.svg)
By defining who can access consumer data, whether fees are allowed and compliance timelines, the Personal Financial Data Rights final rule (PFDR Rule) underscores continuing legal and market tensions between banks and fintech innovators.
At the end of October 2025, the Consumer Financial Protection Bureau (CFPB) closed the comment period on key issues relating to its revised PFDR Rule.
The PFDR Rule is designed to implement Section 1033 of the Dodd-Frank Act, the foundational law of the US open banking ecosystem.
Though the law was enacted by Congress in 2010, it did not become a major point of contention among financial institutions until October 2024, when the CFPB published its final PFDR Rule.
On the day it came into effect, the rule was immediately challenged in court by Forcht Bank, the Kentucky Bankers Association, and the Bank Policy Institute (BPI). The plaintiffs argued that it exceeds the CFPB’s statutory authority.
In July 2025 the current CFPB leadership petitioned the court to stay the litigation on the grounds that it would initiate a new “accelerated” rulemaking process that will lead to a “substantially revised” rule.
The closure of the comment period potentially marks the last opportunity for financial institutions to influence the rule’s provisions outside of court.
However, the sticking points among banks and fintechs remain unresolved, with no immediate prospect of reconciliation.
Is it legal to charge for data access?
In their original October 2024 complaint, the plaintiffs argued that the PFDR Rule is "arbitrary, capricious, or otherwise contrary to law” under the meaning of the Administrative Procedure Act (APA).
Among their grievances, the plaintiffs objected to the rule’s prohibition on charging third parties to access consumer data
In May 2025, in one of its court submissions, the current CFPB leadership also expressed the view that the prohibition of such fees is “unlawful”.
This remains the plaintiffs’ point of view, and reflects the position of major US banks, particularly BPI members.
In its latest comments to the CFPB, the BPI argues that the prohibition of fees would “disrupt” the “robust and competitive” permissioned data sharing ecosystem that already exists and that is built around fees.
To demonstrate that this ecosystem is “functioning well” without government regulation, the BPI offers the example of J.P. Morgan Chase and its latest data access agreement with Plaid.
The agreement includes a pricing structure whereby Plaid has agreed to compensate J.P. Morgan Chase to access its consumer data upon request.
In August this year, as covered by Vixio, the bank’s decision to begin charging such fees had triggered a backlash from fintechs such as Plaid, which decried the fees as “exorbitant” and “anticompetitive”.
In Plaid’s latest comments to the CFPB, the fintech argues once again that the Bureau “should confirm” that such fees are illegal under Section 1033.
“With Section 1033’s protection, the market has successfully developed over more than a decade without fees for data access,” it said.
“Dominant financial institutions are pressing for fees now, not because of some new-found need to recover ‘costs’ on the very API technologies they insisted the market adopt, but rather because fees are yet another competition-killing weapon in their arsenal.”
Plaid’s comments were echoed by other fintechs including Wise, Stripe and Trustly.
Aneeb Sheikh, policy and government relations manager for North America at Wise, wrote that Section 1033 makes clear that access to consumer data is a right, not a service subject to discretionary pricing by financial institutions.
“Any attempt by a covered entity to impose fees on data access transforms a statutory right into a paid privilege, effectively nullifying Congressʼ intent,” he said.
“The prohibition on fees is the best reading of the statute, which does not explicitly authorize them, and is necessary to prevent costs from becoming a barrier to exercising the data right.”
No consensus on compliance deadlines
Another element of the PFDR Rule that is likely to be revised is its compliance deadlines for covered entities.
As part of its reconsideration of the PFDR Rule, the CFPB said in August 2025 that it plans to issue a Notice of Proposed Rulemaking to extend the compliance dates.
The current compliance dates are determined by the size of the covered entity. Those with $250bn or more in assets are required to comply by August 1, 2026, with smaller entities subject to staggered deadlines through April 1, 2030.
As with the prohibition on fees, banks and fintechs are on opposing sides of the issue, and for similar reasons.
Large banks that believe the rule itself is unlawful object to having to invest resources to comply with it, especially if those resources cannot be recouped through fees.
“If the compliance deadlines are not suspended, banks will continue to expend significant time and resources to come into compliance with a rule that the CFPB itself believes is unlawful and has already begun to revise,” said the BPI.
“The CFPB therefore should act as expeditiously as possible to suspend the compliance dates while it reconsiders the PFDR Rule.”
On the fintech side, the banks are accused of pushing to extend the deadlines so that they can continue to impose fees for data access.
“The largest banks have long known that the requirements were coming and, in most instances, are already compliant through their existing API direct connections,” said Stripe.
“Therefore, the largest banks will not benefit from extensions to the compliance timelines. Conversely, small businesses that depend on data access will suffer great hardship if they are forced to pay data access fees to maintain their operations.
“Rather than allowing fees to take hold, Stripe urges the CFPB to uphold the existing compliance deadlines for the largest banks, thereby prohibiting data access fees.”
The same argument was made by Trustly, which added that banks are using the uncertainty of continued litigation against the PFDR Rule to embed fees for data access, in what is “very likely an illegal land grab”.
Who can access data anyway?
A final element of the PFDR Rule that is also subject to dispute is its interpretation of which “representatives” can access consumer data on the consumer’s behalf.
The BPI argues that the CFPB does not have authority to require banks to share consumer data with commercial third-party data aggregators and fintechs, even if they obtain the consumer’s authorisation.
The terms “agent, trustee, or representative acting on behalf of an individual”, which appear in Section 1033, are legal “terms of art”, the BPI writes, that should be presumed to have their common-law meaning.
“At common law, agents and trustees have a fiduciary relationship that requires an unusual level of trust and confidence and that imposes a duty of loyalty to act for the principal’s benefit,” it said.
“The one-time authorization contemplated by the Rule—perhaps provided when the consumer downloads an app—does not convert the third party into the consumer’s agent or trustee acting for the benefit of the consumer.”
The BPI’s reading of Section 1033 is contested by fintechs and data aggregators.
Writing as a group, the Financial Technology Association (FTA), the American Fintech Council (AFC) and others argue that a "representative" of the consumer need not have an existing fiduciary responsibility to that consumer.
“The word ‘representative’ has a straightforward meaning: someone who acts on your behalf,” they said.
“Interpreting ‘representative’ to require a fiduciary relationship would make the word ‘representative’ meaningless, since Congress already used the words ‘agent’ and ‘trustee’.
“If Congress wanted to limit who could access data, it wouldn't have added a third, broader category.”
What happens next?
The CFPB’s funding is drawn directly from the Federal Reserve System, which means it is not at risk of being brought to a halt under a prolonged government shutdown, unlike agencies that are funded by Congressional appropriations.
However, it remains unclear whether the Trump administration intends to keep the CFPB open in the long term, and Democrats continue to press for more details as to the administration’s true plans for the agency.
Even if the CFPB remains open and a "substantially revised” PFDR Rule is put forward as promised, the rule will likely remain subject to legal challenges in court.
Whether those challenges come from the banks or from the fintechs will depend on what goes into the final rule, but it is unlikely to satisfy all stakeholders.
