With the opportunity now before it, the Trump Administration should adhere to a narrow interpretation of Section 1033.

Tweet

The deceptively named Consumer Financial Protection Bureau (CFPB), created via the even more broadly defective Dodd-Frank Act of 2010, stands as a monument to the dangers of government excess and counterproductive intervention into our market economy.  

Its checkered record of restriction by our judicial system testifies to that fact.  

Poor regulatory implementation during the Biden Administration only amplified its defects.  Specifically, an otherwise obscure provision of Dodd-Frank titled Section 1033 illustrates that problem perfectly.  

Fortunately, an opportunity now exists for the Trump Administration to correct course.  

Section 1033 purported to facilitate something outwardly straightforward and sensible:  ensure that consumers can access their personal financial information from institutions with which they interact.  If consumers have bank accounts, credit cards or digital wallets, so the logic went, they should be able to obtain transaction histories and account data more easily.  

Predictably, however, that narrow directive metastasized into something more bureaucratically ambitious.  

In October 2023, the Biden Administration’s CFPB Director Rohit Chopra proposed a regulation to implement Section 1033 that became a sweeping mandate requiring banks, credit unions, credit card issuers and others to transfer customer data to data aggregators (e.g., Plaid) without meaningful regard to cost allocation, security architecture or commonsense contractual negotiation.  

A court subsequently froze that rule pending new CFPB rulemaking, however, offering the CFPB under President Trump an opportunity to implement Section 1033 within its statutory limitations rather than cement an arbitrary and capricious regulation.  

The intent of Section 1033 is to allow consumers to access their own data from business entities offering consumer financial products or services.  The statute does not consider data aggregators and other financial technology businesses that intend to monetize that information to count as “consumers.”  

Yet that’s effectively what Director Chopra’s regulation sought to accomplish.  By blurring the distinction between consumers and corporate intermediaries, the Biden Administration’s rule would’ve transformed a consumer access privilege into a government-directed data transfer mechanism.  

With the opportunity now before it, the Trump Administration should adhere to a narrow interpretation of Section 1033.  A “consumer” subject to its protections is an individual engaging in financial activity, not a tech company seeking bulk access to consumer data.  By the same token, entities subject to Section 1033 should include the tech companies that actually hold consumer financial data.  Simply stated, if entities possess consumer data as part of the financial products or services they offer, they should be subject to the same obligations to provide the data to individual consumers.  

Importantly, the underlying statute also requires consultation between the Federal Trade Commission (FTC) and federal banking regulators before issuing a final regulation.  That inter-agency coordination is not a mere technicality or courtesy, but rather an important safeguard, since financial data security, competition policy and prudential regulation are not within the CFPB’s exclusive domain.  

There’s another glaring omission in the Biden Administration’s prior approach related to financial data security.  

Mandating broad data sharing without clearly aligning liability with the procedural flow of that data would’ve invited confusion and risk.  If financial data moves from a bank to a data aggregator and then a third-party app, for instance, responsibility for any security breach should match that chain.  Private contracts and assignments of risk negotiated between the parties already address those issues with precision, and a poorly crafted federal regulation would override those negotiated arrangements and sow uncertainty.  

That’s no way to safeguard sensitive consumer financial information.  

In crafting a new rule, the Trump Administration should also avoid inserting the government into private fee negotiations between involved parties.  If banks and data aggregators can reach mutually beneficial agreements acceptable to all, then there’s no reason for bureaucrats to dictate pricing structures.  To do otherwise by imposing fee prohibitions would risk discouraging investment in secure systems, and distorting incentives across the consumer financial ecosystem.  

The consumer financial services market, meanwhile, has continued to advance apace despite the regulatory uncertainty.  Banks and fintech firms have for years negotiated bilateral data-sharing agreements.  Consumers routinely link their accounts to payment platforms, budgeting apps, rent portals and other platforms, while firms like data aggregators have built business models around facilitating those connections – often pursuant to private agreements that voluntarily allocate costs, define liabilities and set security standards.  

The Biden Administration’s regulation, however, would’ve required banks to construct application programming interfaces (APIs) to enable standardized data transfers, while simultaneously restricting their ability to charge fees in order to offset the significant investments required for cybersecurity, compliance and infrastructure for those interfaces.  

In other words, financial institutions would’ve been required to build and maintain the “plumbing,” but prohibited from recovering the costs of building and maintaining it from the outside companies profiting from that access.  

That’s not “consumer protection,” it’s a wealth transfer from regulated banks to data intermediaries.  

Along the way, the Trump Administration should also end the antiquated practice known as “screen scraping,” in which third parties collect user credentials to access account data.  If standardized APIs are encouraged, they should replace, not coexist alongside, less-secure legacy methods.  

All of this raises a more overarching institutional question.  Namely, for years conservatives and libertarians have argued that the CFPB either shouldn’t exist or has strayed far beyond its purpose.  Acting Director Russell Vought has even signaled an intent to curtail the Bureau’s funding.  Against that backdrop, it would be curious to hand the CFPB sweeping new authority through an overextended Section 1033 regulation.  Why implement a new regulatory edifice for an agency whose future remains questionable, especially when doing so would create a new unfunded mandate and invite future expansion under a different, more activist administration?  

Additionally, the fact that the market continues to function amid the CFPB’s legal limbo shows that it is not broken or in need of the heavy-handed intervention contemplated by the Biden Administration’s original Section 1033 proposal.  Consumers continue to obtain their financial information, third parties continue to partner with banks and the sky hasn’t somehow fallen.  

Accordingly, a more narrowly tailored rule that clarifies consumers’ access rights, consults appropriate regulatory partners, preserves contractual freedom, assigns liability more fairly and enhances system security would better balance statutory mandates and market realities.  In contrast, the Biden Administration’s sweeping mandate that reimagined Section 1033 as a tool for compulsory data transfers would do the opposite – expand bureaucratic power even more, raise compliance costs and potentially expose consumers and market participants alike to greater risk.  

None of this constitutes an argument for limiting consumer access to financial data.  Rather, it’s an argument for applying the statute as written and passed, and resisting the perennial Washington, D.C., impulse to maximize regulation regardless of consequence.