CFPB invites comments on new Section 1033 ‘open banking’ rule

Ballard Spahr LLP

As promised, the CFPB is issuing an Advance Notice of Proposed Rulemaking soliciting comments on the agency’s open banking rule.

In the notice, scheduled to be published in the Federal Register on August 22, 2025, the CFPB lists four areas it wants addressed and then provides a list of questions that commenters might answer.

Those four areas are:

  • The proper understanding of who may serve as a “representative” of the consumer.
  • The “optimal” approach to the assessment of fees to defray the costs incurred by a “covered person” in responding to a request from a customer.
  • The threat and cost-benefit pictures for data security associated with compliance with Section 1033—the section of Dodd-Frank that requires so-called “open banking.”
  • The threat of data privacy issues associated with Section 1033 compliance.

Comments are due 60 days after the publication in the Federal Register.

When the Section 1033 final rule was issued on October 22, 2024—during the Biden Administration—it was immediately met with criticism from industry groups. Forcht Bank, the Bank Policy Institute and the Kentucky Bankers Association filed a lawsuit the day the Rule was released, seeking injunctive relief, alleging that the CFPB exceeded its statutory authority.

The Trump Administration agreed and said it was simply withdrawing the Rule. However, more recently, the administration said it would write a new rule through an expedited process and that it intends to issue a Notice of Proposed Rulemaking soon.

This Advance Notice of Proposed Rulemaking initiates that process.

The CFPB said, “The statutory text of section 1033 of Dodd-Frank provides that, subject to rules issued by the CFPB, consumers shall have access to requested information in the control or possession of financial entities relating to the products or services obtained from those financial entities.”

However, the CFPB further stated that Section 1033 is “quite sparse and does not specifically address several important questions that arise from the rights it creates.”

For instance, section 1033 does not specify who may act on the consumer’s behalf, nor does it address the costs associated with providing the requested information, according to the CFPB. It also does not address “the potential negative consequences to the consumer of exercising this right in an environment where there are tens of thousands of malign actors regularly seeking to compromise data sources and transmissions,” the CFPB said.

Section 1033 also is silent about the potential negative consequences to a consumer of exercising the right when the data may contain information the consumer might not want disclosed and the consumer may not realize that the third party through which the request was made might disclose that data, according to the CFPB.

“A consumer’s financial transactions reveal an enormous amount of information about their habits and lifestyle,” the CFPB said. “Even for those who are comfortable with the existence of an extensive digital record that can often accurately be used to predict their behavior, there is certain information that [a] few individuals may not want revealed to everyone and anyone, sometimes even those closest to them.”

Finally, the CFPB said the law does not address “the potential benefits to consumers or competition of facilitating the consumer-authorized transfer of data to financial technology companies, application developers, and other third parties.”

The CFPB is seeking comments on the threats to data privacy as a result of the licensing or sale of sensitive financial information.

The CFPB also said it plans to issue a Notice of Proposed Rulemaking to extend the current rule’s compliance dates and is seeking comments on the appropriateness of the compliance dates.

The Section 1033 rule finalized under the Biden Administration is scheduled to go into effect on June 30, 2026. Forcht Bank and banking trade groups that sued, challenging that rule, said the CFPB will not be able to finalize a new rule by that date. As a result, they contend that financial institutions must prepare for the implementation of the Biden Administration’s rule. Consequently, they asked U.S. District Judge Danny C. Reeves of the Eastern District of Kentucky to issue a stay further delaying the effective dates.

Banking trade groups said they welcome the opportunity to comment on a possible new proposal.

“The Bureau’s decision to reopen this rulemaking process is a welcome step toward restoring accountability, consumer protection, and the rule of law,” Lindsey Johnson, President and CEO of the Consumer Bankers Association, said. “The prior Administration’s rule stretched far beyond what Congress intended in Section 1033, mandating broad data sharing that created real risks of fraud, breaches, and consumer harm.”

Rebecca Romero Rainey, President and CEO of the Independent Community Bankers of America, said she hopes that any new rule contains the provisions of the old rule “exempting small community banks from the requirement to create and maintain a third-party developer interface, allow banks to charge reasonable fees for third parties to access bank customers’ data, and enhance bureau oversight of third-party data privacy protections. The nation’s community banks should not be required to bear the costs of establishing and maintaining developer portals to allow third-party companies to access consumer data.”

She said the ICBA hopes that the CFPB focuses on promoting data security at third-party entities. “Enhancing data security and oversight at these third-party entities will help ensure community banks are not faced with the impossible task of vetting the security protocols of potentially thousands of fintech companies seeking to access their customers’ data,” she added. 

“Stakeholders from every part of the data sharing chain have significant concerns with the current rule, and we look forward to engaging with the new leadership at the CFPB to address critical issues important to consumers including the need for a robust liability regime for resolving unauthorized activity or data breaches; preserving data providers’ ability to safeguard data; ending once and for all the dangerous practice of screen scraping that puts consumer personal information at greater risk; the government-mandated subsidization of other companies’ business models; and how long covered entities will have to come into compliance with the regulatory requirements,” said Rob Nichols, President/CEO of the American Bankers Association.

He added that ABA members also hope the new Personal Financial Data Rights Rule will retain the positive aspects of the existing regulation, such as the role of industry standard setting for data formats and strong privacy protections to prevent the unwitting sale of consumers’ sensitive personal financial information by data aggregators.

We will continue to monitor the issuance of any stay of the compliance dates in the litigation and the CFPB’s new rulemaking proceeding.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Ballard Spahr LLP
