WASHINGTON–While a district court has granted a request to stay the compliance deadline for the CFPB’s Section 1033 rule, which halts the original timeline for the open banking rule to take effect, there remain significant issues affecting credit unions that still need to be hashed out around charging fees for data access, data security and more—and it’s a debate on which there are strong parties on both sides of all those questions.
As the CU Daily reported, the rule, which was designed to give consumers more control over their financial data, was set to take effect on a staggered schedule for different financial institutions starting in June 2026. The court decision comes after the CFPB signaled its intention to broadly reexamine and potentially revise the open banking rule, following a lawsuit filed by the Bank Policy Institute, the Kentucky Bankers Association, and Forcht Bank.
The stay will remain in effect while the CFPB conducts a new rulemaking process, which includes seeking public feedback, the court said.
A New Landscape
Ann Petros, VP-policy engagement and credit union operations with America’s Credit Unions, said the trade group is appreciative of the additional clarity the CFPB is looking to provide around the sharing of customer/member data, especially given the burdens and challenges (including legal) that the prior rule was likely to bring.
But the court ruling does not mean new rules aren’t coming, Petros said, and credit unions will need to prepare for a new landscape.
“This is a requirement under the Dodd Frank Act, so the CFPB is statutorily required to issue a regulation to implement section 1033 and establish an open banking framework,” Petros said.
Petros said she didn’t want to speculate on what form those rules might take, but did note that the fintech industry is pressuring the CFPB to ensure open banking becomes a reality sooner rather than later.
A fintech trade group has also intervened in the lawsuit over Section 1033.
‘No Slam Dunk’
Ultimately, Petros said she expects the CFPB’s final rule to give a “little bit to banks and credit unions and a little bit” to fintechs.
“I don’t know that it will be a slam dunk from our perspective,” said Petros. “Maybe we get the ability to assess some sort of fee for sharing. As for the other requests that we’ve made of the CFPB, I don’t know that they’ll just grant them outright, because there’s a lot of pressure from the other side to establish a very fluid system for exchanging consumer information.”
Not to ‘Overhype’ It, But…
Greg Mesack, senior vice president of advocacy with America’s Credit Unions, said he expects “this is going to be one of the more contested rulemaking we see out of this CFPB in the next year.”
“I don’t want to overhype it, but it really means a transition in the financial services industry for the delivery of consumer finance with the growth of fintechs,” he said. “(The CFPB) is going to try to draw the lines between how information is shared and how it’s done in a way that’s safe and sound and preserves the ability of community institutions like credit unions and community banks to continue to have a role, while also allowing innovation…It is a very consequential rulemaking and, when done right, can be great for everybody.
“But as we saw, the previous version was not done right. It left credit unions holding a ton of liability with no ability to protect their members. It would have been incredibly damaging,” Mesack continued. “We don’t know what they’re thinking for the future. There is a lot of pressure from the fintech industry, which has strong connections to the White House, pushing for something that wouldn’t be good for credit unions.”
Different Rules
Mesack said credit unions, banks and other depositories that operate under strict standards are aligned around the critical need for data security and privacy, while fintechs do not operate under a similar regulatory regime.
“We pride ourselves on data security, pride ourselves on how we use our customer data, and we don’t view customer data as a way to make money,” Mesack said. “To their credit, fintechs have driven a lot of innovation and a lot of great new products. So, how do you draw those lines? They’re not easy to draw.”
Mesack noted there is one camp that believes these issues are already being addressed by market forces and which questions whether any new rule is needed at all.
But given the Dodd Frank requirements, he added it’s inevitable that at some point there will be compliance requirements for credit unions and other financial services providers when it comes to open banking, as has been seen in other countries.
The Two Key Issues
The debate over open banking will focus on the two key issues noted above: the ability to charge for access for data (as some big banks are doing in charging fintechs) and liability.
Of the two, Mesack said he believes the liability issue is most critical.
“They’re both very important, but the liability could potentially cost so much,” Mesack said. “If you look at the…original proposed rule, we were required to give the data away. So, a (third party) could take the data, misuse it, there could be all kinds of fraud and the entity that took the data and misused the data would have to pay for it, and the credit union could potentially have to, too. So, that’s just terrifying for credit unions.”
It’s a point America’s Credit Unions wants to see addressed in the reworked CFPB proposal.
Petros noted the data security question around open banking is actually part of a broader issue around third parties and security.
A ‘Reasonable’ Fee
In terms of fees for accessing data, Mesack said America’s credit unions believes a “reasonable fee” would seem “appropriate,” but at this point America’s Credit Unions has not determined how such fees might be structured and what that appropriate fee might be.
“That may vary from institution to institution. I believe it’s a determination that should be made by the credit union,” he said. “It’s something we’ll have to continue to hash out.”
