Alert
CFPB’s Open Banking Rules: Dead on Arrival or Alive and Well?
The Consumer Financial Protection Bureau (CFPB) finalized its long-awaited Personal Financial Data Rights rules under Section 1033 of the Dodd-Frank Act, marking a significant milestone in the regulation of consumer-authorized financial data sharing (also referred to as Open Banking). The final rules were issued in October 2024 and establish guidelines for how banks, FinTechs, and data aggregators must manage access to consumers’ financial data.
In the first month of the new administration, there has been a significant effort by the executive branch to dismantle the CFPB, including the appointment of an Acting Director who immediately suspended all of the agency’s standard operations, including supervision, examination, and enforcement activities. While the impact of the administration’s efforts can’t be fully appreciated at this time, many are asking: what will happen to the CFPB’s final 1033 rules?
Final Rules Became Effective January 2025
The final rules were published with an effective date of January 17, 2025. This eliminates the potential for an immediate delay raised by a recent Executive Order calling for federal agencies to postpone the effective date of all rules that have been published but are not yet effective, an order the CFPB’s Acting Director has relayed to agency staff. While the compliance deadlines in the rule are still in the future – beginning in April 2026 for the largest data providers – regulatory efforts to change the final rule should follow the ordinary process laid out in the Administrative Procedure Act (APA).
FinTech Trade Seeks to Intervene in Lawsuit, Defend Final Rules
On the day the CFPB finalized its Personal Financial Data Rights rules, two banking trade associations filed a lawsuit to block the rules from taking effect, claiming that they violate the Administrative Procedure Act. The lawsuit claims that several aspects of the CFPB’s final rule are arbitrary and capricious: applying “consumer” rights to third parties; placing consumer data at risk; restricting access denials based on risk management; failing to address liability; imposing vague developer interface performance standards; setting irrational compliance deadlines; and imposing an access-fee ban. The suit also claims several aspects of the rule exceed the agency’s statutory authority: requiring the disclosure of payment initiation information; delegating regulatory authority to private standard setters; and imposing an access-fee ban.
But given a recent directive for CFPB staff to refrain from making court appearances other than to request a pause in proceedings, proponents of the rule fear that the agency won’t defend it. A large trade association representing FinTechs and third parties seeking to access data filed a motion to intervene in the lawsuit, stepping up to defend the rule on behalf of its members in place of a stunted CFPB.
States Can Enforce CFPB’s 1033 Final Rules
While the CFPB is ordinarily expected to enforce its rules, Section 1042 of the Dodd-Frank Act also empowers states to take legal action to enforce CFPB regulations, adding a layer of decentralized consumer financial protection that should be more heavily utilized in the face of a limited or absent CFPB. The law gives state attorneys general and regulators authority to enforce certain provisions of federal consumer financial laws, including final CFPB rules. This provision was included in the Dodd-Frank Act to ensure that even if federal enforcement priorities shift, states can still hold financial institutions and FinTech firms accountable for noncompliance.
State enforcement is particularly significant given the historically divergent approaches to consumer protection at the state and federal levels. Some states, such as California and New York, have been particularly active in regulating financial data privacy and security. State attorneys general and regulators could leverage Section 1042 to take action against firms that fail to comply with the CFPB’s new data sharing rules. This creates a dual enforcement structure, where companies must not only ensure compliance with federal regulations but also prepare for state-level oversight and enforcement. In short, the absence of CFPB enforcement is unlikely to eliminate all enforcement of 1033.
Congressional Disapproval: Possible But Unlikely
Since the rule was finalized and published in the Federal Register on November 18, 2024, within 60 legislative days of the 118th Congress adjourning, it is subject to disapproval by Congress under the Congressional Review Act (CRA). A resolution of disapproval under the CRA would need to be passed by Congress and signed by the President. If that were to occur, the resolution would effectively nullify the rule and prohibit another rule from being issued in “substantially the same form.” But a CRA resolution of disapproval seems unlikely given bipartisan support for increased data sharing and competition in the provision of banking-related services from the FinTech sector.
What’s Next for Open Banking and Consumer Financial Data Rights?
The CFPB’s final rules on personal financial data rights are a significant step toward what advocates view as a more transparent and consumer-friendly financial ecosystem. While the rules are being challenged in court and the first compliance deadlines are still a year away, they are codified regulations today. Banks and FinTechs with obligations under these rules should prepare to comply with the law. And regardless of whether the rules survive, companies should be prepared to address the many policy issues presented by consumer and business demands for open banking, to deliver innovative features leveraging new data streams, and to manage the many risks presented, from privacy and data security to third-party risk management.