Open Banking the Easy Way, or the Hard Way
Written by Dan Murphy

Dan Murphy is a leading expert on open banking and an independent consultant. Until recently, he served at the Consumer Financial Protection Bureau and co-led the CFPB's Personal Financial Data Rights rule. All views expressed are his own.
Open Banker curates and shares policy perspectives in the evolving landscape of financial services for free.
Headlines have been flying for the last week indicating that the CFPB intends to throw out the final rule on Section 1033 of the Dodd-Frank Act and start from scratch. This is surprising, to say the least, for a rule whose work began under the first Trump Administration, was the product of years of industry engagement, and that was received with strong bipartisan support.
I was a key member of that rulemaking team, so unsurprisingly, I think it’s a pretty good rule. That said, new CFPB leadership under a new administration is entitled to consider whether they want to chart a new path forward on open banking. I’m not here to tell them not to do that. I’m here to tell them that there is, as they say on TV, an easy way and a hard way to accomplish their goals. For their own sake, they should do it the easy way.
Those Who Forget History…
The 1033 rulemaking was, unavoidably, one of the most complex rulemakings the CFPB has taken on since its inception. There are three primary reasons for this:
Competing Industry Interests: Unlike many issues where the CFPB is forced to weigh industry and consumer interests in a relatively straightforward manner, open banking pits two sides of industry against each other, with consumers somewhere in the middle. Anything the CFPB does to make one side of industry happy necessarily makes the other side unhappy. Want to give the banks the ability to charge fees for consumer-permissioned data access? Good luck explaining that to fintechs. Want to let fintechs do whatever they want with consumer-permissioned data? Good luck explaining that to banks. Want to do both? Good luck explaining either to consumers. The CFPB’s new leadership shouldn’t kid themselves, any final Section 1033 rule will likely be challenged in court. It’s not possible to make everyone happy.
Interlocking Statutes: Any effort to implement Section 1033 raises extremely thorny questions about how it works together with other laws on the books, such as the Electronic Fund Transfer Act and the Gramm-Leach-Bliley Act. Perhaps most complex though is the interplay with the Fair Credit Reporting Act (FCRA) and Regulation V, FCRA’s implementing regulation. If a consumer elects to share their banking data with a fintech, and their bank shares that data via an Application Programming Interface (API), does that bank become a furnisher? What if the data is instead accessed via screen-scraping, is the bank a furnisher then? What about the data aggregator facilitating this information sharing, do they become a consumer reporting agency? If so, on any of the above, why? If not, why not?
Interlocking Jurisdictions: While Dodd-Frank directs the CFPB to prescribe rules to implement consumer rights to access financial information, the CFPB is not the only game in town with respect to banks’ more general data security obligations. Those obligations flow from prudential regulators – the Federal Reserve, the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), and the National Credit Union Administration (NCUA). Each of those agencies has their own, not always well-aligned interpretation of banks’ risk management obligations with respect to third parties. If a consumer elects to share their banking data with a fintech, does that make the fintech a service provider to the bank? If so, does that mean every bank has to perform due diligence on every fintech? Or, since banks are increasingly data recipients, on every other bank? Seems awfully expensive and inefficient. If not, does that mean banks would have to share consumer data even with fintechs they know to be experiencing a data breach? Seems dangerous. Either way, the CFPB can’t answer these questions by itself, it needs to work with its colleagues at the Fed, OCC, FDIC, and NCUA to come to a unified answer (no small feat), and 1033 is its only real leverage.
These are real challenges. And yet.
Congress passed a law. That law says, unequivocally, that “[s]ubject to rules prescribed by the Bureau, a covered person shall make available to a consumer, upon request, information in the control or possession of the covered person concerning the consumer financial product or service that the consumer obtained from such covered person, including information relating to any transaction, series of transactions, or to the account including costs, charges and usage data.”[1]
That law stands today. Challenges or no, companies need to know how to comply with the law.
Luckily for the CFPB’s new leaders, over the last four years the Bureau carried on the work the first Trump Administration started. We worked through these thorny, hair thinning questions under immense pressure from all sides, and we got to answers.
Elections Have Consequences
Not only did we get to answers, we left the door open for new CFPB leadership to make adjustments as they see fit. We knew that different leadership at the CFPB might make different policy choices than we did. That is appropriate and expected.
How did we leave the door open? Well, under the statute, Section 1033 applies to all consumer financial products and services. However, the initial 1033 rule finalized by the CFPB last year took an iterative approach and first implemented the statute for accounts covered by Reg E and Reg Z. Our plan was to then extend the framework to include other products and services over time. This approach gives other parts of the market more time, but it also allows the CFPB’s new leadership to make adjustments to the underlying framework of the rule as they see fit through a targeted notice and comment process, without slowing industry’s considerable momentum on open banking.
For example, if new leadership at the CFPB wants to revisit the rule’s prohibition on fees for data access or explore whether more can be done with respect to limiting bank liability, they can solicit comment on those items and any others they have interest in while expanding the framework to include more products and services, as intended by Congress. That is, the CFPB and industry stakeholders can have their cake and eat it too. They can make adjustments to the rule without dedicating the resources necessary to start from scratch. This feels particularly important given that the CFPB seems intent on implementing sweeping reductions in force.
That’s the easy way to do things. But reporting over the last week indicates that the CFPB may be considering doing things the hard way and starting from scratch.
“If I Were In Charge I Would Simply Write a Good Rule”
Word among those who have spoken to new leadership at the CFPB is that they think the rule would be too hard to fix, and that it would somehow be easier to vacate the rule and start over. Nothing could be further from the truth. Attempting to vacate the rule is sure to result in litigation, and starting over would require far more time and resources from the Bureau, and most importantly would impede private sector progress, both on a bilateral basis and at industry standard setting organizations like the Financial Data Exchange (FDX).
This raises two broad questions for any sober observer – why and how.
With respect to the why, one potential motivating factor is that certain big banks appear to have had a change of heart on open banking. Within hours of the final rule being released in October, and before anyone could possibly have read the rule, the Bank Policy Institute (BPI) sued the CFPB. Their lawsuit indicates that they don’t believe the Bureau has authority to write an open banking rule, calling into question the purpose of years of engagement by those banks with the CFPB, prudential regulators, industry stakeholders, and standard setters such as FDX.
More recent messaging from BPI indicates to me that there’s little that can be done to make them happy. For example, they claim the rule is too permissive with screen scraping, but it’s certainly not as permissive as no rule at all. Moreover, the final rule does require fintechs “to adhere to the same rigorous standards and duties as banks” with respect to financial data security. BPI simply doesn’t like the fact that financial data security rules for nonbanks are set by the Federal Trade Commission instead of prudential regulators. Rather than offer constructive criticism to move forward, BPI’s revealed preference appears to be for open banking to simply go away and become something that banks can choose to offer, or not, at their discretion. This is a coherent worldview, but it’s not what banks spent years telling the rest of industry or the CFPB, and it’s not what the law says. It also doesn’t align with the first Trump Administration’s 2018 fintech report. It’s not clear to me why the Trump Administration would be willing to offer such a giveaway to large banks at the expense of fintech companies that power everything from innovative payment products to account funding for investment and cryptocurrency platforms.
Another potential rationale for vacating the rule could be that this has nothing to do with the new CFPB’s policy preferences on open banking. Rather, this could all be downstream from their desire to downsize agencies like the CFPB, even if that means eliminating major achievements with bi-partisan support. If so, the damage inflicted on thousands of businesses that spent years of time and tens of millions of dollars engaging with and preparing for this rule seems a steep price to pay. If this rationale is indeed driving things, it should also be noted that any promises of a new and improved open banking rule would then be disingenuous.
This brings us to the “how.”
Here, I really must urge the CFPB’s new leaders to proceed with caution. Bloomberg’s reporting indicates that the CFPB may be interested in vacating the rule in the face of the BPI litigation, much as they did with a recent rule on credit card late fees. If this is the path they choose, there is unlikely to be an open banking rule for the foreseeable future.
This is especially true if the CFPB concedes the first count of BPI’s lawsuit, which argues that third party access is not permitted by the statute. In that case, the CFPB would seemingly be unable to write a new 1033 rule that had anything to do with open banking. Rather, they would only be able to write a rather silly rule that said banks must provide online banking to their customers. This would be, to put it mildly, not exactly leading the world in innovation in 2025.
But even if the CFPB didn’t concede the first count of the BPI lawsuit, vacating the rule is likely to get them tied up in litigation for years with the Financial Technology Association, who has already filed a motion to intervene. Only after that litigation plays out could they get started on a new rule.
And even when they get to that point, they would find themselves facing down at least three more years of redoing work that the CFPB has already completed, whether they realize it or not.
First, the CFPB would have to go through a process with the Small Business Administration (SBA) and the Office of Information and Regulatory Affairs under the Small Business Regulatory Enforcement Fairness Act (SBREFA). Even if they re-propose the final rule’s exemption for depositories with less than $850 million in assets, any rule would still affect a significant number of small entities on the third party side. This process takes about a year under the best of circumstances with full staffing at the Bureau, the SBA, and OIRA.
Then, the CFPB would have to re-propose the rule and consider all the comments they receive. When we did that in 2023, we received more than 11,000 comments.[2] You’re looking at another year or so there.
Finally, the CFPB would need to incorporate the feedback they receive from commenters and finalize the rule. If they want to do that thoughtfully, that’s another year, in my experience. And of course, all of this assumes adequate staffing.
Where does this leave us?
The CFPB appears to be considering setting back open banking by at least three or four years, and perhaps permanently if they concede the first count of the BPI lawsuit. This is, to state the obvious, immensely frustrating to the vast majority of companies in the ecosystem,[3] and detrimental to private sector competition and innovation.
The CFPB is on the cusp of doing this even though there is an easier process available to them that would allow them to accomplish their goals.
If this sounds wasteful and inefficient to you, it does to me too.
The CFPB should take the easy way. Open the rule in a targeted, thoughtful way, and avoid years of litigation and redoing work that has already been done. This would allow the private sector to move forward as planned and enable new leadership to make adjustments as it sees fit.
You’re so close, don’t snatch defeat from the jaws of victory.
The opinions shared in this article are the author’s own and do not reflect the views of any organization they are affiliated with.
[1] Note that the Dodd-Frank Act also defines the term “consumer” to mean “an individual or an agent, trustee, or representative acting on behalf of an individual.” That is why authorized third parties, such as fintechs and aggregators, are in the mix. One cannot simply ignore these words in the statute.
[2] As a reminder, the Administrative Procedure Act obligates the CFPB to consider each of the comments.
[3] By the way, it’s an open secret that many bankers aren’t on board with and weren’t expecting BPI’s lawsuit, they just can’t say so publicly, due to the largest banks calling the shots.