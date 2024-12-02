The Financial Data and Technology Association (FDATA) has submitted a response to the OCC regarding its RFI on consumer-permissioned data access and third-party service providers.

The OCC’s Request for Information (RFI) was in relation to community banks’ engagement with core service providers and other third-party service providers.

FDATA’s response

In its comment, FDATA pushed for the OCC to offer supervisory clarity separating consumer-permissioned financial data access under Section 1033 of the Dodd-Frank Act from traditional, bank-initiated third-party outsourcing arrangements subject to prudential third-party risk management (TPRM) frameworks. Additionally, the association underlined that data access directed by a consumer in accordance with the statute is legally and operationally different from discretionary vendor relationships started by financial institutions.

Furthermore, FDATA’s letter provides information on how to handle consumer-permissioned data access, as a conventional third-party relationship can lead to inconsistent supervisory results, especially for community banks. If a clear regulatory definition does not exist, institutions may implement overly cautious interpretations of non-binding guidance. This can negatively impact data access, scale compliance complexity, and minimise participation in consumer-directed financial services.

The association encouraged the OCC to view the RFI process as an opportunity to restate clear lines of regulatory responsibility and to closely collaborate with the Consumer Financial Protection Bureau (CFPB) and other regulators as consumer-permissioned financial data rights are operationalised across the US. FDATA intends to continue to engage with the OCC as it takes into account feedback submitted in response to the RFI.

Expanding on this, Steve Boms, Executive Director of FDATA, who also provided his opinion of the CFPB’s actions from summer 2025, now noted that, as when a financial institution facilitates consumer-permissioned data access, it is responding to a consumer’s instruction and complying with a statutory obligation, applying traditional TPRM frameworks leads to regulatory ambiguity that can unintentionally restrict consumer choice, as well as innovation, and undermine consumer financial data rights.