The Consumer Financial Protection Bureau (CFPB) published an Advance Notice of Public Rulemaking on August 22, 2025, reopening the rulemaking process for Section 1033 of the Dodd-Frank Act, which deals with how consumers can access and share their personal financial data. This move comes after a court put the previous version of the rule on hold (Forcht Bank, NA v. Consumer Financial Protection Bureau 5:24-cv-00304, (E.D. Ky.) Date Filed: Oct. 22, 2024) and new CFPB leadership signaled a shift in approach. The CFPB is now asking for public feedback on several key issues, with comments due by October 21, 2025, and the CFPB also plans to extend the current compliance deadlines, which were set to begin in mid-2026.
Key issues under review
1. Who can access consumer data on a customer’s behalf?
The CFPB is reconsidering who should be allowed to access consumer financial data as a “representative.” The previous rule allowed a wide range of third parties, including fintech companies, to access data with consumer permission. Now, the CFPB is asking whether this should be limited to those with a legal duty to act in the consumer’s best interest (like agents or trustees), or if it should remain open to non-fiduciary third parties. The decision here will impact how easily consumers can use new financial apps and services.
2. Who pays for data access?
The CFPB is reviewing whether financial institutions should be allowed to charge fees for providing data to consumers or their authorized third parties. The earlier rule generally banned such fees, but the law itself is silent on this point. The CFPB is now seeking input on whether reasonable fees should be allowed, if there should be limits on those fees, and how costs differ for large versus small institutions. This is especially important for community banks and smaller providers, who are concerned about the costs of building and maintaining secure data-sharing systems.
3. Data security and privacy
With more data being shared electronically, the risks of breaches and fraud are rising. The CFPB is evaluating whether current security requirements – such as those based on the Gramm-Leach-Bliley Act and restrictions on less secure practices like screen scraping – are strong enough. The CFPB wants to know if additional safeguards are needed to protect consumer data and ensure only authorized parties have access. Privacy is also a major concern, especially around the potential for third parties to sell or misuse sensitive financial information. The CFPB is asking for feedback on how common these practices are and whether current consent and disclosure requirements are effective.
4. Compliance timelines
The original rule set phased deadlines for compliance, with the largest institutions required to comply by April 2026 and the smallest by April 2030. Given the ongoing legal challenges and expected changes to the rule, the CFPB plans to extend these deadlines. The CFPB is seeking input on the challenges institutions have faced so far and how much additional time will be needed to comply with a revised rule.
Key takeaways
The CFPB’s new approach addresses many industry concerns about cost, security, and operational burden, while still aiming to give consumers more control over their financial data. The outcome will affect banks, fintechs, and any business involved in handling consumer financial information. Industry participants are encouraged to closely monitor this process and consider submitting comments and preparing for potential changes in compliance requirements, data-sharing practices, and customer consent protocols. The final rule will be instrumental in shaping the future of open banking and data rights in the US financial sector.
[View source.]
