Section 1033 Update: The CFPB’s Open Banking Rule 

By Nancy DeGrandi, Federal Compliance Research and Analysis Manager

You may have already seen the coverage in the news of the Consumer Financial Protection Bureau’s (CFPB) Section 1033 rule derived from Dodd-Frank. That section focuses on consumer access to their own data and is also known as the open-banking rule. In my last blog discussing the rule, I mentioned that any new developments on this rule would be covered in a subsequent blog. So here we are…

The CFPB filed its motion of summary judgment on May 30, 2025, asking the court to vacate the rule, concluding “that the Rule exceeds the Bureau’s statutory authority and is arbitrary and capricious” and therefore should be set aside. The litigation involving the rule is ongoing with the intervenor, the Financial Technology Association having a June 29th deadline to file an opposition brief. The CFPB has a July 29th deadline for its response and August 29th imposed as the deadline for the defendants. So, stay tuned for the outcome.

While the CFPB is no longer defending the legal challenge to the rule, the Consumer Financial Protection Act (CFPA) still requires the CFPB to issue rules covering the availability of a consumer’s financial information to the consumer or to a third party. What may be of interest is that the CFPB identified in its motion for summary judgement that the following aspects of the rule were potentially unlawful:

  • Exceeding Statutory Authority.The CFPB claims the rule goes beyond the scope of Section 1033 of the Dodd-Frank Act, which focuses on consumer access to their own data, by regulating "open banking" and mandating data sharing with "authorized third parties". They argue this stretches the definition of "consumer" and lacks statutory support.
  • Unlawful Fee Prohibition.The CFPB asserts that the rule unlawfully forbids data providers from charging fees to cover the costs associated with granting consumer data access, because Section 1033 is silent on this matter. They argue this prohibition is arbitrary and capricious because it lacks sufficient justification.
  • Consumer Data Risks.The CFPB believes the rule, with its extensive data-sharing framework, significantly increases the risk to consumer privacy and data security.
  • Arbitrary and Capricious Compliance Deadlines.The CFPB argues that the compliance deadlines were set without considering the development of consensus standards, making them arbitrary and capricious.

Based on the above, a rewrite of the Section 1033 rule may include the following considerations if the CFPB chooses to rewrite the rule:

  • Narrower Scope: A rewrite of the rule could focus more on consumer access to their own data, potentially reducing requirements for organizations to share data.
  • Fee Considerations: A rewrite of the rule could allow data providers to offset the costs of complying with the rule by allowing data providers to charge reasonable fees.
  • Enhanced Data Security Measures. A rewrite of the rule could address the concerns about the risks associated with data sharing with third parties and screen scraping by way of more robust safeguards for consumer data.
  • Standard-Setting Process. A rewrite of the rule may prioritize setting consensus standards through recognized standard setting bodies prior to setting compliance deadlines.

We will have to see where the CFPB lands on open banking given its mandate from the CFPA.

For assistance with your regulatory compliance questions, members of America’s Credit Unions can reach out to the Compliance Team at compliance@americascreditunions.org