The financial services industry generally, and data aggregators specifically, have watched intently as the Trump administration has altered the course of the Consumer Financial Protection Bureau (CFPB or “Bureau”), in an effort to understand what impact such actions will have on the open banking ecosystem and on the CFPB’s open banking rule (the “1033 Rule”), which implements Section 1033 of the Dodd-Frank Act (12 U.S.C. § 5533).
On May 30, 2025, the CFPB took a significant step toward unwinding the 1033 Rule when it filed its motion for summary judgment (MSJ) in the banking trades’ case challenging the 1033 Rule (Forcht Bank, N.A., et al. v. Consumer Financial Protection Bureau, et al.). In its MSJ, the CFPB makes a 180-degree turn, arguing that the agency exceeded its statutory authority in issuing the 1033 Rule, and calls for the court to vacate the rule. The impact of this reversal could have significant implications for data providers (such as banks), data aggregators, fintechs, and consumers.
Background
The lawsuit challenging the final 1033 Rule was filed against the CFPB by Forcht Bank, the Bank Policy Institute (BPI), and the Kentucky Bankers Association on October 22, 2024, the day that the CFPB released the 1033 Rule. Plaintiffs argued that the 1033 Rule, among other things, unlawfully (i) delegates compliance standard-setting to private organizations known as Standard-Setting Bodies (SSBs); (ii) forces banks to oversee, and be responsible for, the security practices of third parties in receipt of covered data; and (iii) prohibits banks from collecting any fees from third parties in exchange for the newly mandated service.
Motivated by concerns that the CFPB, amid leadership changes and operational uncertainties, may not adequately defend this challenge to the 1033 Rule, the Financial Technology Association (FTA), an industry group representing fintechs and data aggregators, among others, sought to intervene in the suit on February 12, 2025. The FTA motion to intervene argued that the 1033 Rule promotes competition, innovation, and consumer choice in the financial services market, and that vacating it would directly affect its member companies. The court ultimately granted FTA’s motion to intervene following a stay of the proceedings at the request of the CFPB. FTA is currently working on its own motion for summary judgment and has indicated that “[a]s an intervening party in this lawsuit, FTA will continue to defend this right and work to uphold Americans’ financial freedoms.”
CFPB Motion for Summary Judgment
The CFPB’s Memorandum in Support of its MSJ (“Memorandum”) argues that the 1033 Rule exceeds the statutory authority granted in the Dodd-Frank Act by requiring banks and other data providers to share consumer data with third parties, and that the 1033 Rule is arbitrary and capricious and should be set aside under the Administrative Procedure Act (APA). The CFPB contends that Section 1033 of the Dodd-Frank Act is intended to ensure that consumers have access to their own information, not to regulate open banking by mandating data sharing with third parties. The agency also argues that the 1033 Rule unlawfully prohibits data providers from charging fees to offset burdens imposed by the rule, which the CFPB asserts is beyond its authority. The CFPB argues that Congress’s silence on fees does not form a firm foundation for the rule’s absolute fee prohibitions. While it is unclear how the court will rule on the MSJ, it is important for industry participants to game plan what may happen if the court vacates the 1033 Rule.
Next Steps for the CFPB
If the 1033 Rule is vacated, the CFPB will still have a statutory obligation to rewrite the 1033 Rule, albeit likely with a narrower scope. Given the breadth of the arguments made in the CFPB’s Memorandum, it is not clear whether the CFPB will try to create a rule that only governs direct consumer access (i.e., the data provider’s obligations to provide data directly to a consumer) or will expand the scope to cover consumer-permissioned third-party access (i.e., require data providers to provide consumer data to fintechs or third parties at the consumer’s direction). The CFPB Memorandum could be read to close the door on a future rule that touches on third-party access; however, a close read of the filing leaves open the possibility that the CFPB will engage in rulemaking that preserves some third-party access rights, but perhaps with secondary-use restrictions.
The Memorandum cites the statutory definition of “consumer,” which includes “an individual or an agent, trustee, or representative acting on behalf of an individual.” 12 U.S.C. § 5481(4). The CFPB takes a limited view of what an agent, trustee, or representative is, arguing that “representative” should be defined similarly to “agent” and “trustee,” which involve fiduciary relationships and duties of loyalty. This position seems to indicate that a representative could be a third party that is authorized under the rule to “just collect data on behalf of that individual consumer,” and not to “use it for the improvement of its own products to serve all of their customers as a collective whole.” It may follow that a rewritten 1033 Rule that acknowledges third-party access would limit third-party access to data usage that more directly benefits the interests of the individual consumer.
The Path Forward for Open Banking
Even if the rewritten 1033 Rule only mandates that data providers create digital portals for consumers to view their accounts or access their data, in our view, the third-party access/data aggregator model is here to stay. Prior to promulgation of the 1033 Rule, data providers and data aggregators—faced with security concerns regarding screen scraping—began negotiating and executing data access agreements to govern third-party access to consumer data. So even in absence of regulation, a patchwork of bilateral agreements emerged to govern the exchange of covered data between data providers and data aggregators (on behalf of third parties) through Application Programming Interfaces (APIs).
Given the maturity of this market, in our view, consumer demand for using third-party service providers is too significant to simply shut off the aggregation model. Instead, it seems more likely that the CFPB and courts would endeavor to avoid the adverse market impact that would result from cutting off third-party access.
Nonetheless, while the market awaits a new rule implementing Section 1033, vacating the existing 1033 Rule could affect bilateral negotiations among data providers and data aggregators, which underpin the current third-party access ecosystem, including with respect to applicable technical standards, secondary use rights, and the potential for access fees.
[View source.]
