- within Transport topic(s)
The Consumer Financial Protection Bureau (CFPB) has once again found itself at the center of an intense policy debate. Its August 2025 Advance Notice of Proposed Rulemaking (ANPR) on Personal Financial Data Rights — better known as the Open Banking Rule under Section 1033 of the Dodd-Frank Act — drew almost 14,000 public comments before the October 21 deadline.
At its core, Section 1033 requires financial institutions to make certain consumer-authorized data available to the consumer or to a third party of the consumer's choosing upon request. The CFPB's 2024 rule aimed to turn that principle into an operational "open banking" framework.
The volume of public comments in response to the ANPR signals how consequential this rulemaking could be for banks, fintechs, and consumers alike. Although the CFPB hasn't yet released an official summary of the 13,989 submissions, the comment docket reveals a series of recurring and sometimes sharply opposing themes.
How Broad Should "Representative" Be?
Banking trade groups urged the Bureau to narrow the definition of who can request data on a consumer's behalf. They argued that the term "representative" in the statute implies a fiduciary relationship, not a mere click-through authorization on a fintech app.
Fintech coalitions and consumer advocates disagreed, insisting that consumers should retain the freedom to delegate data access to any trusted third party — from budgeting apps to alternative lenders.
Fees and Cost Recovery
Another flash point was whether data providers can charge fees for fulfilling data-access requests.
Banks and credit unions believe that data providers should have the right to charge fees for data access, that the CFPB lacks statutory authority to prohibit such fees, and allowing market-based fee negotiations would better serve security, efficiency and competitive fairness objections.
Fintechs and consumer advocates countered that fees would chill competition by raising barriers for new entrants and limiting consumer choice.
Data Security
Across the spectrum, commenters agreed that security obligations need tightening — but diverged on who bears responsibility.
Banks highlighted risks created by data aggregators that store and transmit sensitive credentials, calling for symmetrical security standards for all data holders.
Fintech firms, meanwhile, cautioned that overly prescriptive requirements could solidify the position of established players and hinder innovation.
Privacy and Secondary Use
Consumer advocacy organizations pressed the CFPB not to weaken the 2024 framework on data minimization and purpose limitation. They warned that curtailing or eliminating strict limits on secondary uses of consumer data (such as marketing or profiling) could lead to the erosion of privacy protections and function creep.
Banks echoed privacy concerns — but used them to argue for narrower data-sharing permissions rather than broader consumer control.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
