
Introduction
The CFPB's Personal Financial Data Rights Rule (Section 1033) was set to reshape how fintechs access consumer financial data — but a federal court blocked its enforcement in October 2025, leaving the industry in regulatory limbo. For fintechs built on consumer data access, this isn't just policy news; it's a business continuity issue.
The core tension is real: standardized data-sharing rights would give fintechs enormous competitive advantages and finally replace fragile screen scraping with secure APIs. That promise is now on hold. The rule is paused, banks are moving to charge data access fees, and the CFPB is conducting a full rulemaking revision with no firm timeline.
This article covers what the rule actually requires, the current legal status, what it means for fintech business models, and the concrete steps you should take now. The fintechs that come out ahead will be the ones that use this pause to build compliance infrastructure — not wait for it to resolve.
TLDR: Key Takeaways
- The CFPB's rule requires financial institutions to share consumer data with authorized third parties via secure APIs, replacing screen scraping
- A federal court halted enforcement in October 2025; compliance deadlines are suspended while the CFPB completes a new rulemaking
- JPMorgan Chase began charging data access fees in July 2025, with other major banks signaling similar moves
- Fintechs face rising data connectivity costs and the risk that banks can unilaterally restrict access
- Audit data dependencies, review API readiness, and build compliance-ready data governance before the final rule lands
What Is the CFPB Open Banking Rule (Section 1033)?
Section 1033 of the Dodd-Frank Act establishes that financial data belongs to consumers, not financial institutions. The statute requires covered firms to make consumer financial information available to the consumer and their authorized representatives upon request.
The finalized rule (November 2024) operationalizes this right by requiring covered financial institutions to build and maintain developer interfaces (APIs). These APIs allow consumers and authorized third parties — including fintech apps, data aggregators, and digital wallets — to access specific categories of financial data.
What Data Is Covered
The 2024 rule covers:
- Transaction and account data from checking accounts
- Prepaid cards and credit cards
- Digital wallets and payment apps
- At least 24 months of transaction history, account balances, and payment initiation routing details
Not included in the initial scope:
- Brokerage accounts
- Mortgages
- Auto loans
- Savings accounts
The CFPB has flagged these categories for potential inclusion in a subsequent rulemaking phase.
Why It Matters to Fintechs
The rule was designed to replace unreliable and insecure "screen scraping" methods with standardized, permissioned API access. Screen scraping requires the third party to store consumer credentials, which creates security vulnerabilities and fraud risks.
The CFPB estimated that screen scraping still accounted for roughly 50% of the 50 billion to 100 billion annual consumer-authorized data access attempts in 2022, despite credential-free APIs growing to handle 24% of attempts.
For fintechs, standardized API access provides a more reliable, legally supported foundation for products that depend on consumer financial data, including:
- Credit underwriting and income verification
- Budgeting and personal finance management tools
- Digital wallet funding and payment initiation
- Account aggregation and financial data platforms
Who the Rule Applies To
Data providers: Financial institutions above certain asset thresholds are required to make data available:
- Tier 1 (largest): Depositories ≥$250B assets; Non-depositories ≥$10B receipts (original deadline: April 1, 2026, later tolled to June 30, 2026)
- Tier 2-5: Smaller institutions phased in through April 2030
- Exempt: Depositories at or below ~$850M in assets
The flip side of those provider obligations falls on the fintechs and aggregators consuming the data.
Authorized third parties: Fintechs and data aggregators accessing the data must comply with strict obligations:
- Provide clear authorization disclosures and obtain express consumer consent
- Limit data collection to what is "reasonably necessary" for the requested product or service
- Refrain from secondary uses, including targeted advertising, cross-selling, and data sales
- Obtain new authorization annually (reauthorization requirement)
- Bind downstream recipients to the same obligations
The Legal Battle: Why the Rule Is Currently Blocked
The rule faced immediate legal challenges from the banking industry, culminating in a complete halt.
| Date | Event | Details |
|---|---|---|
| Oct 22, 2024 | Lawsuit Filed | Bank Policy Institute, Kentucky Bankers Association, and Forcht Bank sued the CFPB in Eastern District of Kentucky, arguing the agency exceeded its statutory authority |
| May 14, 2025 | FTA Intervention | The Financial Technology Association successfully intervened as a defendant, giving fintechs a formal seat at the table |
| Jul 29, 2025 | CFPB Pivots | Acting Director Russell Vought requested a stay, stating the rule was unlawful and announcing a rewrite |
| Oct 29, 2025 | Preliminary Injunction | Judge Danny Reeves enjoined the CFPB from enforcing the rule until reconsideration is complete |
| Dec 26, 2025 | Appeals Filed | Both the FTA and CFPB filed notices of appeal to the Sixth Circuit |

The Trump Administration's Unusual Role
When the new administration took over the CFPB in early 2025, Acting Director Russell Vought sided with the banks rather than defending the rule — federal agencies almost never argue against their own regulations in court. The CFPB told the court that the rule exceeded statutory authority by mandating data sharing with commercial third parties and prohibiting fees.
JPMorgan's Data Access Fee Escalation
In July 2025, JPMorgan Chase announced it would begin charging fintechs fees for consumer data access, taking advantage of the regulatory vacuum. The bank argued that fees are necessary to offset the costs of maintaining secure API infrastructure.
By November 2025, JPMorgan secured updated, paid agreements with major aggregators including Plaid, Yodlee, Morningstar, and Akoya.
Exact fee amounts have not been publicly verified, but reports indicated the costs could total hundreds of millions of dollars annually, with payment-focused firms facing the highest tiers.
What the Injunction Means in Practice
Practical implications:
- Compliance deadlines are suspended indefinitely
- Banks face no immediate legal obligation to build or maintain developer interfaces
- No regulatory backstop exists to prevent banks from charging access fees or restricting data sharing unilaterally
- Screen scraping continues, with all its associated security and operational risks
What the Rule Means for Fintechs: Key Opportunities and Risks
The Upside: Standardized API Access Rights
If the rule is ultimately finalized and enforced, fintechs would gain a legally enforceable right to access consumer-authorized financial data through standardized APIs. This removes a structural advantage incumbent banks have long held and opens the door to a broader range of products:
- Credit underwriting based on transaction history
- Budgeting and personal finance management tools
- Payment initiation services
- Crypto wallet funding from bank accounts
The Downside: Data Access Fees and Unit Economics
With the rule blocked, major banks can now set their own fees for data access. Analysts at Bernstein noted that while mature fintechs like PayPal and Block have negotiated multi-faceted agreements and may face limited exposure, smaller startups could be severely impacted.
Fintechs must model scenarios where aggregators pass per-API-call fees down, potentially forcing apps to:
- Raise consumer prices
- Restrict services
- Reduce the frequency of data pulls, degrading user experience
For lending apps that rely on high-volume transaction analysis, these costs could make the underlying business model unprofitable.
The Screen Scraping Problem
Without standardized API requirements, many fintechs still rely on screen scraping — storing consumer credentials to log into bank accounts and extract data. This method:
- Can be blocked by banks at will
- Creates severe security vulnerabilities
- Lacks any consumer authorization framework
- Exposes fintechs to fraud liability
The FBI's 2025 Internet Crime Complaint Center report highlighted approximately 4,700 complaints related to Account Takeover (ATO) fraud, resulting in $359.7 million in losses. The CFPB expects that eliminating credential-based access will lower ATO risks.
Secondary Data Use Restrictions
Even when the rule provides data access rights, it imposes strict data minimization obligations and bans on most secondary uses of consumer data. Fintechs that have relied on broad data use for product development or marketing should audit their data governance practices now.
Prohibited secondary uses include:
- Targeted advertising
- Cross-selling other products
- Sale of covered data
Global Benchmarks: What Regulatory Certainty Delivers
These compliance constraints exist within a broader context: where regulatory frameworks are clear and enforced, open banking markets grow fast. In the UK, the Financial Conduct Authority reported over 16 million active open banking users by the end of 2025, with a 53% growth in open banking payments. UK adoption reached 11% of digitally active consumers by early 2024.
When the U.S. framework does stabilize — whether through revised rulemaking or Congressional action — demand will likely follow a similar curve. Fintechs that have clean data governance and API-ready infrastructure in place will be first to capture it.

What's Coming Next: The ANPR and Rulemaking Timeline
On August 22, 2025, the CFPB published an Advance Notice of Proposed Rulemaking (ANPR) to guide a reopened rulemaking. The ANPR received 13,981 public comments by the October 21 deadline — the most ever for a CFPB rulemaking.
Issues Under Reconsideration
The CFPB is reconsidering four core pillars:
| Pillar | What's at Stake |
|---|---|
| Definition of "Representative" | Whether third parties acting for consumers must meet fiduciary duties |
| Fee Prohibitions | Banks want to charge for data access; fintechs argue this locks consumers into bank products |
| Data Security | Whether GLBA standards are sufficient, and who bears the cost-benefit burden |
| Data Privacy | Preventing the unwitting licensing or sale of sensitive personal financial information |
What a Revised NPRM Will Address
The updated rule will likely revisit:
- Consumer consent frameworks and authorization standards
- Data security liability allocation between banks and fintechs
- Whether fee prohibitions can be legally sustained
- Scope of covered data types (potential expansion to brokerage, savings, and loan accounts)
The CFPB was expected to issue the NPRM in early 2026, but no one has confirmed a firm timeline — and several factors could push that date further out.
Risk Factors That Could Further Delay the Rule
Three dynamics are most likely to stall progress:
- Legal challenges could resume the moment a revised rule is finalized, as banking industry groups have shown a willingness to litigate.
- Bank lobbying pressure remains intense — large institutions are pushing to charge data access fees and limit third-party liability exposure.
- CFPB posture under the current administration suggests the revised rule may look substantially different from the 2024 version.
Fintechs should plan for multiple scenarios: a sharply narrowed rule, indefinite delay, or something in between.

How Fintechs Should Prepare Now
Audit Data Access Dependencies Today
Map every product or workflow that relies on consumer financial data access:
- Identify which connections depend on screen scraping vs. existing API agreements
- Model the cost impact if major bank data access fees become standard practice
- Evaluate which products remain viable under various fee scenarios
- Assess operational risk if banks terminate screen scraping access
Engage in the Rulemaking Process
The comment period on the ANPR has closed, but fintechs will have additional opportunities to submit comments when the NPRM is issued. Participating, either directly or through industry groups like the Financial Technology Association, shapes the final regulatory outcome.
Why it matters:
- Regulators weigh public comments in final rule decisions
- Industry coordination strengthens advocacy positions
- On-the-record comments create a legal record for future challenges
Build a Compliance-Ready Data Governance Framework Now
Regardless of the rule's final form, fintechs should implement these practices now:
Limit what you collect:
- Collect only data reasonably necessary for the requested product or service
- Document the business justification for each data type collected
- Implement automated retention limits
Lock down authorization and consent:
- Clear, plain-language authorization disclosures
- Express informed consent before data collection
- Annual reauthorization processes
- Easy revocation mechanisms
Control how data gets used:
- Written policies specifying permitted and prohibited data uses
- Restrictions on secondary uses (advertising, cross-selling, data sales)
- Downstream third-party contractual controls

Starting now reduces risk, builds trust with banking partners, and demonstrates good faith to regulators, auditors, and investors. When a final rule takes effect, you're ready — not scrambling.
For fintechs without a full-time Chief Compliance Officer or data privacy lead, fractional compliance leadership fills that gap directly. Fraxtional provides director-level CCO and BSA Officer access — without the cost or commitment of a full-time executive hire — so you can move on compliance now rather than waiting until you're large enough to staff the role internally.
Frequently Asked Questions
What is the CFPB rule for open banking?
The CFPB's open banking rule, finalized in November 2024, implements Section 1033 of the Dodd-Frank Act by requiring covered financial institutions to share consumer financial data with authorized third parties through secure APIs, giving consumers greater control over their financial information.
What is the 1033 rule of the CFPB?
"1033" refers to the section of the Dodd-Frank Act that gives consumers the legal right to access their own financial data. The CFPB's rule puts that right into practice — defining which institutions must comply, what data must be shared, and through what technical standards.
What is the status of the CFPB's open banking rule?
As of late 2025, a federal court issued a preliminary injunction blocking enforcement of the rule while the CFPB undertakes a new rulemaking process. The CFPB is expected to issue a revised NPRM, but has not set a firm deadline — leaving compliance timelines suspended.
Can I refuse to use open banking?
Under the rule's framework, consumer participation is voluntary — the rule grants consumers the right to share their data with third parties but does not require them to do so. Financial institutions, however, would be required to facilitate the sharing when a consumer requests it.
What are the new rules for banks in 2026?
Compliance deadlines remain suspended, but banks should expect a revised NPRM in 2026 covering data sharing obligations, API standards, and fee-related provisions. Monitoring CFPB communications now — rather than waiting for a final rule — gives banks the lead time to prepare.


