The CFPB recently published an Advance Notice of Proposed Rulemaking (ANPR) to reconsider four key issues related to its “Personal Financial Data Rights” rules, which were finalized at the end of 2024 but have been mired in controversy ever since. So what exactly does this latest effort mean for the future of open banking regulations in the U.S.?
This article provides a brief background on the saga of the CFPB’s open banking rules and key takeaways from the ANPR on where open banking regulations in the U.S. are heading. For those seeking an in-depth assessment of the ANPR, a detailed summary of the questions posed and why they matter follows.
CFPB’s Open Banking Rules Saga: A Brief Background
After an eight-year rulemaking journey, the CFPB published its final Personal Financial Data Rights rules in the fall of 2024, pursuant to a directive in Section 1033 of the Dodd-Frank Act. The rule was one of former CFPB Director Rohit Chopra’s last achievements at the agency. Immediately after the rules were finalized, two banking trade associations filed suit to block them from taking effect, claiming the rules should be vacated for being both arbitrary and capricious and in excess of the agency’s statutory authority.
When leadership at the CFPB changed in early 2025, the agency became unwilling to defend the rule in court, so a FinTech trade association sought and was granted intervenor status in the litigation, essentially stepping into the shoes of the CFPB to defend the rule. The CFPB’s new leadership then filed a motion for summary judgment in the litigation, asking the court to vacate its own rules – agreeing with the banking trade associations that the rules are improper and should be completely vacated.
When the rules seemed destined for evisceration, some large banks stated publicly that they would begin imposing fees for third-party access to data – fees that the current 1033 rules expressly prohibit once their compliance dates arrive. This drew the ire of many FinTechs and non-bank financial services companies that rely on open banking to develop services, including crypto companies that use open banking tools to assist with fiat money movement. After these companies waged a short but seemingly effective advocacy campaign, the CFPB shifted its position again, asking the court to stay the litigation so it could conduct an accelerated rulemaking to modify the rules. (Read more about that decision here.)
The ANPR: Many Questions, Few Proposals
The ANPR does not actually include a “proposed rulemaking.” Instead, the ANPR poses a series of questions that are intended to inform the CFPB’s consideration of four issues related to the implementation of Section 1033 of the Dodd-Frank Act:
- Who can serve as a “representative” of a consumer when making a request for data;
- The optimal approach for data providers to assess fees that will defray their costs from responding to requests for data;
- The data security “threat picture” and “cost-benefit” considerations; and
- The data privacy “threat picture.”
CFPB’s Open Banking Approach: ANPR Takeaways and Clues
1) Lots of questions and no proposed changes – yet. The ANPR’s 36 questions provide insight into the areas of the rule the CFPB might change – the definition of a “representative” and scope of third parties that can access data, data providers’ recovery of fixed and variable costs involved, and information security and privacy risks and expectations. These are early days in drafting revised rules. The questions indicate that the agency is still learning and does not have steadfast views on the changes it will make.
2) Retreat from general opposition to third-party access rights. Just a few months ago, the CFPB stated in the 1033 litigation a general opposition to the use of 1033 “as a hook to establish a comprehensive open-banking regulation.” Indeed, this was a key reason the CFPB asked the court to vacate the entire rule. But the ANPR indicates that the revisions the CFPB now contemplates are on the margins rather than a comprehensive elimination of the rules.
3) Open banking issues – and the 1033 rules – aren’t going away. The ANPR indicates that the CFPB may refine who can qualify as an authorized third party, what data security requirements apply, what data use and disclosure limits are appropriate, and what costs can be recovered. But the ANPR doesn’t appear to be an effort to eliminate or even significantly revise the structure of the existing rule.
4) The items not addressed by the ANPR are most telling. The ANPR does not address several critical and controversial aspects of the final rule, including: the need for a “developer interface” (e.g., APIs) as a whole; the data elements to be disclosed; consumer disclosures and consent; third party access denials, risk management criteria, and the need for bilateral agreements; allocations of liability; and reliance on “Recognized Standard Setters” (e.g., FDX) to develop consensus standards. That said, the CFPB could still seek to change some or all of these components of the rule, and an NPRM (Notice of Proposed Rulemaking) would need to detail such changes and their rationale.
5) An “accelerated rulemaking” still takes a long time. Comments on the ANPR are due October 21, 2025. The CFPB will need time to ingest those comments before developing proposed revisions. The CFPB would then likely need to confer with small businesses prior to issuing the proposal, following the appropriate procedure under the Small Business Regulatory Enforcement Fairness Act (SBREFA). With those steps completed, the CFPB could propose a rule, provide 30 to 90 days for the public to comment, ingest those comments, and then issue a final rule. All of this takes time and resources. The last time around, the CFPB published its ANPR on Consumer Access to Financial Records in November 2020, and it took four years to publish its final rule, though the scope of issues here seems significantly narrower.
6) The pending 1033 litigation, and the potential for new litigation, will continue to cast a shadow. While the CFPB is conducting this accelerated rulemaking process, the 1033 litigation is still active. The CFPB promised to provide updates to the court every 90 days, and whether the court decides to weigh in on the sufficiency of the process remains to be seen. Given the polarized view of these rules by the banking and FinTech sectors, if either constituency objects to the substance of the CFPB’s revisions, additional litigation could ensue.
7) Companies should not wait for regulatory clarity to develop an open banking strategy. Open banking activity continues at an increased pace. Banks, FinTechs, and nearly all other financial institutions need a strategy to identify and manage the risks and capture the opportunities that open banking presents. Companies should develop their ideal approach and adjust to meet 1033 regulatory obligations as minimum compliance requirements rather than drivers of business decisions. Read more about no-regrets strategic actions that companies can take now here.
The Details: ANPR’s questions and what they mean in practice
Who can act on behalf of an individual consumer to access data?
The ANPR recites the statutory definition of a “consumer” in the Dodd-Frank Act as an “individual, agent, trustee, or representative acting on behalf of an individual,” but questions the scope of third parties that should be considered a “representative acting on behalf of an individual.”
This issue is at the center of the banking industry lawsuit, with the banks and the current CFPB claiming that these “representatives” are a narrow group of actors with “fiduciary-like” characteristics, comparable to those of an agent or trustee. Indeed, the CFPB’s own motion for summary judgment in the case says that the “best reading” of the statute is the Merriam-Webster definition of a “representative” as “someone who represents another as agent, deputy, substitute, or delegate usually being invested with the authority of the principal.”
The final rule discusses this issue in depth, explaining that an “authorized third party” captures a consumer’s agent, trustee, or representative; “has a duty to act for the principal’s benefit in its collection, use and retention of data”; and must limit its collection, use and retention of covered data “to what is reasonably necessary to provide the consumer’s requested product or service.”
The final rule also indicates that targeted advertising, cross-selling of other products or services, and data sales are not typically “reasonably necessary” to deliver a product or service, and thus would require explicit consumer consent. It also addressed comments claiming that “only a narrow class of certain fiduciaries should be recognized as authorized third parties” and rejected that approach, concluding that a person meeting the conditions set forth, including that the authorized third party “act on behalf of the consumer,” should be entitled to access.
Notwithstanding this history, the ANPR asks for comments on the “plain meaning” and “best reading” of the term “representative.” It seeks feedback on comparable federal laws and financial services practices where third parties act on behalf of consumers, and whether “fiduciary” obligations ought to be required of third parties.
The ANPR also asks about the consequences that would arise if the term “representative” were narrowed to include only fiduciaries, including whether it would limit consumers’ ability to transfer their transaction data or FinTechs’ ability to compete with incumbent financial institutions, and what elements would be required to show that a “representative” is in fact acting on behalf of a consumer if the term is not limited to fiduciaries.
What it means: Some “authorized third parties” are likely to remain, with or without fiduciary status, meaning that the general structure and the vast majority of the rule’s requirements for data providers to make data available are also likely to remain. If the scope of a “representative” is narrowed to include only third parties with a “fiduciary” obligation to the consumer on whose behalf data is collected, revised rules could place further limitations on how the third party can achieve that status and then collect, use and retain data. For example, an authorized third party’s use of data to improve its own products or services could be prohibited.
What costs exist and how should they be allocated?
The ANPR seeks comments and data on “whether costs, benefits, or market forces might justify modifying” the prohibition on data providers’ charging fees for access to data. It asks whether the final rule correctly concluded that such fees would “obstruct the data access right that Congress contemplated.”
The CFPB appears to acknowledge complaints that data providers absorb a significant amount of costs in supporting the open banking ecosystem, requesting data on both the “fixed costs” and “marginal costs” of responding to requests for data, including costs to confirm whether a third party “has actually been authorized by the consumer to act on their behalf.” Lastly, the ANPR asks whether data providers should “be able to recover a reasonable rate for offsetting the cost of enabling consumers to exercise their rights” under Section 1033, whether a “cap on the upper bounds of such rates” might be appropriate, and when consumers should bear any of these costs.
What it means: The emphasis on identifying data providers’ costs, and ways to recoup those costs, indicates that the CFPB is likely amenable to revising the prohibition on data provider fees. However, regulatory efforts to set prices in the U.S. have historically been difficult to execute. For example, the CFPB’s effort to cap credit card late fees and the Federal Reserve’s debit interchange fee cap have resulted in litigation and debatable consumer benefits. The CFPB is in an unenviable position, as almost any revised approach to data provider fees is likely to anger one constituency or another and risks triggering additional litigation.
On the other hand, some foreign jurisdictions have developed approaches to enable compensation for financial data access. The European Union’s framework for Financial Data Access permits data sharing schemes with “reasonable compensation” for data providers, requiring fees to be: directly related to making data available and attributable to the request; based on an objective, transparent and non-discriminatory methodology; based on comprehensive market data on the costs to be considered; periodically reviewed and monitored to consider technological progress; devised towards the lowest levels possible; and capped for small businesses. The CFPB would be wise to consider the approaches that have been developed and tested around the globe as it devises a new approach here in the U.S.
What additional information security concerns should be considered?
Pointing to past high-profile data breaches, the ANPR notes how data security risks underscore the need to ensure that data security safeguards are in place. It outlines several information security provisions in the final rule – including discouraging the use of screen scraping, requiring adherence to Gramm-Leach-Bliley Act information security standards, and permitting data providers to deny access when third parties fail to meet those standards – before asking whether those security protections are adequate, and whether data security expectations might differ for third parties that are fiduciaries versus those who are not. The ANPR also asks if different information security standards should be followed, and who would be in the best position to evaluate adherence to those standards.
Regarding screen scraping, the ANPR asks for information regarding the costs and benefits of the rule’s approach, which prohibits data providers from relying on screen scraping to make data available and discourages, but does not ban, screen scraping by third parties. It also asks for information about alternatives.
Additional information security questions focus on a variety of costs, including the fixed costs to develop information security architecture and whether “the market is providing reasonably priced solutions” for smaller data providers to make data available.
A few inquiries veer beyond areas ordinarily within the CFPB’s purview, including requests for information regarding the general cost of large-scale data breaches, the working capital reserves needed to respond to such breaches, and how safety and soundness standards, Bank Secrecy Act (BSA), and Anti-Money Laundering (AML) obligations impact data providers’ risk management considerations.
What it means: The scrutiny of applicable information security standards indicates that the CFPB may consider additional, enhanced information security requirements for data providers and third parties. Data regarding the cost of information security breaches could be factored into the agency’s consideration of costs and fees to be imposed by data providers on recipients of data discussed above. Information regarding impacts on safety and soundness, BSA and AML obligations could be helpful as the CFPB considers when data access denials are appropriate. And to the extent the CFPB coordinates with prudential regulators on these issues, it could encourage additional guidance from the prudential regulators on the impact of open banking data sharing.
What additional privacy considerations should be considered?
The ANPR asks whether the final rule adequately protects consumer privacy. It identifies several privacy concerns with unauthorized access to and disclosure of sensitive financial information, focusing on the “unwitting licensing or sale” of such data as a “major privacy threat.” More specifically, the ANPR seeks information regarding the prevalence of: licensing and sales of consumer financial data; licensing and sales of such data as part of standard terms and conditions, and when consumers are given opt-out rights; and licensing and sales of such data by companies with a fiduciary duty to their clients. Lastly, it seeks estimates of the number of consumers that “read and/or understand user agreements and privacy notices in their entirety.”
What it means: The ANPR’s focus on the sale and licensing of data is curious, given that the final rule already includes significant constraints on such activity. For example, Section 1033.421(a)(2) states that “the sale of covered data” is “not part of, or reasonably necessary to provide, any other product or service.” A meaningful exception discussed in the preamble of the rule indicates that the sale of covered data would be permitted if the consumer expressly consents to that use as part of a “standalone product or service.” The questions here indicate that this exception could be narrowed, such that downstream licensing or sale of data by a recipient would be prohibited in all cases, even if the consumer were to provide consent, given the apparent skepticism as to whether consumers read and understand terms and conditions and privacy notices.
Forthcoming rule to delay compliance dates
The ANPR also includes a statement that the CFPB intends to issue a Notice of Proposed Rulemaking (NPRM) to extend the final rule’s compliance deadlines, which require the largest data providers to comply with the current rules by June 30, 2026. The agency also seeks comments and data on the appropriateness of the existing compliance dates, including whether entities have “encountered unexpected difficulties or costs” in implementing the rule and how much time entities of various sizes might need to comply with revised rules.
What it means: An NPRM to delay the compliance dates could be handled separately from and on a faster track than substantive revisions to the 1033 rules. But the CFPB will need to move quickly and precisely to provide data providers with regulatory certainty.
Moreover, revised compliance dates are closely linked to the scope of the substantive revisions contemplated by this ANPR. If the revisions are minor, then there would need to be some other justification to delay compliance, e.g., unexpected operational complexity. If the revisions are significant, then compliance could be expected to be delayed until sometime after the revised rules are finalized.
The ongoing 1033 litigation further complicates the matter. The plaintiffs asked the court to lift the currently issued stay precisely because the compliance deadlines – and the substance of the existing rule – remain in effect. They complain that data providers are left in the untenable situation of having a fast-approaching June 30, 2026 compliance deadline while simultaneously expecting the CFPB to issue substantial revisions to the rule, creating the unfortunate position of having to expend resources to comply with a rule that is likely to change.