CFPB Plan to Revisit Personal Data Rights Rule Creates ‘New Uncertainty,’ Report States

WASHINGTON—The Consumer Financial Protection Bureau’s plan to revisit its personal financial data rights rule has injected “new uncertainty” into the future of open banking in the United States, even as regulators and financial firms move toward more standardized data-sharing practices, according to a new analysis.
JDSupra noted the CFPB finalized its long-awaited personal financial data rights rule in late 2024 to govern how banks and fintechs share consumer data. But the same day the rule was published, several banking trade groups sued in Forcht Bank N.A. v. CFPB in the U.S. District Court for the Eastern District of Texas, arguing the agency had overstepped its authority, JDSupra added.

Reversing Course

The analysis noted, as the CU Daily has reported, that following a change in administration earlier this year, the CFPB reversed course, siding with the plaintiffs and asking the court to vacate its own rule.
“That position shifted again when large banks signaled they might impose fees on third parties seeking access to consumer data—fees the current rule forbids. Outcry from fintechs and crypto firms prompted the bureau to request a stay in the litigation while it conducts ‘accelerated rulemaking,’” the report stated.

Advance Notice of Proposed Rulemaking
On Aug. 22, the CFPB issued an advance notice of proposed rulemaking that does not detail specific changes but poses 36 questions on three key issues: who may qualify as a consumer’s authorized data representative, how much it costs for data providers to make data available, and what privacy and security risks are most acute.
The inquiry suggests the agency will focus narrowly on refining certain provisions rather than dismantling the broader open banking framework, according to JDSupra.

Rules Expected to Stand—With Tweaks
Even if definitions tighten, observers say the rule’s structure—and the need for clear “rules of the road”—will remain, JDSupra said in its review. Banks and fintechs still must address screen-scraping risks, authenticate and monitor third-party access, obtain consumer consent, and set secure data-sharing standards through application programming interfaces.
Third parties, meanwhile, will continue to face disclosure and security obligations, and both sides will likely need bilateral data-access agreements outlining liability and operational terms, JDSupra said.

Possible Adjustments: Fees and Security
According to the analysis, the CFPB appears most likely to modify two areas: data-access fees and data-use restrictions. Banks argue they incur steep costs to build and maintain secure data interfaces, citing the need for engineering, compliance and fraud-prevention resources. While the current rule bars fees, the bureau may consider limited cost recovery similar to the European Union’s “reasonable compensation” model for data sharing.
The agency could also strengthen privacy limits on how third parties use consumer data, particularly to curb “secondary uses” such as employing aggregated information to enhance unrelated products, JDSupra added.

Next Steps for Banks and Fintechs
Despite ongoing litigation and rulemaking, financial firms continue investing in open banking infrastructure, JDSupra said, adding that many are expanding APIs, developing interoperable frameworks and upgrading security in anticipation of eventual implementation.
“Analysts say that even if compliance deadlines move, open banking is now embedded in the U.S. financial landscape,” JDSupra reported. “The CFPB’s rules—whatever their final form—are expected to set baseline expectations for secure, consumer-controlled data sharing. Forward-looking institutions are using this period to prepare systems that balance innovation with risk management.”
