Every time you connect your bank account to a budgeting app or crypto exchange, you risk letting a hidden middleman silently steal your financial data—sometimes forever. Firms like Plaid, Yodlee, and MX aren’t just helping apps work; they’re scraping your account details billions of times each month—often without you even asking—and selling that data to the highest bidder.
Worse, they do this through infrastructure banks built and secured—without paying a dime.
At the center of this problem is a 2024 rule from the Consumer Financial Protection Bureau (CFPB), issued under the Biden administration. Known as Section 1033, this rule goes well beyond what Congress authorized. It blocks banks from charging data middlemen fees to access sensitive customer financial information through APIs—secure digital pipelines that banks spent hundreds of millions of dollars developing.
This so-called “consumer access” rule shields data brokers’ unlimited access to bank systems, often at the expense of consumer privacy and security. Consumers are left in the dark about how much access they actually grant—or how long that access lasts.
A study by The Clearing House Association found that 78% of consumers didn’t know these aggregators kept pulling data even after the user deleted the app that originally requested it. Even more startling: banks report that nearly 90% of this data traffic happens without any direct user action or request. This isn’t innovation—it’s unchecked surveillance.
Some banks are fighting back. They charge data brokers small fees for excessive or unnecessary data pulls, while still providing free access when customers make real-time requests. Under this system, responsible access would cost aggregators less than 10 cents per customer, per month.
But rather than fixing the problem, the Biden-era CFPB doubled down. That’s now changing.
Earlier this month, the Trump administration’s CFPB took a major step to scrap the rule. The agency filed a motion to pause legal proceedings in the ongoing Bank Policy Institute v. CFPB lawsuit, announcing its intent to revisit and rewrite the regulation entirely. The motion promised a “comprehensive reexamination” alongside stakeholders to craft a new approach aligned with the administration’s policy goals.
The court granted this request, halting litigation and clearing the way for a new rulemaking process. The CFPB is expected to issue an Advanced Notice of Proposed Rulemaking soon.
This signals a long-overdue correction.
The Consumer Bankers Association warned that the Biden-Chopra rule “would pose significant risks to consumers’ privacy and data security while also creating new avenues for fraud and exploitation.” The Bank Policy Institute echoed these concerns, noting that defenses of the original rule by the Financial Technology Association “misinterpret the statute,” “distort its implications,” and advance a “flawed legal position” that benefits aggregators at everyone else’s expense.
This rule never aimed to help consumers. It protected the business model of middlemen who extract data without clear consent, accountability, or cost.
In July, JPMorgan Chase revealed that these aggregators scrape customer accounts thousands of times per month per user—often years after a single login. The bank told CNBC this level of traffic “massively taxes” its systems and bears little relation to what customers actually want.
This exacts a real price—borne by banks, consumers, and the entire financial system. Americans for Tax Reform called the original 1033 rule “unlawful” and praised the CFPB’s retreat as “a victory for rule of law and market integrity.”
As policymakers craft the new rule, they have a clear path forward. First, they must protect consumers’ privacy and security. At the same time, they should promote responsible, user-driven data sharing. Transparency is critical: consumers should know exactly what data is being accessed and why. Equally important, all parties involved—especially aggregators—need to have skin in the game, with real accountability for their actions.
Put simply: no more government-mandated, no-strings-attached access to private banking infrastructure. No more digital pickpocketing masquerading as innovation.
Fintech and consumer data sharing aren’t the problem. Many banks already offer secure, efficient ways for consumers to share data with trusted apps. But that’s not the same as letting third parties have unlimited, perpetual access to your account history and balance—often without your knowledge or consent.
The Trump-era CFPB now has a chance to fix a rule that undermined property rights, economic fairness, and informed consent. The original regulation favored invisible data profiteers at consumers’ expense and exposed them to risk.
A revised Section 1033 should empower consumers to control their data and hold all parties to clear standards of accountability and transparency.
The Biden-era rule acted as a regulatory subsidy for data brokers. It’s time for a model that prioritizes consumer choice and privacy. Let’s shut the loophole letting third parties raid your financial data unchecked. The government should protect you—not data middlemen.
