On Thursday, June 5, 2025, at 10:00 a.m., the Subcommittee on Financial Institutions held a hearing in Room 2128 of the Rayburn House Office Building, entitled “Framework for the Future: Reviewing Data Privacy in Today’s Financial System.” The witnesses were:
- Scott Talbott, Executive Vice President, Electronic Transactions Association
- Andrew Morris, Director of Innovation and Technology, America’s Credit Unions (ACU)
- Rebecca Kuehn, Partner, Hudson Cook, LLP
- Jennifer Huddleston, Fellow in Technology Policy, Cato Institute
- Zoë Strickland, Senior Fellow, Future of Privacy Forum (FPF)
We watched this hearing very carefully. We are sharing copies of a detailed hearing report and our proprietary transcript.
Data privacy is an increasingly important issue given how the economy has evolved into a data-driven digital economy. Relatedly, minimizing the use and sharing of data could help limit the damage that arises from cyberattacks, which have increased and become more elaborate. For example, in 2017, Equifax had one of the largest data breaches, which exposed the personal information of approximately 147 million Americans. Analysis has shown that the financial sector is one of the top targets for cyberattacks, an issue the Financial Stability Oversight Council (FSOC) has routinely highlighted in its annual reports to Congress as a perennial financial stability risk.
Section 1033 of the Dodd-Frank Act provides consumers with a right of access to their financial information. After an extensive rulemaking process, the CFPB issued a final rule last year implementing Section 1033 that includes online data interface requirements, the types of financial data covered, obligations for third-party financial institutions accessing consumer data, and data privacy safeguards. Former CFPB Director Rohit Chopra said that if consumers can more easily share their financial information in electronic formats, they will find it easier to switch financial institutions, access credit, and use innovative new financial products and services, increasing competition in consumer financial services.
For example, these open banking standards could allow a consumer to more easily share bill pay information with another financial institution to switch to another bank, bank account transaction information with a lender to qualify for a loan, or credit card transaction information with a financial technology provider that analyzes spending behavior to help spend less. The CFPB has estimated that, as of 2022, at least 100 million consumers had authorized a third party to access their account data. The number of individual instances in which third parties accessed or attempted to access consumer financial accounts is estimated to have exceeded 50 billion and may have been as high as 100 billion, figures that vastly exceed other jurisdictions’ open banking systems, and were expected to grow as consumer engagement continues and use cases expand.
Beginning in 2016, the CFPB conducted an extensive process to gather stakeholder input and develop the rules to implement Section 1033. For example, the CFPB requested stakeholder feedback and information on consumer data sharing between financial institutions, which resulted in a report outlining nine principles, based in part on the feedback in 2017.
Under Trump-appointed former Director Kathy Kraninger’s leadership, the CFPB continued developing the rules by convening a symposium with experts and stakeholders and issuing an Advance Notice of Proposed Rulemaking (ANPR) in 2020. On July 9, 2021, former President Biden signed Executive Order 14036, “Promoting Competition in the American Economy,” which, among other things, encouraged the CFPB to finalize the Section 1033 rules, which it did in 2024. Below is a full chronology of the rule’s development.
The hearing underscored the complex landscape of financial data privacy and the urgent need for comprehensive, thoughtful federal legislation.
As Sima Gandhi, President and Founder of AltonStrategies, pointed out in a recent article, consumers now expect these choices—research shows 91% of consumers have connected their accounts to third parties. Established players will continue on, even in the absence of a formal rulemaking. Many big banks and data networks already have bilateral contracts in place to govern access, so most consumers won’t see a change when they connect their bank accounts to the TurboTaxes or PayPals of the world.
Key takeaways from the hearing included:
- Need for a Uniform Federal Privacy Standard
  - Current patchwork of state privacy laws creates complex, costly compliance challenges
  - Witnesses strongly advocated for a national, consistent data privacy framework
  - Emphasized the burden on smaller financial institutions navigating multiple state regulations
- Open Banking and Consumer Data Control
  - CFPB’s Section 1033 rule was seen as a critical step in empowering consumers to control their financial data
  - Discussions highlighted the importance of allowing secure data sharing with third-party financial tools
  - Concerns raised about potential rescission of the rule by the Trump administration
- Modernizing GLBA for the Digital Age
  - Recognition that the Gramm-Leach-Bliley Act is outdated given technological advances
  - Need to balance consumer privacy protections with financial innovation
  - Calls for updating definitions of financial institutions and non-public personal information
- Challenges of State Regulators and Privacy Laws
  - State laws create significant compliance challenges, especially for smaller institutions
  - California’s privacy law was frequently cited as creating particularly complex requirements
  - Witnesses argued that state-level regulations risk creating de facto national standards without congressional oversight
- Risks of Private Right of Action
  - Strong consensus against broad private right of action provisions
  - Concerns that such provisions would:
    - Encourage frivolous lawsuits
    - Increase litigation costs
    - Potentially stifle innovation, especially for smaller financial institutions
- Balancing Innovation and Consumer Protection
  - Consistent theme of maintaining a delicate balance between:
    - Protecting consumer data privacy
    - Enabling financial innovation
    - Maintaining access to financial services
    - Supporting competition in the financial technology sector