The CFPB published an advance notice of proposed rulemaking (ANPR) on Aug. 22, 2025, seeking comments and data to aid in the agency's reconsideration of its Section 1033 Open Banking Rule. This notice follows the CFPB's recent decision to withdraw its request that a federal judge vacate the Rule, electing instead to reopen the rulemaking process.
The Open Banking Rule enables consumers to access, or authorize a third party to access, and share data associated with bank accounts, credit cards, mobile wallets, payment apps and other financial products free of charge. Though the CFPB recognizes the "desire to increase consumers' access to their financial information," the notice highlights how the "statutory text of Section 1033 is quite sparse and does not specifically address several important questions that arise from the rights it creates."
The CFPB, therefore, has identified the following four areas to address based on comments and data it seeks from the public and industry participants:
- the scope of who may make a request on behalf of the consumer
- defrayment of costs in exercising rights under Section 1033 (e.g., assessment of fees incurred by a "covered person" in responding to a customer-driven request)
- information security concerns in the exercise of Section 1033 rights
- privacy concerns in the exercise of Section 1033 rights
The CFPB's evaluation of the Open Banking Rule has been highly anticipated, as the Rule has faced significant criticism from financial institutions and trade groups since it was issued in October 2024. As previously reported by Holland & Knight, the Rule was challenged in the U.S. District Court for the Eastern District of Kentucky by Forcht Bank, the Bank Policy Institute and Kentucky Bankers Association, which sought injunctive relief based on the CFPB's attempt to exceed its statutory authority.
The CFPB initially requested that the court vacate the Rule in a motion for summary judgment, opining that "the Rule is unlawful under the APA because it exceeds the Bureau's statutory authority and is arbitrary and capricious." However, on July 29, 2025, the CFPB reversed the position taken in its motion for summary judgment, instead asking the court to stay proceedings, as the agency "decided to initiate a new rulemaking to reconsider the Rule with a view to substantially revising it and providing a robust justification." After the motion to stay was granted, the CFPB began holding meetings with stakeholders to review the Rule. At that time, the CFPB stated that it planned to issue an ANPR within three weeks that would be the starting point for the accelerated process.
The notice outlines several concerns with the scope of the current Rule. Specifically, the Rule does not currently address "the potential negative consequences to the consumer of exercising this right in an environment where there are tens of thousands of malign actors regularly seeking to compromise data sources and transmissions," nor does it consider "the potential benefits to consumers or competition of facilitating the consumer-authorized transfer of data to financial technology companies, application developers, and other third parties."
Such considerations are critical because "[e]ven for those who are comfortable with the existence of an extensive digital record ... there is certain information that ... individuals may not want revealed to everyone and anyone, sometimes even those closest to them."
The ANPR is the CFPB's next step in collecting expert analysis and data from the public and key industry stakeholders as it prepares to revise the Rule. In doing so, the CFPB has requested responses to "several important questions that arise from the rights" the Rule creates, particularly:
- precisely who may act on behalf of the consumer
- how the costs of effectuating such rights may be defrayed by the "covered person" providing the data
- the potential negative consequences to the consumer of exercising this right in an environment where there are tens of thousands of malign actors regularly seeking to compromise data sources and transmissions
- the potential negative consequences to the consumer in exercising this right where the data contains information that the consumer may not want disclosed but does not fully understand or realize may be disclosed by the third party through which it has made a request
- the potential benefits to consumers or competition of facilitating the consumer-authorized transfer of data to financial technology companies, application developers and other third parties
Notably, the ANPR has a relatively narrow scope and does not necessarily indicate what the CFPB will ultimately propose changing in the current Rule, but it does suggest where, specifically, the CFPB sees the need for additional clarity. By analyzing what the agency is seeking input on and, just as important, what it is not asking about, we can get a sense of the CFPB's priorities and, to a lesser extent, its preexisting beliefs.
Certain aspects of the Rule also remain unaddressed, such as the allocation of liability in this data access ecosystem. How liability is assigned in open-banking-powered use cases (particularly payments use cases) has been one of the key points raised by critics of the Rule. The ANPR does ask about information security, however, which may be a proxy for these same concerns about the risks created by consumer-permissioned data sharing. At this point, it remains unclear whether the CFPB will issue "significant changes" to the existing Rule or whether it will vacate the Rule entirely, either via rulemaking or in litigation.
The CFPB also announced in the ANPR that it will be issuing a proposed rule to extend the forthcoming compliance dates for the Rule and noted it would be asking for specific information on how long entities will need to comply with a revised rule. As of now, the compliance dates for the current Personal Financial Data Rights (PFDR) Rule remain in effect, with the first deadline currently set for June 30, 2026. Since any potential changes to the compliance dates will likely be informed by this ANPR, any potential extension may not come until later this year or early 2026, which may pose compliance challenges for entities subject to the June 30, 2026, compliance deadline.
Industry participants have until Oct. 21, 2025, to submit answers to the CFPB's stated questions and provide additional related comments, such as how the licensing and sale of consumers' financial information gives rise to data privacy threats. As the CFPB awaits these comments and analyzes those received, it also plans to issue a Notice of Proposed Rulemaking (NPRM) extending the Rule's compliance dates and is seeking comments on the appropriateness of such extensions.