StacksVerified U.S. regulatory reference

12 CFR §1033.321

Verified against eCFR.gov as of June 20, 2026View official text on eCFR.gov
  1. (a)Denials related to risk management. A data provider does not violate the general obligation in § 1033.201(a)(1) by denying a consumer or third party access to all elements of the interface described in § 1033.301(a) if:
    1. (1)Granting access would be inconsistent with policies and procedures reasonably designed to comply with:
      1. (i)Safety and soundness standards of a prudential regulator, as defined at 12 U.S.C. 5481(24), of the data provider;
      2. (ii)Information security standards required by section 501 of the Gramm-Leach-Bliley Act, 15 U.S.C. 6801; or
      3. (iii)Other applicable laws and regulations regarding risk management; and
    2. (2)The denial is reasonable pursuant to paragraph (b) of this section.
  2. (b)Requirements for reasonable denials. A denial is reasonable pursuant to paragraph (a)(2) of this section if it is:
    1. (1)Directly related to a specific risk of which the data provider is aware, such as a failure of a third party to maintain adequate data security; and
    2. (2)Applied in a consistent and non-discriminatory manner.
  3. (c)Indicia bearing on reasonable denials. Indicia bearing on the reasonableness of a denial pursuant to paragraph (b) of this section include:
    1. (1)Whether the denial adheres to a consensus standard related to risk management;
    2. (2)Whether the denial proceeds from standardized risk management criteria that are available to the third party upon request; and
    3. (3)Whether the third party has a certification or other identification of fitness to access covered data that is issued or recognized by a recognized standard setter or the CFPB.
  4. (d)Conditions sufficient to justify a denial. Each of the following is a sufficient basis for denying access to a third party:
    1. (1)The third party does not present any evidence that its information security practices are adequate to safeguard the covered data; or
    2. (2)The third party does not make the following information available in both human-readable and machine-readable formats, and readily identifiable to members of the public, meaning the information must be at least as available as it would be on a public website:
      1. (i)Its legal name and, if applicable, any assumed name it is using while doing business with the consumer;
      2. (ii)A link to its website;
      3. (iii)Its Legal Entity Identifier (LEI) that is issued by:
        1. (A)A utility endorsed by the LEI Regulatory Oversight Committee, or
        2. (B)A utility endorsed or otherwise governed by the Global LEI Foundation (or any successor thereof) after the Global LEI Foundation assumes operational governance of the global LEI system; and
      4. (iv)Contact information a data provider can use to inquire about the third party's information security and compliance practices.