It has to be one of the driest policy topics ever in the banking and financial services space, and yet it’s caused a flood of controversy for 15 years: a small part of the massive Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 that requires financial institutions to provide consumers with access to their financial data and governs how that data is shared with other parties.
Now, this provision—Section 1033—is in the news again, after the Consumer Financial Protection Bureau (CFPB) recently wrapped up yet another public comment period on a new rulemaking to implement this part of Dodd-Frank and fix the Biden Administration’s flawed regulations issued in 2024. The central issue is how banks, the traditional stewards of sensitive consumer financial data, share these records with “fintech” institutions, data brokers, and other third parties.
Taxpayers are not out of this policy desert yet. How this relatively obscure part of Dodd-Frank—less than one page of an 849-page behemoth that failed in its stated purpose to protect taxpayers from financial sector bailouts—gets implemented still has serious implications for the economy and government finances.
Here are just three of the biggest problems:
Bureaucratic Bloat. The CFPB’s 2024 regulations outlined a process for how bank customer information is shared with third parties, but those rules never clarified how they would interact with all the federal agencies involved in banking and finance, including the CFPB, the Securities and Exchange Commission, the Federal Deposit Insurance Corporation, the Federal Reserve, the Federal Trade Commission, the National Credit Union Administration, and numerous other federal or state agencies.
Mixed Signals. Meanwhile, the private sector is left to wonder whether it will be left to navigate this government-mandate maze without a clear map. As a 2022 Treasury Department analysis found, there was “virtually no regulatory oversight of data aggregators’ storage of consumer financial information akin to the supervision of data security” characteristic of banks. This conundrum puts some institutions in an impossible legal position. For instance, some of CFPB’s dictates from the 2024 rule could have put banks dangerously close to crossing the red line of the Gramm-Leach-Bliley Act, not to mention numerous other data security and privacy laws. No wonder that other government agencies, including the U.S. Small Business Administration’s Office of Advocacy, filed comments with concerns over CFPB’s approach last year. When taxpaying companies have to divert resources to unnecessary regulatory compliance that they could be using to innovate and grow, their profitability shrinks, and with it their revenue contributions to the Treasury.
Economic Micromanagement. Banks, fintechs, data brokers, and others in this space are sophisticated actors capable of negotiating with each other over who pays (and how much) for data security and system upgrades to allow smooth, safe transfers of information when customers request them. Yet, CFPB’s 2024 rule lacked the flexibility to allow such free-flowing negotiations, and risked setting a precedent that strands a disproportionate share of costs on one part of the financial sector (consisting largely of traditional institutions). This is far from an academic concern: a similarly dangerous parallel exists in federal and state attempts to impose caps on “interchange” rates that payment network providers and users once set among themselves with hard-bargaining. Taxpayers suffer from such price controls in a variety of ways, including underinvestment in network security that could prompt government backfill costly upgrades that private companies would normally undertake.
There are better ways forward. Rather than a top-down approach where government dictates how everyone behaves, a “regulatory sandbox” could allow all stakeholders affected by Section 1033 to experiment and collaborate on crafting clear, pragmatic rules of the road that they can understand—and government can more easily enforce. Government price controls on data transfers should be off the table, allowing private parties to negotiate fair prices among themselves. Outside of CFPB, a complete inventory is necessary to determine the impact that decades of banking, housing, tax, labor, and other laws, as well as rulemakings, have had on the financial sector.
CFPB’s new rulemaking presents a vital opportunity to break from its recent past. President Trump’s recent Executive Orders have stipulated that government should be working to clear away parts of the regulatory thicket that serve no purpose except to trap taxpayers. CFPB can help to trim this thicket so that everyone— – banks, credit unions, fintechs, and others—have an equal chance to thrive.
