.svg)
On October 22, 2024, the US Consumer Financial Protection Bureau (CFPB) finalized its framework for open banking with the Personal Financial Data Rights rule, commonly referred to as the Open Banking Rule. The final rule aimed to ensure consumers would be able to access and share data associated with bank accounts, credit cards, mobile wallets, payment apps and other financial products, and unlock consumer choice over financial products and services.
Over the past year, a series of developments, including a legal challenge and a change in presidential administration, have led to ongoing back-and-forth over the Open Banking rule’s status and implementation. In 2024, following the rule’s adoption, Forcht Bank, the Kentucky Bankers Association, and the Bank Policy Institute immediately sued the CFPB, challenging the rule’s legality and claiming it exceeded the agency’s authority. In May 2025, the CFPB, under the new Trump administration, told the court that the final rule was “unlawful” and should be vacated. However, only two months later, in July 2025, the CFPB announced that it would issue a revised rule instead of vacating the old one entirely.
Most recently, in August 2025, the CFPB issued an advance notice of proposed rulemaking (ANPRM) highlighting four key issues in the rule’s implementation, which are now the focus of the current debate.
The Bigger Picture
The Open Banking Rule is grounded in Section 1033(a) of the Dodd-Frank Act, which provides that, subject to rules issued by the CFPB, consumers shall have access to requested information in the control or possession of financial entities relating to the products of services obtained from those financial entities.
The final Open Banking rule adopted in October 2024 required financial institutions, credit card issuers, and other financial providers to unlock an individual’s personal financial data and transfer it to another provider at the consumer’s request for free. The final rule also defined obligations for third parties accessing consumers' data, including important privacy protections.
As the CFPB moves toward revising the rule, it has focused on four key issues and is inviting public comment on each:
- The proper understanding of who can serve as a “representative” making a request on behalf of the consumer, including precisely who may act on behalf of the consumer.
- The optimal approach to the assessment of fees to defray the costs incurred by a “covered person” in responding to a customer-driven request, including how the costs of effectuating such rights may be defrayed by the “covered person” providing the data.
- The threat and cost-benefit pictures for data security associated with Section 1033 compliance, including the potential negative consequences to the consumer of exercising this right.
- The threat picture for data privacy associated with Section 1033, including the potential negative consequences to the consumer in exercising this right.
Interested parties are encouraged to submit comments via the online portal by October 21, 2025.
Why Should You Care?
Without open banking, banks’ monopoly over customers’ financial data creates significant barriers for switching to competitors. This limits consumer choice and increases the likelihood that customers remain with the same institution for additional products. For payment service providers (PSPs), the Open Banking Rule presents an opportunity to level the playing field by breaking down banks’ traditional monopoly over customer data and payment initiation. By mandating banks to share data, the rule eliminates key advantages that banks previously held, particularly customer retention and concentrated market power, allowing PSPs to compete more effectively.
The CFPB’s current position on the rule, and its call for industry feedback, gives PSPs a chance to shape the outcome and ensure their interests are represented. As they prepare responses to the ANPRM, PSPs should focus on the following key issues and advocate for interpretations of the rule that favor the innovation and consumer choice that the rule is meant to create.
(1) Consumer representation and data access rights: Under Section 1033, a "consumer" is defined as “an individual or an agent, trustee, or representative acting on behalf of an individual.” However, as pointed out by the CFPB in its ANPRM, “the statutory text of section 1033 is quite sparse and does not specifically address several important questions that arise from the rights it creates.” The CFPB is now assessing which parties qualify as a “representative” and are therefore authorized to request data sharing on a consumer’s behalf.
The CFPB’s interpretation of who can act as a consumer’s “representative” will determine how easily PSPs can access bank-held data on behalf of their customers. PSPs should consider current customer interactions to identify how they could verify and potentially demonstrate “representative” authority. In feedback to the CFPB, PSPs should consider advocating for clear, standardized definitions and processes that prevent abuse while ensuring consumers can easily authorize PSPs to access their data if they so choose.
(2) Data costs and fee structures: Under provisions finalized as part of the current Open Banking rule, a data provider must not impose any fees or charges on a consumer or an authorized third party in connection with establishing or maintaining the required consumer and developer interfaces or receiving requests or making available covered data. The CFPB is now investigating whether covered persons should be able to recover a “reasonable rate for offsetting the costs of enabling consumers to exercise their rights under section 1033.”
PSPs should take into consideration, if the CFPB chooses to permit banks to impose fees when responding to consumers' requests for data sharing, PSPs will likely face higher operating costs or barriers to accessing customer data. If PSPs choose to pass this cost on to consumers in the form of higher transaction fees, customers could likely switch back to traditional banking, effectively creating an uneven playing field for fintech PSPs seeking to enter the space. There is an argument to be made that paid data access favors large PSPs that can afford the data costs, thus stifling the competition and innovation in the fintech sector that Open Banking seeks to create. PSPs should analyze the impact these costs may have on their bottom line and provide feedback that these fee structures could not only harm competition but restrict consumer choice.
(3) Data security: The current Open Banking rule addresses information security in several ways. It prohibits data providers from relying on a third party’s use of screen scraping to access the developer interface required by the rule, requires data providers and third parties to adhere to specific information security standards, and provides that data providers may deny access to consumers or third parties if granting access is inconsistent with policies and procedures reasonably designed to comply with such standards. The CFPB is now seeking comments and data on the threat and cost-benefit of securing consumer financial data both in storage and in transit by consumer, highlighting the constant threat of data breaches in today’s digital world.
Section 1033 compliance will likely require PSPs to meet robust security standards for data access and transmission. PSPs should consider both the direct costs of implementation (e.g., cybersecurity infrastructure) and the competitive advantage that strong security practices could bring in building consumer trust. In feedback, PSPs should emphasize standards that account for the size and resources of PSPs, while advocating for reasonable best practices that protect consumers.
(4) Data privacy and consumer protection: The current Open Banking rule requires third parties to obtain a consumer’s express informed consent to access covered data on behalf of the consumer, prescribes what a third party must disclose to a consumer, and limits a third party’s collection, use, and disclosure of covered data. The CFPB is now seeking comments on the threats to data privacy as a result of “unwitting” licensing or sale of sensitive personal financial information.
Privacy rules will shape how much data PSPs can collect, store, and use data to innovate services, and while stricter privacy controls may limit business opportunities, they also present PSPs with a chance to differentiate by demonstrating strong consumer protection and transparency. Limits on data retention will also play a key role in reducing costs for smaller PSPs while also helping to mitigate security risks. PSPs should consider reviewing existing data collection, storage, and use policies to identify where privacy risks may arise. In feedback, PSPs should consider advocating for clear consent requirements, demonstrating a commitment to consumer protection.
Above all else, PSPs should push for rules that apply equally across banks and non-banks, creating a level playing field.
PSPs have a critical opportunity to shape the Open Banking rule to their advantage. Strategic, well-informed feedback that addresses their unique position in today’s payments ecosystem can protect their competitive position while empowering consumers with greater control over their financial data.
