The Open Banking Debate Rages On
While operations at the Consumer Financial Protection Bureau (CFPB) continue to dwindle dramatically, one aspect of the agency is continuing its work. Known as the Open Banking Rule, Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act is currently in an expedited rulemaking process following a tumultuous rollout. This piece presents a summary of the rule and its status, while a forthcoming explainer will dive deeper into the issue.
What Is Open Banking?
Open banking is rulemaking that allows consumers to transfer their financial data (e.g., transaction history, balances) securely between financial institutions and to financial technology applications. For example, an individual wanting to analyze spending with a budgeting application may need to connect data from their financial institution directly to the application. The Open Banking Rule would define and regulate the process by which this would occur.
Recent Updates
The CFPB finalized the Personal Financial Data Rights Rule in October 2024; however, it was rescinded before implementation due to a variety of contentious points. The Open Banking Rule is now on an expedited timeline to be rewritten and implemented.
Key Areas of Debate and Possible Paths Forward
As the CFPB continues its accelerated Section 1033 rulemaking process, several provisions of the earlier rule have prompted renewed debate and scrutiny among stakeholders. Here, we distill the four central areas of debate and outline opportunities for compromise and pathways forward.
Liability Framework
The lack of clarity around who bears responsibility when data sharing between financial institutions and technology platforms goes wrong is a significant source of disagreement. While Section 1033 places obligations on both financial institutions and authorized third parties, stakeholders increasingly agree that ambiguity around breaches and unauthorized transactions creates uncertainty in enforcement and risk allocation.
To address this, many are examining a “follow-the-data” model that assigns accountability based on each party’s role in collecting, transmitting, storing, or using consumer information. Others have proposed anchoring Section 1033’s security provisions to existing frameworks, such as the Gramm-Leach-Bliley Act Safeguards Rule, to harmonize expectations for all participants without duplicative mandates. Additional approaches include empowering industry-led, standard-setting bodies to promote secure application programming interfaces as the default and clarifying that banks may limit data access only on transparent, consistent, and risk-based grounds—thereby reducing concerns that cybersecurity safeguards could be used unfairly as a pretext to stifle competition.
Privacy Standards
Privacy remains a contested aspect of Section 1033, especially given the perception of sweeping obligations and limited safeguards that characterized the 2024 rule. Critics warned that mandatory data sharing without parallel oversight could expose consumers to privacy and security risks, while supporters argued that stronger data rights are essential to modernizing financial portability in the absence of a comprehensive federal privacy law.
Current discussions focus on the following:
- Adopting data minimization and “reasonable security” standards while explicitly permitting de-identified data for safety, fraud prevention, and model improvement in line with cyber best practices.
- Creating standardized disclosures and accountability mechanisms that ensure clarity and consistency across financial institutions and third parties.
- Implementing user-centered consent frameworks with clearly defined scopes, easy revocation, opt-in or opt-out options, and a right to deletion.
Together, these approaches aim to preserve customer control and privacy without imposing prohibitions that could limit legitimate data uses or otherwise impede innovation.
Data Access and Transfer
The original rule required financial institutions to provide data free of charge, despite there being no such requirement in statute; however, the costs for data access and transfer will ultimately be borne somewhere. If the final rule requires data to be accessible on a fee-free basis, then financial institutions may face an unfair burden of costs, an issue far more challenging for smaller institutions. And if borne by data aggregators, those costs will likely be passed on to third parties and ultimately fall back on the consumer in the form of a subscription fee or other fees.
Definition of “Consumer”
In the Biden-era rule, the term “consumer” included data aggregators. This is a departure from traditional financial regulatory language, which would typically include only those with a “fiduciary responsibility” to the consumer. The Dodd-Frank Act defines a consumer as “an individual, agent, trustee, or representative acting on behalf of an individual” but fails to incorporate the fiduciary responsibility terminology, leaving the interpretation open to debate.
While it is reasonable to assume that a financial technology application with which a consumer has directly engaged is “acting on behalf of an individual,” it is not necessarily reasonable to assume that it too should receive data free of charge. This is why the association between a consumer and associated costs is so critical.
Conclusion
A variety of issues existed with the initial open banking framework—a rule over a decade in the making. Fortunately, the new rulemaking will roll out on an expedited timeframe; unfortunately, several key issues relate directly to the underlying statute and its lack of clarity (just one example of Dodd-Frank’s broader issues). Clearly defining these terms in the final rule will be vital.
Further, rulemaking authorities must consider the impacts on all involved parties, including financial institutions, financial technology companies, data aggregators, and, of course, consumers. This means rejecting a framework that puts unnecessary regulatory burdens upon any of the key players in favor of one that advances the statutory requirement of open banking in the clearest, least burdensome way.