Comment to Consumer Financial Protection Bureau on Advance Notice of Proposed Rulemaking on Personal Financial Data Rights Reconsideration
- Author(s):
- Todd J. Zywicki
- Posted:
- 03-2026
- Law & Economics #:
- 26-05
- Availability:
- Full text (most recent) on SSRN
ABSTRACT:
On August 22, 2025, the Consumer Financial Protection Bureau announced an Advance Notice of Proposed Rulemaking on Personal Financial Data Rights Reconsideration, aka, the “1033 Rulemaking.” This Comment, filed on October 21, 2025, addresses the four questions posed by the CFPB.
This Comment argues that the rulemaking provides an opportunity to enact a regulatory structure that can benefit consumers, competition, innovation, and financial inclusion, especially for consumers historically underserved by the traditional financial system. In addition, by creating an efficient, workable regulatory structure, the rule can increase consumer data privacy and security by eliminating the need for cumbersome workarounds like screen-scraping practices that impose costs on financial institutions and increase the risk of data breaches for consumers.
The Comment starts by observing that the data in question is not “owned” by either consumers or banks but instead is jointly produced by consumers and providers. As a result, instead of focusing on who “owns” the data, regulatory policy should focus on consumer’s decision-making over how their data is used and preventing misuse of their data, instead of unsolvable questions of data “ownership.”
Regarding the four specific questions posed by the CFPB, the Comment advocates for a broad definition of “representative” that includes third-party data aggregators and fintech providers, noting that narrow interpretations ignore the benefits consumers derive from seller-driven competition. It criticizes the high access fees demanded by large banks as a manifestation of an “anticommons” problem designed to extract monopoly rents and stifle rivals, suggesting instead that fees should be limited to marginal costs or ideally remain at a baseline of zero. On the issue of data security, clear, API-based sharing protocols are far safer than the ad hoc workarounds, such as “screen scraping,” that emerge when consumer demand for portability is blocked. Finally, the Comment urges the CFPB to move away from archaic “notice and consent” models toward a “tort approach” that focuses on preventing the actual misuse of information while facilitating legitimate uses that increase consumer welfare.