The Consumer Financial Protection Bureau reopened debate over open banking, issuing a new advance notice of proposed rulemaking
The notice, which kicks off a rewrite of the CFPB’s Section 1033 data-access rule, is scheduled to appear in the Federal Register on Aug. 22, with public comments due 60 days later, around Oct. 21, 2025. With this step, the bureau is formally moving away from the Biden-era framework it finalized last year by inviting stakeholders to help shape a replacement that balances consumer control of financial data with meaningful security, privacy, and cost guardrails.
In its announcement of the proposal, the CFPB highlighted Section 1033’s shortcomings, noting that it does not specify who may act on a consumer’s behalf when making data requests. The law does not detail the optimal way to assess fees to defray the costs incurred by a “covered person” in responding to a customer-driven request. Other unresolved issues include the threat and cost-benefit pictures for data security and data privacy tied to compliance.
To that end, the CFPB is seeking comment in four areas. quiry. First, the bureau wants to define who qualifies as a consumer’s “representative” to access data. Second, the notice asks if and how covered institutions should be allowed to assess fees to defray the cost of responding to requests. Third, it seeks an accounting of the threats and cost-benefit tradeoffs for data security posed by broad access rights. And fourth, it probes the privacy risks tied to consumer-authorized sharing, including the licensing or sale of sensitive financial data.
The rulemaking reset follows a tumultuous year. The CFPB finalized its Section 1033 rule on October 2024. Within hours, Forcht Bank, the Bank Policy Institute, and the Kentucky Bankers Association sued in federal court, seeking an injunction while arguing that the bureau exceeded its statutory authority.
The Trump Administration, which initially told the court it would rescind the rule, later reversed course, saying it would write a new rule through an expedited process and issue a new notice of proposed rulemaking.
Timing looms large. The Biden-era rule is set to take effect on June 30. The CFPB plans to propose an extension of the current compliance dates and is seeking feedback on whether those deadlines remain appropriate.
Plaintiffs in the Kentucky case, which contend that the CFPB cannot finish a replacement on schedule, asked the court to further delay the effective dates. Without a stay, they argue, financial institutions would have to keep preparing for the 2024 rule even as a new version is being drafted.
Banks and trade groups greeted the reset as an opportunity to recalibrate.
In a joint statement, the lawsuit’s plaintiffs said the rulemaking “presents an opportunity for the CFPB to right the problems of the Biden-era rule by sticking to its statutory authority and putting consumers’ security first. Banks are advocating for a solution that both protects consumers and preserves marketplace innovation already underway, and we look forward to working with the administration on its efforts to revise the problematic 2024 rule.”
Where the bureau lands will hinge on several design choices.
Defining who can represent consumers could lead to accreditation or contractual standards, while decisions on fees could determine if data access operates like a utility right or a cost-recovery service with caps and conditions.
Security rules will need to allocate responsibility for authentication, transmission standards, incident reporting, and liability should things go awry, and the privacy framework must address consent flows, data minimization, time-limited access, and restrictions on downstream use or sale of sensitive information.
Given the timing and the high stakes involved, the issue is unlikely to be resolved this year.