CFPB’s PFDR Rule Reconsideration – Questions 18 & 28 Response
- Iain Melchizedek
- Aug 26

In August 2025, the Consumer Financial Protection Bureau (CFPB) reopened its Personal Financial Data Rights Rule (PFDR Rule) under Docket No. CFPB-2025-0037. Safe Passage Strategies, LLC submitted this response to Questions 18 and 28, which concern information security and the costs and benefits of restricting screen scraping.
I. No Empirical Basis for Prohibition
The Bureau prohibited credential-based screen scraping on the ground it is “inherently less secure” than API access. Yet the Bureau acknowledged that it had no empirical evidence to quantify risks of account takeover or to establish by controlled study that APIs are categorically safer. A prohibition built on assumption is a preference, not a standard.
II. Comparative Risks
Both scraping and APIs entail vulnerabilities. Scraping requires third parties to store consumer credentials, creating risk of compromise if vaults are breached. APIs expose multiple endpoints and rely on token stores, which can themselves be exploited. Neither architecture is immune; both rest upon secure data management. The distinction lies not in security itself but in supervision. APIs produce logs, scopes, and revocation paths regulators can oversee; scraping does not. That is a difference in administrative convenience, not in inherent safety.
III. Impact on Consumers
The prohibition also operates directly on the consumer. For decades, consumers lawfully chose to share their own credentials with services of their choice. The final rule forecloses that option, compelling consumers to use only those access channels approved by the Bureau and controlled by banks.
This shift alters the balance of agency. It no longer suffices for a consumer to authorize a third party by contract; authorization must be filtered through the CFPB’s prescribed method. In practice, the Bureau has interposed itself between consumer and data, monitoring not merely the institutions but the individual’s own means of access.
IV. Economic Costs and Market Consequences
The ban also transforms the economics of consumer data access. Scraping was costless to the consumer, with engineering costs absorbed by aggregators, and collateral costs (such as system strain) absorbed by banks.
APIs impose explicit obligations: banks must build and maintain developer interfaces; third parties must integrate and comply with certification standards. While consumers are told these APIs are “free,” the costs are real, borne by banks and fintechs, and ultimately passed through to consumers in the form of higher fees or diminished innovation.
The burden falls heaviest on smaller entrants. Large banks and well-capitalized fintechs can absorb the expense of API compliance; smaller innovators cannot. The rule thus tilts the market toward incumbents. The effect is to reduce consumer choice, restrain competition, and consolidate market power under the banner of security.
V. Institutional Credibility
The Bureau itself suffered a data breach in 2023. That fact underscores what its own list of historic breaches makes plain: no system is impregnable. To label scraping “inherently insecure” while conceding universal vulnerability diminishes credibility and risks misrepresenting the problem to the public.
VI. Conclusion
The Bureau should in its reconsideration:
- Acknowledge that no empirical record establishes scraping as less secure than APIs.
- Recognize that both models involve risks, which differ in form but not in kind.
- Reassess the prohibition, which strips consumers of their ability to authorize access by the means of their choosing.
- Weigh the true economic costs of shifting to APIs, including barriers for small innovators and diminished competition.
- Accept that “standards” must rest on evidence, not preference, and that consumers—not regulators—are the rightful arbiters of how their data are shared.
Respectfully submitted,
Safe Passage Strategies, LLC