The CFPB Just Torpedoed Its Own Open Banking Rule—And the Carefully Planned Future of American Fintech Right Along With It

In a move that would make even the most dramatic Real Housewives reunion show look like a masterclass in diplomatic consistency, the Consumer Financial Protection Bureau just did something truly unprecedented: it sued itself. (Andy Cohen would be so proud…) Well, technically, the new CFPB leadership filed a brief agreeing with banks that the agency's own flagship open banking rule is illegal and should be thrown in the regulatory trash can.

*Chef's kiss* to the sheer audacity.

The Dream That Almost Was: What Section 1033 Promised

Before we dive into this regulatory dumpster fire, let's pause to appreciate what the Section 1033 rule was actually supposed to accomplish. The original vision was genuinely compelling:

Consumer Control: For the first time, you'd have a legal right to access your own financial data in a usable format and share it with whomever you chose. No more begging your bank for transaction history or getting stuck with whatever crappy export format they felt like providing.

Innovation Unleashing: Fintech companies could build better budgeting apps, investment tools, and lending platforms with direct, secure access to your financial data instead of relying on the sketchy practice of "screen scraping" (basically automated bots logging into your bank account).

Competition: Small banks and credit unions could partner with fintech companies to offer services that compete with big bank offerings. Your community bank could suddenly offer the same slick financial management tools as Chase.

Security: Instead of giving apps your actual banking passwords (yikes), you'd have secure, permissioned access that you could revoke at any time.

Standardization: Everyone would play by the same rules with the same technical standards, creating a level playing field instead of the current wild west of negotiated partnerships.

It was supposed to be the American equivalent of Europe's successful open banking revolution, finally dragging our financial system into the 21st century. Instead, we got... this.

When Regulatory Agencies Have Trust Issues With Themselves

Here's what happened: In November 2024, the CFPB under the previous administration issued a comprehensive "open banking" rule that would have forced banks to share customer data with third parties through fancy new "developer interfaces." Think of it as forcing banks to build digital bridges so fintech apps could waltz right into your financial life.

But then January 2025 rolled around, new leadership took over, and suddenly the CFPB was all "Actually, we think our predecessors went completely rogue and exceeded our legal authority. Our bad!"

The legal arguments are actually pretty compelling, if you're into that sort of thing:

Argument #1: Congress Didn't Say "Open Banking," So We Can't Do Open Banking

The Legal Brief Says: The CFPB argues that Section 1033 "does not authorize the Bureau to broadly regulate open banking by mandating that data providers share information with 'authorized third parties.'" The statute's text focuses on making information available "to a consumer" about services "the consumer obtained," not to commercial third parties.

The brief gets into the statutory weeds, noting that Congress used consumer-focused language throughout: data providers must make information available "to a consumer" concerning "the consumer financial product or service that the consumer obtained." The CFPB argues this language "ensures that a 'consumer' can access their own financial information" but doesn't support an effort to "comprehensively regulate the system of 'open banking.'"

The previous CFPB tried to justify third-party access by stretching the definition of "consumer" to include "authorized third parties"; the new leadership says this interpretation goes beyond "its breaking point." They argue that terms like "agent," "trustee," and "representative" in the statute require actual fiduciary relationships, not just commercial entities that happen to have consumer authorization.

The Sassy Take: The new CFPB leadership essentially argues that the previous team played fast and loose with the definition of "consumer" to include commercial third parties. It's like claiming your mom said you could have friends over, so obviously she meant you could rent out the house on Airbnb.

Argument #2: Free Lunch? In This Economy?

The Legal Brief Says: The CFPB argues that the fee prohibition "exceeds the Bureau's authority and is contrary to law because Section 1033 does not authorize the Bureau to prohibit banks from charging any fees for maintaining and providing access through the required developer interfaces."

The brief notes that "the statute is silent on the question of fees" and argues that "if Congress had intended to require data providers to make information available under Section 1033 without the ability to charge a reasonable fee, it would have said so expressly." The CFPB points out that "Congress has made such obligations explicit in other contexts" when it wanted to prohibit fees.

The brief emphasizes the unfairness: "The Rule requires data providers to expend significant costs to provide and maintain complex developer interfaces, but it simultaneously prohibits them from charging fees to recoup such costs, even from third parties." They note the rule acknowledges costs of about "$15 million in annual ongoing costs" for large data providers, yet prohibits any cost recovery.

The Sassy Take: The rule prohibited banks from charging any fees for maintaining these data-sharing systems—even to the commercial companies profiting from the access. The CFPB now points out that forcing banks to spend millions on infrastructure while giving competitors free access is, shall we say, legally questionable. (We’re gonna pretend for a minute like the millions haven’t already been spent…)

Congress was silent on fees, but when it wanted to prohibit them elsewhere, it said so explicitly. The legal equivalent of "if you meant no charging, you should have said no charging."

Argument #3: Privacy? What Privacy?

The Legal Brief Says: The CFPB argues the rule "failed to assess the cumulative effects of its individual decisions pertaining to the risks the Rule poses to consumer data as a result of its extensive data-sharing requirements."

The brief details how the rule creates a cascade of privacy risks: it "requires the disclosure of highly sensitive consumer financial information—including highly sensitive payment-initiation information" and "permits authorized third parties to outsource access to consumer data to still other third parties, known as data aggregators (whom the consumers don't get to choose), thereby increasing the number of parties accessing data and the attendant risks."

The CFPB notes the rule "establishes a lax system for assessing and verifying authorized third parties' security practices" and "limits banks' ability to deny access to sensitive consumer information, even when the bank believes denial is appropriate to satisfy its safety and soundness obligations, information security obligations, or other risk management duties."

Most tellingly, the brief notes that while the Bureau "repeatedly acknowledged that 'screen scraping poses risks to consumer privacy and data security,' the Bureau declined to prohibit the practice."

The Sassy Take: Perhaps most damningly, the CFPB argues that the rule created a privacy nightmare without properly considering the cumulative risks. The framework would have:

- Required sharing of super-sensitive payment information

- Allowed third parties to outsource data to even more parties

- Limited banks' ability to say "no" to risky data requests

- Continued to allow sketchy "screen scraping" practices

It's like mandating that everyone leave their front doors unlocked while simultaneously expressing deep concern about home security. The security risks were something banks screamed about from the beginning. The irony? Congress has been trying to pass comprehensive privacy legislation for the better part of a decade and it is sucking at it. Big time. So let’s point fingers at each other. That’s helpful…

Argument #4: Deadlines Based on Vibes

The rule set compliance deadlines based on when it was published, not when the industry standards it relied upon would actually exist. Essentially: "You must comply with standards that don't exist yet. Good luck!"

So What Does This Mean for the Future of Open Banking?

Immediate Chaos: A Feature, Not a Bug

Right now, the fintech world is experiencing what can only be described as regulatory whiplash. Banks that spent millions preparing for compliance are probably having some very awkward conversations with their boards. Fintech companies that built entire business models around mandated data access are frantically updating their pitch decks (and budgets).

The market response has been swift and brutal: uncertainty, thy name is American fintech.

The Long Game: Three Possible Futures

Future #1: The Wild West Continues

Open banking trudges along through voluntary agreements, competitive pressure, and good old-fashioned screen scraping. Banks build APIs when they feel like it, fintechs negotiate access case by case, and consumers get a fragmented experience that varies wildly depending on which financial institutions they use.

Future #2: Congress Actually Does Something

Sorry, this one makes me giggle, but it isn’t totally impossible. The CFPB essentially threw down a gauntlet: "If you want comprehensive open banking, Congress needs to explicitly say so." This could prompt actual legislation with clear authority, specific requirements, and—dare we dream—bipartisan support.

Future #3: Regulatory Whack-a-Mole

A future administration tries again with different legal theories, narrower scope, or creative interpretations of other statutes. Rinse and repeat until someone figures out a sustainable approach or Congress gets its act together. (Hold on…that last part made me giggle again…)

Meanwhile, in the Rest of the World...

While America debates whether agencies can interpret their own authority, Europe has been doing open banking since 2018. The UK has thriving open banking ecosystems. Australia, Canada, and Brazil have all moved ahead.

The US is essentially choosing to sit out the global open banking party while arguing about whether we were actually invited. In the spirit of Regina George, the CFPB is like: “Stop trying to make open banking happen…it’s not going to happen…”

The Philosophy Behind the Chaos

This reversal reveals a fundamental shift in regulatory philosophy. The previous approach was "innovation through regulation"—use government mandates to force modernization and competition. The new approach is "innovation through markets"—let private parties figure it out themselves. How American.

Both approaches have merit, but the whiplash between them is giving everyone motion sickness.

What Happens Next?

For Banks: Relief from (future) compliance costs (because those sunk costs are indeed sunk), but also from competitive pressure to modernize. Some will continue building APIs because customers demand it and after all, they’ve already spent a ton of money. Others will happily retreat to their data fortresses and quietly declare victory.

For Fintechs: Back to the negotiating table with individual banks, continued reliance on screen scraping, and a lot of very expensive lawyers trying to figure out what's legal. (Hey y’all…call me! I’m less expensive than others…)

For Consumers: A continued patchwork of data access options that depend entirely on which banks and apps you use. Some will get excellent integrated experiences, others will be stuck in the financial stone age.

For America: Falling further behind in the global fintech race while other countries race ahead with comprehensive frameworks.

The Bottom Line

The CFPB just delivered a masterclass in how to create maximum regulatory uncertainty while technically following proper legal procedures. It's impressive in its thoroughness and devastating in its implications.

Open banking in America isn't dead—it's just back to being a voluntary, market-driven mess instead of a mandatory, government-regulated mess. Whether that's better or worse depends entirely on your faith in market forces versus regulatory mandates.

One thing's for sure: this is going to be one hell of a case study in administrative law classes for decades to come. And somewhere, a European regulator is probably laughing into their morning coffee while checking their thriving open banking metrics.

The author holds strong opinions about regulatory consistency and may or may not be counseling and/or have money invested in financial services companies currently experiencing existential crises.

Original Post: https://www.linkedin.com/pulse/cfpb-just-torpedoed-its-own-open-banking-ruleand-future-tarkowski-afdpe
