Glimmers Of Clarity Appear Amid Open Banking Disarray
This article was published on Law360 on October 17, 2025, and is reprinted with permission.
The Consumer Financial Protection Bureau’s recently announced intent to revise its personal financial data rights rules has cast a shadow on the future of open banking regulations in the U.S. Despite the overwhelming ambiguity that exists for banks and fintechs using open banking technology in the U.S. today, rays of stability are emerging.
The CFPB’s Final Rules, Litigation and an Advance Notice of Proposed Rules
The CFPB finalized its personal financial data rights rules to govern the burgeoning open banking market in the fall of 2024. The day the rule was published, banking trade associations filed suit in Forcht Bank NA v. CFPB in the U.S. District Court for the Eastern District of Texas to block it from taking effect, claiming the rule should be vacated for being arbitrary and capricious and exceeding the CFPB’s statutory authority.
After the change in administration earlier this year, the CFPB’s views changed with it, and the agency filed a motion for summary judgment in the litigation, switching sides and asking the court to vacate its own rules.
But after some large banks stated they would consider imposing fees for third-party access to data — fees that will be expressly prohibited by the current rules once they become effective — the fintech industry, including crypto companies that use open banking tools to assist with fiat money movement, complained loudly.
After a short but seemingly effective advocacy campaign, the CFPB changed its views again and asked the court to stay the litigation so it could conduct an “accelerated rulemaking” to modify the rules.
The CFPB published an advance notice of proposed rulemaking on Aug. 22. Rather than providing notice of any specific changes, the advance notice asks 36 questions to inform the agency’s evaluation of a few discrete areas of the rules: which kinds of companies can qualify as a representative to access data on behalf of a consumer, the costs that data providers incur when making data available, and the data security and privacy threats that exist from open banking.
Comments are due to the CFPB on Oct. 21.
Open Banking Rules Likely to Remain — Even if Revised
The advance notice of proposed rulemaking represents a relatively narrow inquiry into specific components of the final rule.
While these are important areas — dealing with who can access data, what fees can be imposed by data providers, and what data security and use limitations might apply — they don’t question the core structure of the final rules or undermine the need for open banking regulation as a whole.
Even if the CFPB were to conclude that the scope of representatives that can access data should be limited to companies with a fiduciary-like consumer relationship, the fact that agents, trustees and some category of representatives will still exist with rights to access data on behalf of consumers necessitates rules of the road.
Data providers will still need to grapple with risks from screen scraping, develop secure methods of sharing data with third parties (i.e., a developer interface or application programming interface, or API), evaluate and approve third parties seeking access to data, provide consumer disclosures and obtain consent to make data available, determine what data to make available, develop secure data-sharing capabilities, and authenticate and monitor third parties on an ongoing basis.
Rules of the road for third parties are still needed to ensure that third parties provide consumers with disclosures about what data is being accessed and how it will be used, and are subject to minimum data security limitations.
And data providers and third parties will still need to sign bilateral data access agreements to address commercial issues not addressed by the rules, including allocations of liability for when things go wrong.
Expect Changes on the Margins
Rather than a complete rescission or significant revamp of the open banking rules, the advance notice indicates that the CFPB is likely to seek changes on the margins. The two most consequential areas are likely to involve data access fees and data security and privacy limitations.
Permitting Some Data Access Fees
Data providers incur significant costs in developing technology to make data securely available to third parties on behalf of their customers.
In addition to the technical engineering and product teams needed to build interfaces for third-party access, specialized support staff across a variety of disciplines, including identity verification and authentication, fraud, risk, operations, third-party risk management, compliance, and legal teams, are needed to ensure these systems run properly and without exposing the data provider or consumer to undue risk. Second-order costs can also arise from fraud and unauthorized transactions.
While the current rules prohibit data providers from charging any fees for access to consumer account data, the CFPB appears inclined to permit data providers to recover some of these costs. While this is a difficult endeavor, and data recipients paying those fees are likely to object, some foreign governments have developed approaches to enable compensation for financial data access.
For example, the European Union’s framework for financial data access would permit data-sharing schemes with what it calls “reasonable compensation” for data providers, indicating that a workable middle ground may exist.
Enhanced Data Security and Privacy Expectations
Whether rooted in third parties being subject to fiduciary-like obligations or specific data security and privacy concerns, the CFPB could be inclined to place additional requirements and limitations on downstream uses of data.
For example, third parties’ so-called secondary use of data for purposes that aren’t confined to delivering the requested product or service, such as using data to improve services provided to all customers, could be considered problematic and curtailed.
No-Regrets Steps for Banks and Fintechs to Take Now
While the CFPB’s ongoing efforts to amend the final rules and the pending litigation create regulatory uncertainty in the near to medium term, the market is moving forward.
Banks, fintechs, and data aggregators continue to invest in APIs, build interoperable data access frameworks and implement security tools that reflect the inevitability of regulated open banking.
Even if the compliance deadlines shift or the details are tweaked, the broader direction of travel is clear: Open banking is part of the U.S. financial services landscape for the foreseeable future.
The CFPB’s final rules, regardless of how they are revised, will serve as minimum expectations. Forward-looking institutions will seek to capitalize on the innovation available from real-time access to consumers’ account data while managing the risks it presents.
The following are a series of no-regrets actions companies should consider taking right now, in consultation with business and other stakeholders.
Develop a comprehensive open banking strategy.
If you’re a data provider, consider how your customers are using open banking today: Who are they sharing data with and why? What behaviors can you observe about customers that are sharing data?
Perhaps there are needs being met outside your institution that you want to support, or better yet, provide on a competitive basis. If you are accessing data, or thinking about accessing data, consider all the emerging use cases that could provide value to your customers: smarter payments, enhanced underwriting using cash flow data, improved identity verification and authentication, easier account opening and onboarding, and the list goes on.
Check out the case study library from the U.K.’s Open Banking Limited for a helpful list of real-world examples.
Invest in more secure APIs and data-sharing infrastructure.
The long-term trend is clear: Standardized, secure APIs are the preferred path over screen-scraping, which is plagued with security and quality risks. Investing in API readiness will pay dividends in efficiency and risk reduction, and quietly build customer trust and confidence in your brand.
Strengthen data governance and privacy practices.
With great data comes great responsibility. As companies access more data through open banking rails, the need for strong data governance and privacy protections increases.
Efforts to minimize data collected, closely tie the use of data to customer consent, and enforce retention limits become increasingly important.
Companies should be prepared for enhanced restrictions on data resale or reuse. Robust data governance processes will be viewed positively by regulators, partners and customers alike.
Engage in the policymaking process.
The Administrative Procedure Act requires the CFPB to receive and consider input from the public as it develops revised rules, so companies would be wise to share their perspectives.
The agency needs your input to ensure all perspectives are considered. Comment letters, participation in trade groups and direct engagement can help ensure your perspective is heard.
Monitor litigation and international developments.
Forcht — the banking industry lawsuit challenging the CFPB’s final rules — continues to be a wild card. While the case is currently stayed, the court is continuing to monitor the CFPB’s progress in revising the rules, and the case could be reopened at any point.
While our regulatory (dis)function grinds on, we can learn from other jurisdictions around the world that are continuing to experiment with open banking regulatory policies, e.g., the EU’s allowance of reasonable compensation for data access and New Zealand’s development of API standards.
Companies that benchmark their activities globally will benefit from mature policies.
Conclusion
The CFPB’s vacillation over its personal financial data rights rules has created uncertainty, but the advance notice of proposed rulemaking is a strong signal that open banking regulations are here to stay.
While changes are likely on the margins — defining “representatives,” adjusting fee models, tightening security and privacy standards — the overarching momentum is toward a regulated, interoperable ecosystem.
Banks, fintechs and other financial service providers should consider open banking a durable feature of the market. Waiting for regulatory clarity is not a risk-free strategy.
By taking no-regrets actions now, like building secure APIs, testing features using consumer-permissioned data and enhancing data governance practices, banks and fintechs can reduce compliance risk and seize competitive advantages.
The rules may shift, but the open banking era has arrived. The companies that act now will be best positioned to thrive in it.
