The first step in the future of open banking under the Dodd-Frank Wall Street Reform and Consumer Protection Act ("Dodd-Frank" or the "Act") is here: in a notice posted August 22, 2025 (the "Notice"), the Consumer Financial Protection Bureau ("CFPB") invited comments on its open banking rule, through which the CFPB implements the requirements of Section 1033 of the Act. The CFPB intends to move quickly and intentionally, as the Notice provides for a 60-day comment period and focuses its feedback requests on four specific areas ranging from who should pay for the costs of consumer requests to data privacy. In short, the CFPB is seeking stakeholder input to ensure that convenient and meaningful access to customer data is balanced with financial burdens and the challenges of limiting improper exposure of data in an "open banking" environment.
What You Need to Know:
- The CFPB has opened a 60-day comment period for stakeholders to provide input on a new open banking rule that will implement Section 1033's requirement that consumer financial services providers make consumer information in their control or possession available to consumers.
- The prior Section 1033 rule, issued under President Biden in late 2024, was criticized harshly by industry groups. Several groups sued, alleging the CFPB exceeded its statutory authority. Following President Trump's election, the CFPB stated it was withdrawing the rule, then announced it would write a replacement rule.
- The new advance notice of proposed rulemaking seeks comments in four key areas: (1) the scope of who may make a request on a consumer's behalf; (2) how to defray costs associated with requests; (3) ensuring information security; and (4) protecting the privacy of data.
In November 2024, the CFPB published the Personal Financial Data Rights final rule ("PFDR Rule") requiring financial institutions to provide information about transactions, costs, charges, and usage to consumers upon request. Two trade associations and a bank sued the CFPB seeking to enjoin the rule in Forcht Bank, N.A. v. CFPB, No. 5:24-cv-00304 (E.D. Ky. 2024). The court stayed the case on July 29, 2025, after the CFPB announced it was seeking to "comprehensively reexamine this matter alongside stakeholders and the broader public to come up with a well-reasoned approach . . . that aligns with the policy preferences of new leadership" under the Trump Administration. Notice, at 4.
According to the CFPB, its intent for the new rule is to fill in the gaps in the statutory text of Section 1033, which it called "quite sparse." In particular, the CFPB lamented the statute's failure to adequately address:
a) precisely who may act on behalf of the consumer;
b) how the costs of effectuating such rights may be defrayed by the "covered person" providing the data;
c) the potential risks to consumers who make information requests from bad actors seeking unauthorized data access;
d) the potential negative consequences to the consumer in exercising Section 1033 rights where requested data contains information that the consumer may not want disclosed, but does not fully understand or realize may be disclosed by the third party through which it has made a request; and
e) the potential benefits to consumers or competition of facilitating the consumer-authorized transfer of data to financial technology companies, application developers, and other third parties.
Notice, at 3. In order to create an open banking rule that clarifies these key areas, the CFPB's Notice seeks comments from the public in four categories. How stakeholders respond to these questions and to what extent the CFPB will incorporate that input remains to be seen, but the CFPB's primary concerns are identified below.
1. Scope of Who May Make a Request on Behalf of a Consumer
The first question arises from Section 1033's definition of "consumer," which states the term means an individual or an agent, trustee, or representative acting on behalf of an individual. 12 U.S.C. § 5481(4). The Notice largely focuses on the term "representative," seeking input as to whether representatives are limited to only those serving in a fiduciary capacity (in light of the duties typically expected of agents and trustees), and the impacts, positive and negative, of limiting the term in that manner. In addition, the CFPB seeks comment on what elements would qualify one as a "representative" of a consumer if the definition is not limited to those with fiduciary duties. Beyond how the definition might limit or increase access to information by consumers, the CFPB is also considering the impact on financial services providers, including in the FinTech sphere, as the Notice solicits viewpoints on how the scope of who is considered a "representative" might "limit . . . the ability of financial technology and other third-party service providers to compete with incumbent market participants." The CFPB appears concerned with striking a balance between access to information and expanding the competitive landscape with assurances that those accessing a consumer's data on their behalf will act in the consumer's best interest.
2. Defrayment of Costs in Exercising Rights Under Section 1033
The second question is one likely to draw considerable feedback from banks and industry groups. The PFDR Rule finalized provisions prohibiting data providers from imposing any fees on a consumer or an authorized third party in connection with establishing or maintaining required consumer and developer interfaces, receiving requests, or making covered data available in response to requests. But as the CFPB points out, Section 1033 is "silent on the question of how the burden of consumers' exercise of the rights it creates should be shared between the consumer and the 'covered person.'" Notice, at 6. Thus, the CFPB is asking the public how to best deal with that silence and "whether costs, benefits, or market forces might justify modifying the PFDR Rule's provisions." Id., at 7. The CFPB's request for information is heavily data-focused, seeking ranges of estimates for costs to financial institutions in complying with the PFDR Rule provisions' operational requirements.
Commentary from the consumers' perspective is also requested, as the Notice questions whether "permitting fees 'would obstruct the data access right that Congress contemplated,'" as the PFDR Rule concluded. Id. In what will likely inspire many contributions, the CFPB also asks how, if consumers can be required to bear some of the Section 1033 compliance costs, the cost should be borne among consumers. This is an important issue of balance. Spreading the costs among all consumers will reduce individual financial outlay and theoretically promote data access. However, allocating costs in this manner may discourage consumers who wish to exercise their rights from doing so, or frustrate consumers who have no desire to exercise their rights and don't want to pay for others' requests. Alternatively, limiting the scope of who pays fees would result in increased individual costs and could lead some consumers to avoid exercising their rights altogether. The Notice also asks whether financial institutions should be able to recover a reasonable rate to offset the costs of Section 1033 compliance and if so, whether a cap should be established. These are important questions, as some may assert that charging customers burdensome fees would be antithetical to a consumer protection regulation, while others assert the compliance costs will be too significant in the absence of a reimbursement mechanism.
3. Information Security Concerns in the Exercise of Section 1033 Rights
The CFPB notes that information security is paramount due to multiple types of covered persons retaining and transmitting consumer financial data and the ever-increasing number of data breaches. While noting the PFDR Rule's information security provisions, the CFPB states it is now seeking comments and data generally on the threat and cost-benefit of securing consumer financial data both in storage and in transit by consumers, including any information security developments that might justify modifying the PFDR Rule's provisions." Notice, at 9. In particular, the CFPB's Notice seeks information on the costs of establishing information security architecture, how the costs relate to the number of consumers served by an institution, and whether "the market [is] providing reasonably priced solutions to meet the provisions of the PFDR Rule for covered persons with few customers." Id. The information security concerns raised by the CFPB also relate back to its initial question about the definition of "representative," as the CFPB seeks input as to the ways in which "the existence or non-existence of a fiduciary relationship affect the incentives in doing cost-benefit analysis regarding the level of information security established." Id. Notably, the CFPB's considerations about the cost-benefit analysis of information security measures focus on the costs to institutions, and do not seek information regarding the costs or harms to individual consumers with respect to data breaches.
4. Privacy Concerns in the Exercise of Section 1033 Rights
Given the amount of information that can be gleaned from transactions and other financial data, data privacy is a primary concern for consumers. While the privacy of consumer data can be compromised in many ways, the CFPB states its Notice is focused on gaining information regarding "threats to data privacy as a result of unwitting licensing or sale of sensitive personal financial information, and on any modifications to the PFDR Rule's provisions," which required third parties to secure express informed consent to access covered data, prescribed what a third party must disclose to a consumer, and limited a third party's collection, use, and disclosure of covered data. Notice, at 11. Here, the CFPB again seeks raw data as well as opinions on appropriate measures, particularly with respect to opt-in setups for data sharing. For example, the Notice asks both how prevalent licensure or sale of consumer financial data by bank and non-bank financial institutions is and what "estimates exist on the percentage of financial service platform users who actually read and/or understand user agreements and privacy notices in their entirety." Id. at 12. The aim appears to be to craft a rule that adequately balances data privacy, ease of authorized access to information, consumer consent, and cost of implementing security measures. Given the prevalence of large-scale data breaches, this topic will also likely draw considerable commentary from the industry and privacy advocates.
Conclusion
Although the CFPB managed to boil down its major concerns for the new rule into just four questions, the considerations are complex and impactful. Areas such as access, cost, information security, and data privacy raise weighty concerns for consumers and the industry alike, so the CFPB will have to carefully consider the feedback it receives. Given the accelerated rulemaking process, stakeholders will have to organize their thoughts and consider potential consequences quickly as the CFPB seeks to close the loop on open questions regarding open banking under the Act.