Planning For Open Banking Despite CFPB Uncertainty
Open banking has been lauded by many as an accelerant for innovation in financial services.
But a lawsuit brought by groups including the Bank Policy Institute and Kentucky Bankers Association, Forcht Bank NA v. Consumer Financial Protection Bureau, currently pending in the U.S. District Court for the Eastern District Of Kentucky, is challenging the new rules of the road for open banking and has thrown ice on the prospect of a regulated market.
Despite the uncertainty, banks, fintech companies, payments companies and a broad swath of third parties using consumer-authorized data sharing can take steps now to maximize the innovative potential of this data stream and manage the multifaceted risks it presents.
Setting the Stage: The CFPB’s Final Open Banking Rule
On Oct. 22, 2024, the CFPB finalized its long-awaited personal financial data rights rule under Section 1033 of the Consumer Financial Protection Act. This marked a significant milestone in the regulation of consumer-authorized sharing of financial data, also referred to as open banking.
The final rule established guidelines for how banks, fintech companies and data aggregators must manage access to consumers’ financial data.
Litigation Chills CFPB’s Open Banking Rule
Despite its recent publication, the Section 1033 open banking rule is seemingly in peril. Forcht Bank v. CFPB was filed in Kentucky federal court the same day the rule was issued. The lawsuit seeks to set aside the entire Section 1033 rule based on alleged violations of the Administrative Procedure Act.
Following the change in leadership at the CFPB, on Feb. 25 U.S. District Judge Danny C. Reeves ordered the case stayed and tolled the compliance deadlines by an additional 90 days, pushing the earliest compliance deadline for the largest banks and nonbank providers from April 1, 2026, to June 30, 2026. Smaller banks and nondepository providers will have an additional year or longer to comply, depending on their size.
The Financial Technology Association has sought to intervene in the suit, in an effort to defend the final rule, should current CFPB leadership choose not to.
While the earliest compliance deadlines may seem far in the distance, the technical work needed to comply with the rule is so significant that data providers are expected to need every minute of these extended compliance periods to bring their systems, policies and user experiences up to speed.
Options for the CFPB to Revise its Open Banking Rule
There’s a growing sense that the CFPB may take some action to revise its open banking rule in response to the banking industry’s lawsuit and to meet the varied demands of its fintech, big tech and bank constituencies.
In reopening the final rule, the CFPB could procedurally issue a request for information, seeking additional input from the industry as it evaluates potential changes to the rule, and announce a present intent not to enforce the rule, as it has done recently with others. But that light-touch approach to enforcement would coexist with the firm compliance deadlines etched in the final rule — which are enforceable by state attorneys general and regulators — until an amendment is proposed and finalized. The CFPB could also issue an interim final rule to extend the compliance deadlines as it conducts this work.
On the other end of the spectrum of possibility, the CFPB could pursue a full repeal of the rule.
In substance, the CFPB could take a nuanced approach and change its position on some of the most controversial aspects of the rule. The CFPB could remove the limitations on secondary use of data by authorized third parties, the required disclosure of payment initiation data and the ban on data providers charging fees. It could provide more clarity on third-party risk management obligations and affirmatively address liability when something goes wrong.
An opportunity exists now for the industry to put together their wish lists for revisions to the final Section 1033 rule, establish cogent arguments for them, build coalitions to support them and vocally advocate for changes.
Practical Steps to Manage Risk and Support Innovation Now
Banks and financial services companies may be tempted to wait for the uncertainty around the CFPB’s final open banking rule to dissipate before mobilizing an active open banking strategy, but that choice carries its own risks. Many of the issues addressed by the final rule fall to banks and fintechs to tackle now, regardless of where the final rule lands.
Below is a series of no-regrets actions that banks and fintechs can take now.
Manage data security concerns with modern architecture
Screen scraping, where a third party collects a user’s online credentials and uses them to programmatically log into the user’s account and extract data, is still a prevalent practice despite the data security risks it presents. Many data providers have identified risks from screen scraping and begun making more secure data access methods available, namely application programming interfaces.
All providers of financial products — not only consumer credit card issuers and deposit products providers covered by the final Section 1033 rule — should assess how third parties are accessing data today, as it’s likely happening whether they realize it or not.
They should then assess the scope of risk presented and determine the right path forward for their institution and their customers. This includes monitoring for screen scraping and other risky access patterns, developing a secure and sanctioned alternative access channel, and creating a third-party risk management program to manage the parties accessing data.
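The first step above is measuring how much credential-based automated access is already hitting the login endpoint. As an added illustration that is not part of the original article, the Python below scans constructed login records for the signatures that typically distinguish a scraper replaying a consumer's credentials from the consumer's own browser: automation tooling in the User-Agent, an implausible number of logins per day, several source addresses for one account in a day, and a near-constant interval between logins. The log format, field names and thresholds are assumptions for this example; a real deployment would tune them against the institution's own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample authentication log (not from any real system). The
# "key=value" layout is a hypothetical format assumed for this example.
SAMPLE_LOG = """\
2025-04-01T02:00:00Z login user=alice ip=203.0.113.10 ua="Mozilla/5.0 HeadlessChrome/120" result=ok
2025-04-01T06:00:00Z login user=alice ip=203.0.113.10 ua="Mozilla/5.0 HeadlessChrome/120" result=ok
2025-04-01T10:00:00Z login user=alice ip=203.0.113.11 ua="Mozilla/5.0 HeadlessChrome/120" result=ok
2025-04-01T14:00:00Z login user=alice ip=203.0.113.10 ua="Mozilla/5.0 HeadlessChrome/120" result=ok
2025-04-01T18:00:00Z login user=alice ip=203.0.113.12 ua="Mozilla/5.0 HeadlessChrome/120" result=ok
2025-04-01T08:13:44Z login user=bob ip=198.51.100.7 ua="Mozilla/5.0 (iPhone; CPU iPhone OS 17_0) Safari/604.1" result=ok
2025-04-02T19:02:10Z login user=bob ip=198.51.100.7 ua="Mozilla/5.0 (iPhone; CPU iPhone OS 17_0) Safari/604.1" result=ok
2025-04-01T03:30:00Z login user=carol ip=192.0.2.5 ua="python-requests/2.31" result=ok
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) login user=(?P<user>\S+) ip=(?P<ip>\S+) '
    r'ua="(?P<ua>[^"]*)" result=(?P<result>\S+)$'
)

# Substrings that point to browser automation or HTTP libraries rather than a person's browser.
AUTOMATION_UA_MARKERS = ("headlesschrome", "phantomjs", "python-requests", "curl/", "selenium")


def parse_log(text):
    """Parse key=value login records into dicts with a timezone-aware timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed layout
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return events


def flag_scraping_patterns(events, max_logins_per_day=4, max_ips_per_day=2, cadence_cv=0.15):
    """Return {user: [reasons]} for accounts whose successful-login pattern looks automated."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "ok":
            by_user[e["user"]].append(e)

    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        reasons = []

        # 1. Automation tooling in the User-Agent string.
        if any(any(mk in e["ua"].lower() for mk in AUTOMATION_UA_MARKERS) for e in evs):
            reasons.append("automation user-agent")

        # 2./3. Per-UTC-day login volume and number of distinct source addresses.
        per_day = defaultdict(list)
        for e in evs:
            per_day[e["ts"].date().isoformat()].append(e)
        for day, day_evs in sorted(per_day.items()):
            if len(day_evs) > max_logins_per_day:
                reasons.append(f"{len(day_evs)} logins on {day}")
            ips = {e["ip"] for e in day_evs}
            if len(ips) > max_ips_per_day:
                reasons.append(f"{len(ips)} source IPs on {day}")

        # 4. Periodicity: a near-constant gap between logins is a scheduler, not a person.
        if len(evs) >= 4:
            gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
            if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < cadence_cv:
                reasons.append("machine-like login cadence")

        if reasons:
            findings[user] = reasons
    return findings


def scan(text=SAMPLE_LOG):
    """Convenience wrapper: parse and flag in one call."""
    return flag_scraping_patterns(parse_log(text))


if __name__ == "__main__":
    for user, reasons in scan().items():
        print(f"{user}: {'; '.join(reasons)}")
```

On the constructed sample, `alice` trips all four heuristics and `carol` trips only the User-Agent check, while `bob` (two ordinary mobile logins on different days) is left alone. The point of the cadence and IP-diversity checks is that a scraper can spoof a realistic User-Agent, but it cannot easily hide a fixed polling schedule or a pool of egress addresses; a provider that sees these patterns at volume has a concrete basis for prioritizing the sanctioned API channel and the third-party program described above.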
Decide what data to make available
The final rule addresses the disclosure of data about consumer deposit accounts, prepaid and credit cards, and other accounts governed by Regulation E, which covers electronic funds transfers. The rule covers six categories of data to be disclosed for these accounts, but it provides few examples of the specific elements that fall into each category. It’s ultimately up to individual data providers to decide what data within those categories they will make available to authorized third parties.
Financial services companies more broadly also need to consider whether to make data available about other products — such as mortgages, auto loans, student loans, personal loans, investments and securities, and small business products — and which unique data elements to make available for each of those account types.
Create disclosures and user experiences that emphasize transparency
Providing customers with transparency regarding data-sharing activities is a best practice and will be required by the final Section 1033 rule, though model disclosures were not provided. Third parties receiving data are expected to tell their customers what data they’ll collect and how that data will be used, document the customer’s consent to those terms of access, and abide by their commitments.
Data providers will be allowed to confirm data-sharing authorizations when they’re initially made, create dashboards that tell customers which third parties are accessing data and let customers stop sharing data, and notify customers about data access changes, such as when a new connection is established or access is revoked. Data providers and authorized third parties will need to consider which issues to include in disclosures within their user experiences and which issues to address in detailed terms and conditions, each with an eye toward maximizing consumer transparency and control.
Control residual risks with bilateral agreements
When authorized third parties access data, particularly via application programming interfaces, the data provider may set the terms upon which that access may be granted. These terms are ordinarily captured in bilateral agreements between the data provider and data recipient, and can range from click-through, take-it-or-leave-it developer terms to highly negotiated bespoke data access agreements.
In any case, these agreements will typically address:
- Data handling and data security expectations;
- Identity verification protocols and requirements for the third parties and end users;
- Data access limitations, such as frequency of access requests when the end user is present versus batch requests when the end user is not present;
- Dispute handling when errors are detected;
- Use of brand names, logos and other trademarks; and
- Allocations of liability for data breaches and fraud.
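The access-limitation term in the list above is usually enforced in the data provider's API gateway rather than left to the contract alone. As an added example that is not from the article, the Python below is a sliding-window limiter keyed by third party, consumer and access mode: calls made while the consumer is present in the third party's app draw on a short-window budget, and unattended batch refreshes of the same consumer's data draw on a separate, much smaller daily budget. The window sizes, limits and identifiers are hypothetical; the actual figures belong in the bilateral agreement.

```python
from collections import defaultdict, deque

# Hypothetical limits assumed for this example, not values from any real agreement.
INTERACTIVE_WINDOW_SECONDS = 60
INTERACTIVE_LIMIT = 30        # calls per minute while the consumer is present
BATCH_WINDOW_SECONDS = 86_400
BATCH_LIMIT = 4               # unattended refreshes per day per consumer


class DataAccessLimiter:
    """Sliding-window limiter keyed by (third party, consumer, access mode)."""

    def __init__(self, interactive_limit=INTERACTIVE_LIMIT, batch_limit=BATCH_LIMIT):
        self.limits = {
            "interactive": (INTERACTIVE_WINDOW_SECONDS, interactive_limit),
            "batch": (BATCH_WINDOW_SECONDS, batch_limit),
        }
        # key -> timestamps (seconds) of requests that were allowed
        self.hits = defaultdict(deque)

    def check(self, third_party, consumer, user_present, now):
        """Return (allowed, mode, remaining) and record the request if it is allowed."""
        mode = "interactive" if user_present else "batch"
        window, limit = self.limits[mode]
        q = self.hits[(third_party, consumer, mode)]
        while q and now - q[0] >= window:  # evict timestamps that fell out of the window
            q.popleft()
        if len(q) >= limit:
            return False, mode, 0
        q.append(now)
        return True, mode, limit - len(q)


def simulate():
    """Constructed scenario: one aggregator polls one consumer's account every hour."""
    lim = DataAccessLimiter()
    # Six unattended polls, one per hour: the first four fit the daily budget, the rest do not.
    batch = [lim.check("aggregator-x", "acct-123", False, t * 3600)[0] for t in range(6)]
    # The consumer then opens the app: interactive calls have their own budget.
    interactive_ok = lim.check("aggregator-x", "acct-123", True, 6 * 3600)[0]
    # A day later the batch window has slid past the earlier polls.
    next_day_ok = lim.check("aggregator-x", "acct-123", False, 86_400 + 4 * 3600)[0]
    return batch, interactive_ok, next_day_ok


if __name__ == "__main__":
    print(simulate())
```

Keying the budget on the consumer as well as the third party matters: a per-token limit alone lets an aggregator spend its whole allowance on one account, while a per-consumer budget bounds how often any single consumer's data is pulled, which is the exposure the "end user not present" clause is meant to cap. The denied decisions are also the events worth logging, since a third party that repeatedly exhausts its batch budget is behaving like the scheduled scraping the agreement was written to replace.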
Test and learn
Once the risks associated with open banking are well managed, banks and fintechs can capture the opportunity to innovate using real-time, high quality data. Emerging use cases show promise in improving identity verification, cash-flow-based underwriting, personal financial management and budgeting, fraud models, and payment initiation tooling.
Making Sense Through Chaos
Despite the chaos around the CFPB this year, the global and industrywide trend toward open banking — and even open finance, including securities and insurance products — seems unstoppable. Driven by an insatiable demand for access to more and better data, companies will continue to find ways to gather data from others and to use that data to innovate. Whatever the fate of the CFPB’s final Section 1033 rule, the policy issues that the rule addresses need to be managed by data providers and data recipients alike.
This article was originally published in “Expert Analysis” on April 30, 2025 by Law360. The original publication is available here with a subscription.