CFPB’s PFDR Rule Reconsideration – Questions 2, 3, 4, 5, 6, and 7
- Iain Melchizedek
- Aug 28

The CFPB’s reconsideration of the Personal Financial Data Rights Rule raises several questions about how Section 1033 of the Dodd-Frank Act should be implemented. In particular, Questions 2 through 7 focus on the meaning of the term “representative”—whether it should be limited to fiduciaries such as agents and trustees, or whether it can also include non-fiduciary third parties like data aggregators, fintech firms, or other commercial actors authorized by consumers. This debate directly affects consumer privacy, statutory protections under existing laws, and the balance of power between community banks, large financial institutions, and Big Tech.
Issue 1: Forced Data Sharing Architecture - Questions 2-7
Response
Issue: Whether the PFDR Rule's mandatory data sharing violates existing consumer privacy rights and fiduciary duty principles.
Statutory Authority
Congress has consistently required fiduciary duty or explicit consumer consent before third parties may handle sensitive financial data:
Federal Trade Commission Act (15 U.S.C. § 45): Declares unlawful “unfair or deceptive acts or practices.” Though banks are exempt, Congress established a baseline principle that consumer data cannot be exploited for commercial convenience without accountability. The Act requires prevention of systemic harms to consumers that result from unfair or deceptive use of financial information.
Fair Credit Reporting Act (15 U.S.C. § 1681): Congress found that inaccurate or unfair reporting undermines the banking system, and imposed “grave responsibilities” on consumer reporting agencies to respect privacy, accuracy, and fairness. These duties operate as fiduciary-like obligations, ensuring that financial data is never handled casually or without statutory safeguards.
Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.): Requires financial institutions to protect consumer information, give annual notice of privacy practices, and obtain explicit consumer consent (“opt-out” rights) before sharing data with unaffiliated third parties. GLBA also imposes safeguarding obligations and prohibits obtaining data under false pretenses.
Taken together, these statutes reflect a uniform legislative policy: consumer financial data may only be disclosed where there is fiduciary duty, explicit consumer authorization, or statutory safeguarding. Congress has never authorized broad, non-fiduciary access to such data for mere commercial convenience. The PFDR Rule’s interpretation of “representative” to include non-fiduciary third parties is therefore inconsistent with this statutory framework, diluting existing protections and compelling disclosures that Congress never sanctioned.
Analysis
Building on our Question 1 submission establishing fiduciary duty requirements, Questions 2-7 expose how the PFDR Rule destroys existing consumer protections:
Question 2 Response: No federal statute permits non-fiduciary commercial entities to access consumer data under representative authority. The Federal Trade Commission Act (15 U.S.C. § 45), Fair Credit Reporting Act (15 U.S.C. § 1681), and Gramm-Leach-Bliley Act all require either consumer consent OR fiduciary relationships for third-party access—never mere commercial convenience.
Question 3 Response: The statutory trilogy "agent, trustee, or representative" employs the legal principle of noscitur a sociis (known by associates). When Congress places fiduciary terms together, all carry fiduciary meaning. See Yates v. United States, 574 U.S. 528 (2015) (statutory terms must be read in context). An "agent" without fiduciary duties is a contractor; a "representative" without fiduciary duties is merely a vendor.
Questions 4-5 Response: The rule's interpretation eviscerates existing consumer privacy rights. Under GLBA § 6805, financial institutions cannot disclose consumer information except to affiliates or with explicit consent. The PFDR Rule mandates disclosure to any "authorized third party"—creating a forced waiver of GLBA protections. This violates the constitutional principle that Congress cannot delegate authority to abolish existing statutory rights. See Whitman v. American Trucking Assns., 531 U.S. 457 (2001).
Question 6 Response: Section 1033(d)'s standardization mandate was intended to ensure data portability for consumers, not to create government-controlled market infrastructure. The rule perverts this consumer protection into institutional control, forcing consumers into government-designed systems that primarily benefit data aggregators.
Question 7 Response: If representatives need not be fiduciary, the CFPB must explain why Congress used that specific term rather than "any third party." Under basic statutory construction, Congress chooses words deliberately. See Russello v. United States, 464 U.S. 16 (1983). The rule's interpretation renders "representative" meaningless surplusage.
Conclusion
The forced sharing architecture at the heart of the PFDR Rule impermissibly rewrites the statutory design of Section 1033. Congress employed the trilogy “agent, trustee, or representative” in deliberate company with fiduciary terms. Under canons of construction, a “representative” cannot mean “any commercial vendor” without fiduciary obligation. To say otherwise is to drain the statute of meaning and replace it with bureaucratic fiat. That move offends both statutory text and the consumer privacy protections Congress preserved in GLBA.
From the consumer’s perspective, the Rule subverts agency. Transaction data is not abstract; it reveals medical diagnoses, financial vulnerability, and personal behaviors. To force its transfer to non-fiduciary actors transforms privacy from a right into a risk, and consent into a pretext. That is not empowerment; it is exposure.
From the perspective of community banks, the Rule converts fiduciary obligations into unfunded mandates. Small banks would be forced to subsidize non-fiduciary third parties, bearing disproportionate compliance and liability costs, while megabanks and data aggregators leverage scale to entrench their dominance. The result is not competition, but consolidation.
Big Tech and data aggregators, for their part, stand to capture consumer data under the banner of “representation” without the duties that true representation entails. That inversion of trust principles privileges commercial convenience over legal obligation. The law does not—and should not—license such a regime.
The Constitution forbids agencies from extinguishing statutory rights under the guise of implementing them. Congress gave consumers the right to access their own data—not a mandate to surrender it to any commercial entity claiming to act “on their behalf.” A rule that erodes fiduciary duty and compels disclosure to non-fiduciaries violates both statutory construction and consumer protection. It transforms a right to privacy into a pipeline for institutional harvesting. That is neither faithful to the text nor protective of the people.
Recommendation
To address these concerns, Safe Passage Strategies urges the CFPB to revise the PFDR Rule to require third-party representatives to demonstrate fiduciary duty or obtain explicit, revocable consumer consent, consistent with GLBA and other statutes. Additionally, implementing tiered access controls would ensure data portability empowers consumers without compromising privacy or creating unfunded mandates for community banks. This approach aligns with Congress’s intent, preserves consumer sovereignty, and fosters competition without sacrificing statutory protections.