ARTICLE
1 July 2025

The Slow Death Of The CFPB Open Banking Rule?

PC
Perkins Coie LLP

Contributor

Perkins Coie is a premier international law firm with over a century of experience, dedicated to addressing the legal and business challenges of tomorrow. Renowned for its deep industry knowledge and client-centric approach, the firm has consistently partnered with trailblazing organizations, from aviation pioneers to artificial intelligence innovators. With 21 offices across the United States, Asia, and Europe, and a global network of partner firms, Perkins Coie provides seamless support to clients wherever they operate.

The firm's vision is to be the trusted advisor to the world’s most innovative companies, delivering strategic, high-value solutions critical to their success. Guided by a one-firm culture, Perkins Coie emphasizes excellence, collaboration, inclusion, innovation, and creativity. The firm is committed to building diverse teams, promoting equal access to justice, and upholding the rule of law, reflecting its core values and enduring dedication to clients, communities, and colleagues.

On May 30, 2025, the Consumer Financial Protection Bureau (CFPB) stated in a court filing that its "Open Banking Rule" (Rule) issued during the Biden administration "is unlawful and should...
United States Finance and Banking

On May 30, 2025, the Consumer Financial Protection Bureau (CFPB) stated in a court filing that its "Open Banking Rule" (Rule) issued during the Biden administration "is unlawful and should be set aside." This shift is part of a wider effort by the CFPB to rescind or limit previously issued regulations.

Background on the Open Banking Rule

After much anticipation, in October 2024, the CFPB announced its final rule on personal financial data rights, implementing Section 1033 of the Consumer Financial Protection Act of 2010 (12 U.S.C. § 5533) (CFPA). The CFPB drafted the Rule to mandate that certain providers of financial products and services enable consumers to control the access to and sharing of their financial data to increase transparency and competition.

The Rule seeks to ensure that both consumers and their authorized third parties can access consumers' financial data in a secure and reliable manner to promote a system of "open banking" (i.e., a network of entities sharing personal financial data with consumer authorization). Examples of common open banking services used today include apps or other third-party services that obtain consumers' permission to access their bank account directly (usually through an application programming interface) in order to help consumers view and consolidate accounts across multiple financial institutions; pay for goods or services online without a credit card; import account information for accounting, budgeting, and tax preparation services; compare financial service offerings; and analyze spending.

For additional background on the Rule, see our previous update on open banking and the final Rule.

Banks Push Back

In an immediate response to the Rule, a bank and two bank industry groups sued the CFPB in federal court, claiming, among other things, that the CFPB exceeded its statutory authority in violation of the Administrative Procedure Act (APA). See Compl., Forcht Bank, N.A. v. Consumer Fin. Prot. Bureau, No. 5:24-cv-00304-DCR (E.D. Ky. Oct. 22, 2024). Namely, plaintiffs argue that the statute did not authorize the agency to require data providers to share consumer information with "authorized third parties," and that this requirement creates substantial security risks for consumers as well as undue burdens on the data providers.

Change of Administration and CFPB Leadership

Soon after President Trump took office in January 2025, he replaced CFPB Director Rohit Chopra with Acting Director Russell Vought and issued Executive Order 14219, which instructs agency heads to identify unlawful regulations and those "based on anything other than the best reading of the underlying statutory authority" for potential rescission or modification.

CFPB Changes Its Position

Following these administrative changes, the CFPB now finds its own Rule to be unlawful. On May 23, 2025, the CFPB filed a status report in litigation challenging the Rule, stating that "Bureau leadership has determined that the Rule is unlawful and should be set aside," followed by the CFPB's motion for summary judgment filed on May 30, 2025, agreeing with the plaintiffs' position.

In its summary judgment motion, the CFPB put forth the following arguments.

Statutory Authority

First, the CFPB now argues that the agency exceeded its statutory authority in promulgating the Rule. In issuing the Rule, the CFPB under the prior administration claimed statutory authority under Section 1033 of the CFPA, which provides:

  1. Subject to rules prescribed by the [CFPB], a covered person shall make available to a consumer, upon request, information in the control or possession of the covered person concerning the consumer financial product or service that the consumer obtained from such covered person . . . .

  2. The [CFPB], by rule, shall prescribe standards applicable to covered persons to promote the development and use of standardized formats for information, including through the use of machine readable files, to be made available to consumers under this section.

12 U.S.C. § 5533(a) & (d) (emphasis added). The CFPB during the Biden administration asserted that the Rule was justified in light of the above language and the CFPA's definition of "consumer," which includes agents, trustees, or representatives acting on behalf of an individual (12 U.S.C. § 5481).

By contrast, the CFPB now claims it exceeded its authority by requiring certain financial institutions to provide consumers and any authorized third parties with access to covered data under the Rule (12 C.F.R. § 1033.201). The Rule obligates these financial institutions to create both a consumer interface and a developer interface to allow data sharing with consumers and those third parties.

The CFPB argues in its motion that, at most, the Rule should only allow legal representatives with a fiduciary duty to the consumer to access this data, based on the CFPA's definition of "consumer." However, the Rule currently allows any third party to become an "authorized third party" if it gives notice and obtains the consumer's consent to access data for a requested product or service. The Rule's definition of "consumer" already includes fiduciaries such as guardians, trustees, and custodians (12 C.F.R. § 1033.131), so "authorized third parties" must refer to others who are not fiduciaries—which the CFPB asserts is an expansion of the law's permitted scope.

The CFPB further contends that nothing in either Section 1033 or its legislative history suggests Congress intended to give the agency broad authority to regulate open banking. Instead, the statute is meant to ensure consumers can access their own financial information. The Rule's broad approach to regulating open banking goes beyond the agency's statutory authority and therefore violates the APA, according to the CFPB.

Substantial Risk to Consumers

The CFPB also contends that the Rule's extensive data-sharing requirements pose an unacceptable risk to consumer privacy and data security and are another reason why the Rule is arbitrary and capricious in violation of the APA. The CFPB now argues that the agency during the previous administration failed to reasonably assess the cumulative effects and risks of a vast data-sharing framework, which permits any authorized third party (and its subcontractors) to directly access a consumer's sensitive financial information. Furthermore, under the Rule, a bank is limited in its ability to deny access to its developer interface or otherwise limit access to sensitive consumer information, even when the bank believes denial is appropriate to satisfy its information security or other risk management obligations.

Undue Financial Burden to Covered Providers

Additionally, the CFPB argues that the Rule exceeds the CFPB's statutory authority by prohibiting data providers from charging fees—even reasonable fees—for operating and maintaining these interfaces, essentially providing third-party competitors with a "windfall." The CFPB says such failure to consider these effects in the aggregate renders the Rule unreasonable, and also, nothing in Section 1033 indicates that Congress authorized it to force data providers to establish a costly and complex developer interface system to provide third-party commercial actors with consumers' financial data, free of charge. Despite the argument of the CFPB in the previous administration that a fee may impair consumers' right to access their information, the CFPB now contends that "the Rule goes far beyond" ensuring that fees do not impede consumer rights and should be rendered arbitrary and capricious in violation of the APA.

Compliance Deadlines

Finally, the Rule establishes a framework of "consensus standards," to be set by recognized standard-setting bodies, that would serve as indicia for compliance with various provisions. However, these consensus standards would not become available until after the relevant compliance dates, which the CFPB now argues render the Rule's compliance deadlines arbitrary and capricious in violation of the APA because data providers cannot look to a consensus standard that does not yet exist.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More