.svg)
By defining who can access consumer data, whether fees are allowed and compliance timelines, the Personal Financial Data Rights final rule (PFDR Rule) underscores continuing legal and market tensions between banks and fintech innovators.
At the end of October 2025, the Consumer Financial Protection Bureau (CFPB) closed the comment period on key issues relating to its revised PFDR Rule.
The PFDR Rule is designed to implement Section 1033 of the Dodd-Frank Act, the foundational law of the US open banking ecosystem.
Though the law was enacted by Congress in 2010, it did not become a major point of contention among financial institutions until October 2024, when the CFPB published its final PFDR Rule.
On the day it came into effect, the rule was immediately challenged in court by Forcht Bank, the Kentucky Bankers Association, and the Bank Policy Institute (BPI). The plaintiffs argued that it exceeds the CFPBās statutory authority.
In July 2025 the current CFPB leadership petitioned the court to stay the litigation on the grounds that it would initiate a new āacceleratedā rulemaking process that will lead to a āsubstantially revisedā rule.
The closure of the comment period potentially marks the last opportunity for financial institutions to influence the ruleās provisions outside of court.
However, the sticking points among banks and fintechs remain unresolved, with no immediate prospect of reconciliation.
Is it legal to charge for data access?
In their original October 2024 complaint, the plaintiffs argued that the PFDR Rule is "arbitrary, capricious, or otherwise contrary to lawā under the meaning of the Administrative Procedure Act (APA).
Among their grievances, the plaintiffs objected to the ruleās prohibition on charging third parties to access consumer data
In May 2025, in one of its court submissions, the current CFPB leadership also expressed the view that the prohibition of such fees is āunlawfulā.
This remains the plaintiffsā point of view, and reflects the position of major US banks, particularly BPI members.
In its latest comments to the CFPB, the BPI argues that the prohibition of fees would ādisruptā the ārobust and competitiveā permissioned data sharing ecosystem that already exists and that is built around fees.
To demonstrate that this ecosystem is āfunctioning wellā without government regulation, the BPI offers the example of J.P. Morgan Chase and its latest data access agreement with Plaid.
The agreement includes a pricing structure whereby Plaid has agreed to compensate J.P. Morgan Chase to access its consumer data upon request.
In August this year, as covered by Vixio, the bankās decision to begin charging such fees had triggered a backlash from fintechs such as Plaid, which decried the fees as āexorbitantā and āanticompetitiveā.
In Plaidās latest comments to the CFPB, the fintech argues once again that the Bureau āshould confirmā that such fees are illegal under Section 1033.
āWith Section 1033ās protection, the market has successfully developed over more than a decade without fees for data access,ā it said.
āDominant financial institutions are pressing for fees now, not because of some new-found need to recover ācostsā on the very API technologies they insisted the market adopt, but rather because fees are yet another competition-killing weapon in their arsenal.ā
Plaidās comments were echoed by other fintechs including Wise, Stripe and Trustly.
Aneeb Sheikh, policy and government relations manager for North America at Wise, wrote that Section 1033 makes clear that access to consumer data is a right, not a service subject to discretionary pricing by financial institutions.
āAny attempt by a covered entity to impose fees on data access transforms a statutory right into a paid privilege, effectively nullifying CongressŹ¼ intent,ā he said.
āThe prohibition on fees is the best reading of the statute, which does not explicitly authorize them, and is necessary to prevent costs from becoming a barrier to exercising the data right.ā
No consensus on compliance deadlines
Another element of the PFDR Rule that is likely to be revised is its compliance deadlines for covered entities.
As part of its reconsideration of the PFDR Rule, the CFPB said in August 2025 that it plans to issue a Notice of Proposed Rulemaking to extend the compliance dates.
The current compliance dates are determined by the size of the covered entity. Those with $250bn or more in assets are required to comply by August 1, 2026, with smaller entities subject to staggered deadlines through April 1, 2030.
As with the prohibition on fees, banks and fintechs are on opposing sides of the issue, and for similar reasons.
Large banks that believe the rule itself is unlawful object to having to invest resources to comply with it, especially if those resources cannot be recouped through fees.
āIf the compliance deadlines are not suspended, banks will continue to expend significant time and resources to come into compliance with a rule that the CFPB itself believes is unlawful and has already begun to revise,ā said the BPI.
āThe CFPB therefore should act as expeditiously as possible to suspend the compliance dates while it reconsiders the PFDR Rule.ā
On the fintech side, the banks are accused of pushing to extend the deadlines so that they can continue to impose fees for data access.
āThe largest banks have long known that the requirements were coming and, in most instances, are already compliant through their existing API direct connections,ā said Stripe.
āTherefore, the largest banks will not benefit from extensions to the compliance timelines. Conversely, small businesses that depend on data access will suffer great hardship if they are forced to pay data access fees to maintain their operations.
āRather than allowing fees to take hold, Stripe urges the CFPB to uphold the existing compliance deadlines for the largest banks, thereby prohibiting data access fees.ā
The same argument was made by Trustly, which added that banks are using the uncertainty of continued litigation against the PFDR Rule to embed fees for data access, in what is āvery likely an illegal land grabā.
Who can access data anyway?
A final element of the PFDR Rule that is also subject to dispute is its interpretation of which ārepresentativesā can access consumer data on the consumerās behalf.
The BPI argues that the CFPB does not have authority to require banks to share consumer data with commercial third-party data aggregators and fintechs, even if they obtain the consumerās authorisation.
The terms āagent, trustee, or representative acting on behalf of an individualā, which appear in Section 1033, are legal āterms of artā, the BPI writes, that should be presumed to have their common-law meaning.
āAt common law, agents and trustees have a fiduciary relationship that requires an unusual level of trust and confidence and that imposes a duty of loyalty to act for the principalās benefit,ā it said.
āThe one-time authorization contemplated by the Ruleāperhaps provided when the consumer downloads an appādoes not convert the third party into the consumerās agent or trustee acting for the benefit of the consumer.ā
The BPIās reading of Section 1033 is contested by fintechs and data aggregators.
Writing as a group, the Financial Technology Association (FTA), the American Fintech Council (AFC) and others argue that a "representative" of the consumer need not have an existing fiduciary responsibility to that consumer.
āThe word ārepresentativeā has a straightforward meaning: someone who acts on your behalf,ā they said.
āInterpreting ārepresentativeā to require a fiduciary relationship would make the word ārepresentativeā meaningless, since Congress already used the words āagentā and ātrusteeā.
āIf Congress wanted to limit who could access data, it wouldn't have added a third, broader category.ā
What happens next?
The CFPBās funding is drawn directly from the Federal Reserve System, which means it is not at risk of being brought to a halt under a prolonged government shutdown, unlike agencies that are funded by Congressional appropriations.
However, it remains unclear whether the Trump administration intends to keep the CFPB open in the long term, and Democrats continue to press for more details as to the administrationās true plans for the agency.
Even if the CFPB remains open and a "substantially revisedā PFDR Rule is put forward as promised, the rule will likely remain subject to legal challenges in court.
Whether those challenges come from the banks or from the fintechs will depend on what goes into the final rule, but it is unlikely to satisfy all stakeholders.
