Code · CFR · Title 12 — Banks and Banking · Part 1033 — Personal Financial Data Rights · § 1033.321

§ 1033.321. Interface access.

A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

(a) Denials related to risk management. A data provider does not violate the general obligation in § 1033.201(a)(1) by denying a consumer or third party access to all elements of the interface described in § 1033.301(a) if:
(1) Granting access would be inconsistent with policies and procedures reasonably designed to comply with:
(i) Safety and soundness standards of a prudential regulator, as defined at 12 U.S.C. 5481(24), of the data provider;
(ii) Information security standards required by section 501 of the Gramm-Leach-Bliley Act, 15 U.S.C. 6801; or
(iii) Other applicable laws and regulations regarding risk management; and
(2) The denial is reasonable pursuant to paragraph (b) of this section.
(b) Requirements for reasonable denials. A denial is reasonable pursuant to paragraph (a)(2) of this section if it is:
(1) Directly related to a specific risk of which the data provider is aware, such as a failure of a third party to maintain adequate data security; and
(2) Applied in a consistent and non-discriminatory manner.
(c) Indicia bearing on reasonable denials. Indicia bearing on the reasonableness of a denial pursuant to paragraph (b) of this section include:
(1) Whether the denial adheres to a consensus standard related to risk management;
(2) Whether the denial proceeds from standardized risk management criteria that are available to the third party upon request; and
(3) Whether the third party has a certification or other identification of fitness to access covered data that is issued or recognized by a recognized standard setter or the CFPB.
(d) Conditions sufficient to justify a denial. Each of the following is a sufficient basis for denying access to a third party:
(1) The third party does not present any evidence that its information security practices are adequate to safeguard the covered data; or
(2) The third party does not make the following information available in both human-readable and machine-readable formats, and readily identifiable to members of the public, meaning the information must be at least as available as it would be on a public website:
(i) Its legal name and, if applicable, any assumed name it is using while doing business with the consumer;
(ii) A link to its website;
(iii) Its Legal Entity Identifier (LEI) that is issued by:
(A) A utility endorsed by the LEI Regulatory Oversight Committee, or
(B) A utility endorsed or otherwise governed by the Global LEI Foundation (or any successor thereof) after the Global LEI Foundation assumes operational governance of the global LEI system; and
(iv) Contact information a data provider can use to inquire about the third party's information security and compliance practices.