On Reconsideration: CFPB Issues Another ANPR on the Open Banking Rule

Morrison & Foerster LLP

Setting the Stage

All signs had pointed to the Consumer Financial Protection Bureau (CFPB or “Bureau”) rolling back the open banking final rule implementing Section 1033 of the Dodd-Frank Act (12 U.S.C. § 5533) (“PFDR Rule”) promulgated by the Biden administration. In May, the CFPB filed a motion for summary judgment (MSJ) in the banking trades’ case challenging the PFDR Rule (Forcht Bank, N.A., et al. v. Consumer Financial Protection Bureau, et al. or the “Forcht Bank litigation”), asking the Court to vacate the PFDR Rule and detailing perceived legal and procedural insufficiencies of the PFDR Rule. However, on July 29, 2025, the CFPB pivoted and filed a motion to stay the Forcht Bank litigation, indicating that the CFPB would initiate a new “accelerated rulemaking process” to reconsider and substantially revise the PFDR Rule.

This about-face may have been driven, at least in part, by the policy efforts of data aggregators and fintech industry groups, who mobilized in response to announcements from certain banks indicating their intent to impose substantial fees for access to consumer data in the absence of the PFDR Rule. True to its commitment in the July motion, the CFPB took its initial step in that accelerated rulemaking process, publishing an Advance Notice of Proposed Rulemaking (ANPR) on August 22, 2025, seeking input to inform its revisions to the PFDR Rule. Comments must be received within 60 days of publication of the ANPR in the Federal Register, or by October 21, 2025.

As further discussed below, the ANPR is specifically focused on select issues in the Forcht Bank litigation, including (i) who can access consumer data, (ii) fees for accessing data under the PFDR Rule, and (iii) information security and privacy concerns.

I. Scope of Who May Make a Request on Behalf of a Consumer

The Section 1033 statutory text allows consumers and their “agents, trustees, or representatives” to request data. The PFDR Rule as promulgated interprets “representative” broadly to include third parties authorized by consumers and does not limit the definition to fiduciaries.

The scope of this term and its interpretation will play a significant role in the future open banking and agentic payments landscapes. Bank industry groups have advocated for a more limited interpretation, which could exclude data aggregators or other third-party service providers (e.g., fintechs) that receive data through bank APIs to power consumer-requested services.

The ANPR seeks input on:

  • The plain meaning and best statutory interpretation of “representative”;
  • Whether representatives must have fiduciary duties;
  • What the impacts are likely to be on consumer data portability and competition with the data provider if access is provided to the third party; and
  • Any existing legal precedents and market practices.

II. Defrayment of Costs in Exercising Rights Under Section 1033

While the statutory language is silent on cost-sharing, the PFDR Rule as promulgated prohibits banks from charging fees for consumer or authorized third-party data access. There has been significant debate over this prohibition, and the CFPB’s MSJ in the Forcht Bank litigation indicated that the CFPB erred in not considering a “reasonable fee.”

As noted above, while the implementation of the PFDR Rule’s fee prohibition was stayed during the Forcht Bank litigation, it has been reported that some banks have taken action to charge fees to data aggregators or fintechs in the bilateral agreements governing the banks’ provision of consumer data. This development has prompted concern from data aggregators and fintech industry groups and appears to have factored into the CFPB’s decision to reconsider the PFDR Rule.

As it relates to fees, the ANPR requests input on:

  • Whether the PFDR Rule’s prohibition on fees is the best statutory reading;
  • Reasonable estimates of fixed and marginal costs for compliance;
  • Cost impacts of verifying third-party authorization;
  • Legal precedent for agency authority to set cost-sharing;
  • Whether covered persons should recover costs, and if so, whether caps should apply; and
  • Whether costs should be shared by all consumers or only those exercising data request rights.

III. Information Security and Privacy Concerns

The ANPR acknowledges the risk of breaches and malicious access, as well as the importance of ensuring consumer privacy, and highlights the provisions of the PFDR Rule that are meant to protect the security of data (e.g., requiring adherence to GLBA standards and permitting providers to deny access for security reasons) and consumer privacy (e.g., informed consent to access and data use limitations).

The ANPR requests input on:

  • The adequacy of the PFDR Rule’s data security protections;
  • Cost estimates for secure data architecture and large-scale breaches;
  • How the PFDR Rule interacts with other legal obligations (e.g., BSA, AML, safety and soundness); and
  • Screen-scraping risks and alternatives to such methods.

The CFPB’s questions regarding consumer privacy center on the adequacy of the PFDR Rule’s privacy protections, the prevalence of the licensure/sale of consumer data, and consumer awareness of and engagement with privacy notices and agreements.

Compliance Dates

The PFDR Rule initially established compliance dates for data providers based on entity size, but these compliance dates have been delayed by court order, with the first compliance date currently set for June 30, 2026. As part of its reconsideration of the PFDR Rule, the CFPB indicated its intent to issue an additional Notice of Proposed Rulemaking to extend the compliance dates and seek comments on the appropriateness of the current timeline and potential extensions. The ANPR specifically requests feedback regarding any unexpected difficulties or costs entities have encountered in implementing the PFDR Rule, the time needed to comply with a revised rule (particularly if substantial revisions are made), and how implementation time should vary based on the size of the entity.

Thoughts and Next Steps

As expected, the ANPR is focused on select issues from the Forcht Bank litigation, including the impact and appropriateness of fees and the data privacy and security aspects. These issues have been hotly debated and are central to the Forcht Bank litigation challenging the PFDR Rule.

That said, other key issues are not expressly addressed in the ANPR, including questions regarding third-party and data aggregator secondary use of consumer data. While the first issue regarding the interpretation of “agents, trustees, or representatives” raises questions of whether access can be granted at all to third parties, the ANPR does not focus on how such third parties can use permissioned data thereafter. Additionally, the lack of any direct questions regarding standard-setting bodies and how standards will be set under a new PFDR Rule is notable, notwithstanding that those issues featured prominently in the Forcht Bank litigation. As a result, it is unclear that the CFPB’s accelerated rulemaking will address all of the key issues raised in the Forcht Bank litigation.

Moving forward, we expect industry groups and stakeholders to move quickly to submit comments to the CFPB, given the accelerated ANPR process. Following the comment period, we expect that the CFPB will review comments quickly and move to the next stages of the rulemaking process, including by issuing the anticipated NPRM on compliance dates.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.
