping and require fintechs to adhere to the same data privacy and security standards that already apply to banks.

What is BPI’s position?

Put simply: customers must have transparency and control over their data. Around 80% of consumer respondents were unaware that third-party app providers gather users’ financial data and 78% were unaware that aggregators have access to personal data even when the app is closed or deleted, according to a recent survey.

The final rule must:

  • Advance the adoption of secure APIs and set a date to phase out the use of screen scraping;
  • Require any entity with access to sensitive consumer data to establish and maintain strong data security safeguards and subject those entities to CFPB oversight;
  • Limit the type and amount of data shared to what is necessary for the desired product or service;
  • Require transparency so that customers understand how their data is being used, who it is being used by and for how long the data is being saved; and
  • Require that any entity that causes harm to a consumer be responsible for remedying the harm. For example, if a data aggregator is hacked and a consumer’s data is accessed and used to engage in fraudulent activity, the data aggregator should be liable for that breach.

What’s the background?

The proposed rule issued today is part of the CFPB’s obligations under Section 1033 of the Dodd-Frank Act. The rule will establish a framework under which consumers can authorize third parties to safely collect their personal financial data to enable consumers to access products and services provided primarily by third-party fintechs.

The CFPB initiated this effort in October 2016 after issuing a request for information. Since then, it has hosted several symposia, published principles, issued an advance notice of proposed rulemaking and convened a panel of small businesses, as required under the Small Business Regulatory Enforcement Act, in February 2023.

What comes next?

The issuance of a proposed rule today is the start of the formal rulemaking process. A final rule is expected in 2024.


About Bank Policy Institute.

The Bank Policy Institute (BPI) is a nonpartisan public policy, research and advocacy group, representing the nation’s leading banks and their customers. Our members include universal banks, regional banks and the major foreign banks doing business in the United States. Collectively, they employ almost 2 million Americans, make nearly half of the nation’s small business loans, and are an engine for financial innovation and economic growth.

Media Contact

Austin Anton

