Go-To Guide:
  • The Consumer Financial Protection Bureau (CFPB) issued an advance notice of proposed rulemaking (ANPR), soliciting public comment to reconsider the implementation of Section 1033 (Open Banking Rule), which may signal potential shifts in regulatory expectations for consumer-authorized data sharing.
  • The CFPB intends to revisit the Personal Financial Data Rights Rule, which initially empowered consumers to demand transaction data from card issuers, account-holding institutions, and select payment processors, potentially altering the scope and enforcement framework of these rights.
  • The ANPR focuses on four primary areas: (1) defining who may act as a consumer-authorized recipient of financial data; (2) allocating the costs of data access; (3) managing information security risks; and (4) safeguarding consumer privacy. The industry should note that these focal points may presage additional modifications beyond the four areas explicitly listed.
  • The CFPB will accept public comments through Oct. 21, 2025.

Various stakeholders, including financial institutions and technology companies, are involved in developing open banking frameworks and the technical standards for financial data sharing. These developments may enable new insights, products, and services based on a more comprehensive view of consumers’ financial information. The Dodd-Frank Act sought to give consumers an active role in open banking by requiring financial institutions to share consumer financial data at the consumer’s request, subject to CFPB rulemaking (the Open Banking Rule). Former CFPB Director Kathy Kraninger launched a rulemaking process in 2016 to implement a long-dormant provision of the Dodd-Frank Act, resulting in the 2024 Final Rule. Now, the CFPB is seeking comment on whether to revisit and potentially reshape the 2024 Final Rule based on the evidence it collects and its new policy priorities.1

The 2024 Final Rule

The 2024 Final Rule implemented Section 1033 of Title X of the Dodd-Frank Act.2 Section 1033 provides that:

Subject to rules prescribed by the Bureau, a covered person shall make available to a consumer, upon request, information in the control or possession of the covered person concerning the consumer financial product or service that the consumer obtained from such covered person, including information relating to any transaction, series of transactions, or to the account including costs, charges and usage data. The information shall be made available in an electronic form usable by consumers.3 

The 2024 Final Rule did not implement this right across all consumer financial products and services. Instead, the 2024 Final Rule applies to a narrower scope of entities and products:

  • Coverage is limited to: (1) a “financial institution” that provides an “account” as defined in Regulation E; (2) a “credit card issuer” that provides a “credit card” as defined in Regulation Z; and (3) anyone else engaged in the “facilitation of payments from a Regulation E account or Regulation Z credit card, excluding products or services that merely facilitate first party payments,” meaning transfers initiated by a loan servicer, a payee, or an agent of the payee.4 However, depository institutions with $850 million in assets or less are exempt.5
  • Covered persons may not charge any fee to anyone for consumer-authorized access to covered data from covered persons.6
  • The 2024 Final Rule incorporates the information security standards from GLBA § 501. For most nonbank financial services companies, this means the FTC’s Safeguards Rule.7
  • The 2024 Final Rule creates an “authorized third party” category, allowing third parties to submit data access requests on a consumer’s behalf, based on Dodd-Frank’s definition of “consumer” to include a representative.8
  • The 2024 Final Rule limits such third-party authorizations. Consent is capped at one year; use of consumer data must be limited to what is reasonably necessary for the consumer’s requested product or service; and separate express consent is required for targeted advertising, cross-selling, or data resale.

The 2024 Final Rule set compliance dates ranging from April 1, 2026, for the largest institutions to April 1, 2030, for the smallest institutions. The ANPR states that the CFPB intends to issue a proposed rule extending these compliance dates and also requests comment on the amount of time industry would need to come into compliance.

Questions for Comment

The ANPR lists 34 questions on which the CFPB is seeking comments and data, organized under four major headings:

  • Who qualifies as a “representative” of a “consumer” and may therefore act as an authorized third party requesting a consumer’s financial data. The CFPB is considering whether “representative” should be limited to persons with a fiduciary duty, which might narrow the scope of who may access consumer data. Even under the broader definition of the 2024 Final Rule, questions remain about how covered persons may reliably confirm that a third party has valid consumer authorization.
  • How to allocate the costs of providing consumer financial data at consumers’ request. Section 1033 is silent on cost allocation, and the CFPB is seeking data on fixed and marginal compliance costs, including security investments, interface development, and recordkeeping. The questions explore:

– Whether to cap fees, and if any fee should be limited to cost recovery;

– How costs should be divided among consumers, third parties, and covered persons; and

– Whether non-requesting consumers should bear costs indirectly, or whether fees should only apply to those opting in, potentially signaling a consumer-choice model for fee imposition.

  • How the rule should account for the information security threat environment. Given repeated major breaches, the CFPB highlights the potential risks of even small failures in security protocols. It seeks comment on:

– Which standards should govern and who should enforce them;

– Whether fiduciary status affects the level of security provided;

– The costs of achieving robust protection versus the costs of breaches;

– How to address screen scraping; and

– How these issues intersect with BSA/AML obligations.

  • How to ensure consumers understand what they are authorizing so they have a say in their data privacy. The CFPB appears focused on making sure consumers do not unknowingly consent to broad or ongoing data sharing, including the resale or licensing of sensitive financial data. It seeks input on how to present authorization terms clearly enough for consumers to make informed choices about their privacy and data use.

Although the ANPR also references “the potential benefits to consumers or competition of facilitating the consumer-authorized transfer of data to financial technology companies, application developers, and other third parties,” it does not pose any specific questions on this theme. This may suggest that the subject matter of these questions is driven more by the additional evidence the CFPB seeks in order to further develop the Open Banking Rule than by a decision to make changes to the 2024 Final Rule in these areas.

Finally, the ANPR makes no mention of standard-setting bodies. Section 1033 directed the CFPB to issue rules setting standards for the transmission of consumer financial data in response to access requests.9 The CFPB issued a final rule establishing the substance and procedure by which the CFPB can approve companies to set these standards, which it later incorporated into the 2024 Final Rule.10 It is therefore unclear whether the CFPB will make changes to the standard-setting process.

Key Takeaways

The CFPB has begun a rulemaking process to reconsider the Open Banking Rule, announcing its intent to extend the compliance deadlines established under the 2024 Final Rule. The CFPB’s questions place particular emphasis on four topics: (1) who can properly request the consumer’s financial data under the Open Banking Rule, (2) how to allocate the costs of access requests, (3) how to secure consumer financial data, and (4) how to respect consumers’ privacy. These questions seem to highlight the CFPB’s focus on defining boundaries for consent, cost allocation, and data security, signaling potential refinements to the Open Banking Rule that may materially affect both large institutions and fintech entrants.

Stakeholders should consider taking the opportunity to comment, to help influence the potential impact of any changes on their compliance obligations, as well as the possible strategic implications of how the resulting access rights and security standards may shape competition and consumer trust. The public has until Oct. 21, 2025, to submit comments.


1 Personal Financial Data Rights Reconsideration, 90 Fed. Reg. 40986 (Aug. 22, 2025).

2 Required Rulemaking on Personal Financial Data Rights, 89 Fed. Reg. 90838 (Nov. 18, 2024) (finalized Oct. 22, 2024).

3 12 U.S.C. § 5533(a).

4 12 C.F.R. § 1033.111(b).

5 12 C.F.R. § 1033.111(d).

6 12 C.F.R. § 1033.301(c).

7 12 C.F.R. § 1033.311(e)(2).

8 Dodd-Frank defines “consumer” to include “an individual or an agent, trustee, or representative acting on behalf of an individual.” 12 U.S.C. § 5481(4).

9 12 U.S.C. § 5533(d).

10 Appendix A to 12 C.F.R. § 1033; 89 Fed. Reg. 49084 (June 11, 2024).