The Slow Death of the CFPB Open Banking Rule?

On May 30, 2025, the Consumer Financial Protection Bureau (CFPB) stated in a court filing that its “Open Banking Rule” (Rule) issued during the Biden administration “is unlawful and should be set aside.” This shift is part of a wider effort by the CFPB to rescind or limit previously issued regulations. 

Background on the Open Banking Rule

After much anticipation, in October 2024, the CFPB announced its final rule on personal financial data rights, implementing Section 1033 of the Consumer Financial Protection Act of 2010 (12 U.S.C. § 5533) (CFPA). The CFPB drafted the Rule to mandate that certain providers of financial products and services enable consumers to control the access to and sharing of their financial data to increase transparency and competition. 

The Rule seeks to ensure that both consumers and their authorized third parties can access consumers’ financial data in a secure and reliable manner to promote a system of “open banking” (i.e., a network of entities sharing personal financial data with consumer authorization). Examples of common open banking services used today include apps or other third-party services that obtain consumers’ permission to access their bank account directly (usually through an application programming interface) in order to help consumers view and consolidate accounts across multiple financial institutions; pay for goods or services online without a credit card; import account information for accounting, budgeting, and tax preparation services; compare financial service offerings; and analyze spending. 

For additional background on the Rule, see our previous update on open banking and the final Rule.

Banks Push Back

In an immediate response to the Rule, a bank and two bank industry groups sued the CFPB in federal court, claiming, among other things, that the CFPB exceeded its statutory authority in violation of the Administrative Procedure Act (APA). See Compl., Forcht Bank, N.A. v. Consumer Fin. Prot. Bureau, No. 5:24-cv-00304-DCR (E.D. Ky. Oct. 22, 2024). Namely, plaintiffs argue that the statute did not authorize the agency to require data providers to share consumer information with “authorized third parties,” and that this requirement creates substantial security risks for consumers as well as undue burdens on the data providers. 

Change of Administration and CFPB Leadership

Soon after President Trump took office in January 2025, he replaced CFPB Director Rohit Chopra with Acting Director Russell Vought and issued Executive Order 14219, which instructs agency heads to identify unlawful regulations and those “based on anything other than the best reading of the underlying statutory authority” for potential rescission or modification. 

CFPB Changes Its Position 

Following these administrative changes, the CFPB now finds its own Rule to be unlawful. On May 23, 2025, the CFPB filed a status report in litigation challenging the Rule, stating that “Bureau leadership has determined that the Rule is unlawful and should be set aside,” followed by the CFPB’s motion for summary judgment filed on May 30, 2025, agreeing with the plaintiffs’ position. 

In its summary judgment motion, the CFPB put forth the following arguments.

Statutory Authority

First, the CFPB now argues that the agency exceeded its statutory authority in promulgating the Rule. In issuing the Rule, the CFPB under the prior administration claimed statutory authority under Section 1033 of the CFPA, which provides: 

1. Subject to rules prescribed by the [CFPB], a covered person shall make available to a consumer, upon request, information in the control or possession of the covered person concerning the consumer financial product or service that the consumer obtained from such covered person . . . .

2. The [CFPB], by rule, shall prescribe standards applicable to covered persons to promote the development and use of standardized formats for information, including through the use of machine readable files, to be made available to consumers under this section.

12 U.S.C. § 5533(a) & (d) (emphasis added). The CFPB during the Biden administration asserted that the Rule was justified in light of the above language and the CFPA’s definition of “consumer,” which includes agents, trustees, or representatives acting on behalf of an individual (12 U.S.C. § 5481). 

By contrast, the CFPB now claims it exceeded its authority by requiring certain financial institutions to provide consumers and any authorized third parties with access to covered data under the Rule (12 C.F.R. § 1033.201). The Rule obligates these financial institutions to create both a consumer interface and a developer interface to allow data sharing with consumers and those third parties.

The CFPB argues in its motion that, at most, the Rule should only allow legal representatives with a fiduciary duty to the consumer to access this data, based on the CFPA’s definition of “consumer.” However, the Rule currently allows any third party to become an “authorized third party” if it gives notice and obtains the consumer’s consent to access data for a requested product or service. The Rule’s definition of “consumer” already includes fiduciaries such as guardians, trustees, and custodians (12 C.F.R. § 1033.131), so “authorized third parties” must refer to others who are not fiduciaries—which the CFPB asserts is an expansion of the law’s permitted scope.

The CFPB further contends that nothing in either Section 1033 or its legislative history suggests Congress intended to give the agency broad authority to regulate open banking. Instead, the statute is meant to ensure consumers can access their own financial information. The Rule’s broad approach to regulating open banking goes beyond the agency’s statutory authority and therefore violates the APA, according to the CFPB.

Substantial Risk to Consumers

The CFPB also contends that the Rule’s extensive data-sharing requirements pose an unacceptable risk to consumer privacy and data security and are another reason why the Rule is arbitrary and capricious in violation of the APA. The CFPB now argues that the agency during the previous administration failed to reasonably assess the cumulative effects and risks of a vast data-sharing framework, which permits any authorized third party (and its subcontractors) to directly access a consumer’s sensitive financial information. Furthermore, under the Rule, a bank is limited in its ability to deny access to its developer interface or otherwise limit access to sensitive consumer information, even when the bank believes denial is appropriate to satisfy its information security or other risk management obligations. 

Undue Financial Burden to Covered Providers

Additionally, the CFPB argues that the Rule exceeds the CFPB’s statutory authority by prohibiting data providers from charging fees—even reasonable fees—for operating and maintaining these interfaces, essentially providing third-party competitors with a “windfall.” The CFPB says such failure to consider these effects in the aggregate renders the Rule unreasonable, and also, nothing in Section 1033 indicates that Congress authorized it to force data providers to establish a costly and complex developer interface system to provide third-party commercial actors with consumers’ financial data, free of charge. Despite the argument of the CFPB in the previous administration that a fee may impair consumers’ right to access their information, the CFPB now contends that “the Rule goes far beyond” ensuring that fees do not impede consumer rights and should be rendered arbitrary and capricious in violation of the APA. 

Compliance Deadlines

Finally, the Rule establishes a framework of “consensus standards,” to be set by recognized standard-setting bodies, that would serve as indicia for compliance with various provisions. However, these consensus standards would not become available until after the relevant compliance dates, which the CFPB now argues render the Rule’s compliance deadlines arbitrary and capricious in violation of the APA because data providers cannot look to a consensus standard that does not yet exist. 

* * * * *

Thus, the CFPB now argues that due to the “numerous legal infirmities” that are “essential” and “interwoven” in the Rule, the Rule in its entirety should be vacated as unlawful under the APA. 

If the court invalidates the Rule, the question remains whether the CFPB, under the CFPA, will exercise its authority to promulgate rules that require a “covered person” to make available to a “consumer, upon request, information in the control or possession of the covered person concerning the consumer financial product or service that the consumer obtained from such covered person . . . .” and to do so in an electronic form usable by consumers. Without the CFPB acting upon this authority, this part of the CFPA will lie dormant.

Nevertheless, the fate of the Rule is still uncertain. Despite the CFPB’s 180-degree turn, the Financial Technology Association (FTA) is still an active defendant in the current case, and in response to its co-defendant’s motion for summary judgment, it has stated that “[a]s an intervening party in this lawsuit, FTA will continue to defend this right and work to uphold Americans’ financial freedoms . . . . We will review the CFPB’s filings in this case and respond in kind.”