Since the passage of the so-called Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, policymakers have grappled with how to create a regulatory framework within which personal data portability and sharing can occur safely and soundly within the U.S. financial system. In October 2024, the Consumer Financial Protection Bureau (CFPB) issued a sweeping, finalized rulemaking that was supposed to put an end to some 15 years of speculation on what this framework, under Section 1033 of Dodd-Frank, would look like.
However, many questions remain about how the CFPB’s rule could be implemented as it is currently written and whether financial institutions and their customers are prepared for such a significant shift. As the agency considers amending or rescinding and reissuing the rule, taxpayers and consumers still have many concerns about how exactly the rulemaking would translate to reality—and hundreds of billions, if not trillions, of dollars hang in the balance.
The changing landscape of finance has long required updates to laws and regulations. Millions of Americans now avail themselves of non-traditional banks in the “fintech” space for everything from retirement investments to personal loans. This innovation has been vital in driving America’s economic growth, upward mobility, and competitive leadership in the global economy.
A key factor in ensuring that innovation continues is the portability of data. How can consumers be made more aware of how their information is collected, stored, and exchanged when they make decisions involving banks, credit unions, fintech, and other financial providers? How can the security of this data be safeguarded as it moves among these entities? What government or private sector structures will be built to oversee each part of this custody chain? And how can the government encourage a fair apportionment of system security investments? Will the entities be able to recover costs for their security responsibilities through reasonable business negotiations, or will the government impose one-size-fits-all mandates?
Section 1033 of Dodd-Frank requires that certain financial institutions “shall make available to a consumer, upon request, information in the control or possession of the [institution] concerning the consumer financial product or service that the consumer obtained.” The CFPB’s rule outlines a process for how such information is shared with third parties, but concerns remain about its practical impact. The following are just a few examples of what consumers and taxpayers should know:
1. Americans value the peace of mind they get from knowing that their most sensitive financial information is managed with care and confidentiality. Banks, credit unions, and other providers have varying levels of private and public sector standards that they must follow to provide this protection, as well as enforcement consequences when they don’t. A key question remains: How will CFPB’s rules interact with the patchwork of existing financial regulations?
In a given transaction a customer wishes to initiate between financial providers, the CFPB, the Securities and Exchange Commission, the Federal Deposit Insurance Corporation, the Federal Reserve, the Federal Trade Commission, the National Credit Union Administration, and numerous other federal or state agencies—or none at all—could be involved. For example, would a bank overseen by FDIC be left “holding the bag” for data-breach restitution simply because an unsupervised third party receiving information on an accountholder’s request took poor security precautions? This is not an academic question.
In 2022, a Treasury Department analysis found “virtually no regulatory oversight of data aggregators’ storage of consumer financial information akin to the supervision of data security” characteristic of banks. Clearer guidance is needed to ensure that financial institutions are not left with unfair regulatory liabilities. That guidance should move toward lighter overall burdens on the private sector, as President Trump’s recent Executive Orders have stipulated.
2. Furthermore, these services that give consumers financial peace of mind are hardly “free.” Banks invest billions of dollars in data and network security, which must somehow be financed through account fees, overdraft charges, fewer rewards for account holders, less attractive interest rates on deposits, etc. Bank and non-bank actors should be permitted to arrive at voluntary agreements that provide access to data with fair compensation and risk protection.
If the entire data-sharing network envisioned under the Section 1033 rulemaking is to take shape, how will all parties involved, including non-banks, shoulder their share of the network’s upkeep expense? These cost considerations deserve more attention before full implementation.
A similarly dangerous parallel long familiar to NTU exists in federal and state attempts to impose caps on “interchange” rates that payment network providers and users once negotiated among themselves with the usual hard bargaining that the free market is supposed to facilitate.
In both cases, the government’s attempt to second-guess the free market leads to underinvestment in network security or, equally troublesome, squeezing the bubble elsewhere to recover costs (a proven problem with interchange price controls on debit cards).
CFPB’s rulemaking must take steps to clarify that all providers involved in data exchanges have the right to engage in arm’s-length, good-faith negotiations, and arbitration over how transaction costs would be apportioned when data sharing occurs. The same could be said for the value of the data itself, which, in this case, is far from trivial. Tech developers often negotiate amongst themselves over fair use—and pricing—of such information. If disputes were to occur among any set of parties, various legal and administrative institutions could arbitrate them. Without flexibility, the government risks setting a precedent that strands a disproportionate share of costs on one part of the financial sector (consisting largely of traditional institutions).
3. As is all too often the case when one agency steps into an area of rulemaking where others have walked, some institutions will be put in an impossible legal position. For instance, some of CFPB’s dictates could put banks dangerously close to crossing the red line of the Gramm-Leach-Bliley Act, not to mention numerous other data security and privacy laws. This problem could easily translate into confusion for other areas of the financial sector, including credit unions. No wonder that other government agencies, including the U.S. Small Business Administration’s Office of Advocacy, filed comments with concerns over CFPB’s approach.
4. Despite all the feasibility concerns above, CFPB still expects the entire financial industry to adhere to its rules within six months of finalization. With the implementation clock ticking, tens of thousands of institutions serving millions of customers must make extensive updates to systems, databases, processing networks, and public-facing internet portals—affecting trillions of dollars. Due to the absence of adequate time and equitable cost-sharing, the rule threatens to penalize institutions that have already invested heavily in protecting consumer data—ironically, the very goal CFPB claims to advance.
Taxpayers and consumers have a major stake in how all these matters are addressed. Overregulate how the various financial services providers are supposed to interact, and the budgets of rulemaking entities get bigger while government revenues from innovation-driven economic growth begin to wither. Dictate network security price controls, and one part of the financial sector bears too heavy a share of the load, and the government, rather than consumers, will be picking winners and losers in the economy. Underappreciate the maze of “legacy” regulations that banks, credit unions, and others already must navigate, and government officials take their eyes off the need to clear away this expensive thicket that is entangling taxpayers and the economy.
To chart a better way forward, NTU recommends three steps.
Provide the Time for Further Consideration. A six-month transition for a rule meant to address a 15-year-old area of law is unwise, given substantial disagreement within the financial sector over the rule’s basic tenets and CFPB’s constitutional authority.
Provide Space for Experimentation. Data-sharing conventions among providers in general, and the complexities of Section 1033 in particular, call for a tool that financial providers and governments here and abroad have already utilized to profound effect: the “regulatory sandbox.” Ryan Nabil, Director of Technology Policy and Senior Fellow for NTU’s research arm, provides this expert view of how a sandbox works:
‘Regulatory sandboxes’ are government-created programs through which companies can offer innovative products and receive support and advice from regulators. In 2016, the United Kingdom's Financial Conduct Authority (FCA) launched the world's first regulatory sandbox to promote financial technology (fintech) innovation. Since then, more than 50 countries have established similar fintech sandboxes to promote innovation.
In a previous capacity, Nabil further explained:
[R]egulatory sandbox programs allow companies to test innovative products and services under a modified and frequently lightened regulatory framework for a limited period. These programs allow companies to test new financial products and enable regulators to become more familiar with technological innovation and its impact on businesses. By allowing regulators to evaluate how different rules impact businesses, sandbox programs can provide crucial information to help regulators craft business- and innovation-friendly rules.
Whether administered through CFPB, the Office of Information and Regulatory Affairs (OIRA), or some other body, the Executive Branch should take steps now to construct a sandbox. Unlike the version children play with, this sandbox would be built for the serious work that would have to go into any comprehensive attempt to actualize Section 1033. This exercise would also offer the Trump Administration and its Department of Government Efficiency (DOGE) an important glimpse at how this powerful concept could be adapted to other approaches to smarter regulation.
Provide the Time and Space for Regulatory Reform That Benefits Everyone. This does not mean piling banking regulations onto fintech so that the current flaws of one part of the industry will have more company. Rather, it means taking a complete inventory and conducting a systematic evaluation of the impact that decades of banking, housing, tax, labor, and other laws, as well as rulemakings, have had on the financial sector.
Just a few areas that come to mind are the intrusive and arbitrary bank examination process, several agencies’ past regulatory crusades over what they called “junk fees” (even as they ignored governments’ own fees), the continued dominance of taxpayer-backed Fannie Mae and Freddie Mac over housing finance, state and federal price control schemes for credit and debit cards (see above), creation of the duplicative “FedNow” payment network, and mandates for credit-scoring models that create more paperwork for lenders and their customers.
These tasks would be ideal for OIRA, DOGE, or (in the legislative branch) the Government Accountability Office to undertake. Upon completion, both ends of Pennsylvania Avenue would have a better idea of how to adjust downward the bloated “regulatory baseline” that has squeezed the private sector for too long, all while preserving the safety and soundness that taxpayers and consumers demand.
Given the complexity of the issue, regulators and industry stakeholders should work together to ensure the rule is both practical and legally sound before full implementation moves forward. And there is no bigger or more important group of stakeholders than the nation’s taxpayers.