What Banks Must Do While 1033 Open Banking Rules Hang in Legal Limbo

By Adam Maarec, McGlinchey Stafford

Published on July 10th, 2025 in Banking Technology


Executive Summary

  • Caught in the transition from the Biden administration to the Trump administration, the Consumer Financial Protection Bureau open banking rules are tied up in a lawsuit and face an uncertain future. The rules could die, be upheld or wind up substantially amended.
  • Legal pleadings will continue at least into early September. So a decision might be reached this year … but that could be appealed by either side.
  • This article addresses key issues, and suggests questions banks and fintechs should be asking while awaiting final action.

The Consumer Financial Protection Bureau’s final Personal Financial Data Rights rules — often referred to as the “open banking” rules or as “1033” in reference to the section of the Dodd-Frank Act that gives consumers a right to access account data electronically — have been caught in litigation since the day they were published in October 2024.

But this is no ordinary lawsuit. Following is a brief summary of this unusual litigation and the possible outcomes. This is followed by a series of questions that companies operating in the open banking ecosystem can ask now while the case continues to be litigated.

A Curious Case: What the 1033 Litigation is About

Immediately after the final 1033 rules were published, two banking industry trade associations filed suit. They allege that the CFPB’s rules go beyond the intent of the Dodd-Frank Act. The act created a right for “consumers” to request and receive electronic records of their “consumer financial products and services.”

In legal terms, the associations claim that the rule’s effort to regulate the entire open banking ecosystem — particularly by giving rights to third parties to access data on behalf of individual consumers — exceeded the CFPB’s statutory authority. Further, the groups claim that several provisions of the final rule were “arbitrary and capricious” under the Administrative Procedure Act. They asked a federal district court in the Eastern District of Kentucky to vacate the rules in their entirety.

Then things got weird. After new leadership arrived at the CFPB in early 2025, it was unclear whether the CFPB would defend the rule in court. Acting on this concern, a fintech trade association filed a motion to intervene in the lawsuit. The court granted the motion, allowing the fintech trade association to essentially step in the CFPB’s shoes to defend the rule.

Then things got really weird. After additional consideration, the CFPB reversed course and filed a motion in the case agreeing with the banking industry trade associations that the rule exceeded the agency’s statutory authority and was arbitrary and capricious. The CFPB also took the extraordinary step of asking the court to vacate the entire rule. Ordinarily, when a federal regulatory agency wishes to change or eliminate regulations, the agency must follow procedures under the Administrative Procedure Act, including providing public notice of the rule changes being proposed, receiving comments on the proposed change, and issuing final rules (or a rescission of rules) that are well reasoned based on the facts and comments in the record.

Several trade associations and consumer groups recently filed “amicus” briefs in the case but, so far, the judge has rejected all of them. (An amicus brief is a friend-of-the-court filing that lets non-parties share their perspectives on an issue.)

Additional pleadings are scheduled in the case through the beginning of September 2025, so a decision could be reached before the end of the year, barring any unforeseen twists. However, the parties are likely to appeal, regardless of the outcome, so this litigation could continue well into 2026.

As the case drags on, companies may begin to feel more urgency to comply with the final rule ahead of its looming compliance deadlines, which begin as early as June 30, 2026, for the largest data providers.

This leaves banks, fintechs and other companies in the open banking ecosystem with many questions — about how to manage the risks and capture the opportunities presented by open banking technologies — as the fate of the final rules hangs in the balance.


Issue 1: What if the court vacates the final 1033 rules?

The federal judge could issue an order vacating parts of the rule or even the entire rule. Here are a few potential outcomes if this occurs:

• Return to the plain language of 1033, ambiguities and all. Data providers and third parties receiving data will be left to interpret the obligations of 1033 without the clarity and structure provided in the final rules. For example, what data must be made available and for which products?

While the final rules narrow the scope of products and data that must be disclosed — generally including six categories of data for credit cards, deposit accounts, and prepaid accounts — the Dodd-Frank Act actually extends consumer data access rights to all “consumer financial products and services,” which includes many other products and services. So individuals and their third parties could seek access to a broader scope of data than is currently contemplated in the rules, e.g., for mortgages, auto loans, student loans, etc., and not limit their requests to the six categories of data in the final rules.

• Avoiding the most troubling aspects of the final rule. Data providers and third parties could avoid what they respectively believe to be the most complex and troubling aspects of the rule. For example:

Data providers might choose to:
• Create bespoke application programming interfaces (APIs) that do not conform to standardized formats or access protocols, such as the Financial Data Exchange (FDX) API specification;

• Not make APIs available at all and/or block screen scraping, or make APIs available but limit the scope of data available;

• Block third party access requests based on varied and private third party risk management criteria; or

• Impose fees for access and other terms in bilateral data access agreements.

Third parties might choose to:

• Seek access to data beyond credit cards and deposit accounts;

• Seek data via screen scraping rather than APIs;

• Provide varied or limited consumer disclosures and authorization processes;

• Not limit their access, use and retention of data to what is “reasonably necessary” to deliver the requested product or service, e.g., enable secondary uses; and

• Obtain consents that last longer than one year.

• Compliance with other applicable laws. It is important to note that existing laws and regulations governing the sharing and use of financial data will continue to apply if the final rules are vacated (and even if they aren’t). Among these are:

1. The Gramm-Leach-Bliley Act’s restrictions on financial institutions’ disclosure of nonpublic personal information to non-affiliated third parties and data security requirements under the Safeguards Rule. (This requires maintenance of safeguards to protect the security of customer information.)

2. The Fair Credit Reporting Act’s requirements when a company accessing and selling data becomes a “consumer reporting agency” and users of their data become subject to limits on the use and disclosure of “consumer reports.”

3. The payment authorization and liability regimes under the Electronic Fund Transfer Act, as implemented by Regulation E.

4. General prohibitions on unfair, deceptive or abusive acts or practices (UDAAPs).

Issue 2: What if the rules are upheld?

To effectively implement the many technical requirements in the final rule, banks and other parties acting as data providers will need months or even years to prepare.

For example, it takes a significant amount of work for a data provider to identify all of the “covered data” that is in its “control or possession.” The provider must also develop systems to ensure that covered data is made available, accurately, via a developer interface and consumer interface, within minimum performance expectations.

Third parties receiving data, for their part, must develop well-managed systems to track customers’ consent and ensure that their access, use and retention of data are in line with that consent. That’s a simple process in theory, but it is complex and difficult to implement in practice at scale.


Issue 3: What about the work companies have already done to comply with the final rule?

Even if the rules are vacated, in whole or in part, the work companies have done or are doing now to modernize their back-end data sharing infrastructure, provide consumers with better and more uniform disclosures and data sharing user experiences, among other things, will be valuable enhancements – whether explicitly required by law or not.


Issue 4: Could other federal regulators or state regulators begin to regulate open banking?

Federal prudential regulators — namely the Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve, the Office of the Comptroller of the Currency, and the National Credit Union Administration — could provide perspective on the risks that exist from open banking, with or without the final rules.

More specifically, these regulators could provide much sought-after guidance regarding a bank or credit union’s third party risk management obligations. For example, what risks should banks and credit unions evaluate for each third party that seeks access to data on behalf of a consumer? And when the third party is a data aggregator, what risks should banks and credit unions evaluate for each fourth party (e.g., the data aggregator’s client and ultimate recipient of data), if any?

The Federal Trade Commission could also provide guidance on the applicability of its Safeguards Rule to the open banking ecosystem, which imposes data security obligations on many non-bank financial institutions.

The states could also exert their power in the open banking market. In the final rule, the CFPB identified a number of potential UDAAPs in open banking use cases. State regulators and attorneys general with enforcement powers could examine and bring cases against companies that engage in these and other UDAAPs when offering open banking services. In addition, state regulators and attorneys general have the power to enforce the CFPB’s rules, including the final 1033 rules to the extent they exist and are not stayed or vacated by a court.

Furthermore, at least one state — Wyoming — has adopted a standalone open banking law. It does not appear that other states have followed suit. However, high-profile actions to eliminate the CFPB’s final rules could catch federal and state regulators’ attention and cause them to scrutinize open banking practices.

What Should Banks and Fintechs Do Now?

Banks and fintechs should recognize the trend towards more consumer-directed data sharing, not less, and devise a strategy to capture the opportunities and manage the risks that these open banking activities present, with or without the final rules.

Following are a series of questions that companies should ask and answer, with or without the CFPB’s final rules.

When acting as a data provider:

Screen scraping: Will you block screen scraping activity and, if so, under what circumstances?

APIs: Will you develop an API to share data with third parties? If so, which products and data elements will you include? Will you follow a standard API specification, e.g., the FDX API specification? Will you hire a third party to deliver some or all of your API capabilities?

Third party risk management: How will you determine which third parties may access data? How will you monitor their activities on an ongoing basis?

Bilateral data access agreements: Will you require third parties to sign data access agreements? If so, what terms will you include in your agreement? Will you require adherence to terms (i.e., treat them as click-through terms) or negotiate bespoke agreements with certain third parties?

Customer experience & disclosures: What disclosures and other information will you provide to customers about their data sharing activities? Will you allow customers to revoke third parties’ data access rights? Will you require customers to reauthorize data sharing periodically?

When acting as a third party:

Data access methods: Will you access data directly or via a data aggregator? Will you and/or your data aggregator(s) access data via screen scraping and/or APIs?

Customer experience & disclosures: What disclosures and other information will you provide to customers about your data access? How long will you allow each customer authorization to last?

Data access, use & retention rights: What data will you access, how will you use it, and how long will you retain it? Do you have systems in place to capture and track customer consent, and ensure future access, use and retention of data is aligned with that consent? Will your expected use case cause the data being obtained to be considered a “consumer report” subject to the Fair Credit Reporting Act?


The Road Ahead for Open Banking Will Be Circuitous

The road ahead for the regulation of open banking in the U.S. is winding and full of uncertainty from our current vantage point. But banks, fintechs and others in the ecosystem can and will continue working to find solutions that deliver value for consumers.

The promise of open banking — to enhance competition and deliver new innovations for consumers and businesses — requires collaboration. With or without the CFPB’s rules on Personal Financial Data Rights, organizations should continue working towards industry-wide solutions that protect consumers, manage risks, and promote technology that works for everyone.

Companies and policymakers in the U.S. would also be wise to watch and learn from other regulatory and market approaches to open banking around the world. Indeed, some jurisdictions have regulatory regimes that go beyond mere access to bank account data, expanding to include payment initiation and “open finance” capabilities, which extend data access to the whole range of financial services, including brokerage accounts and insurance.

Given the global trend to access more data to power smarter models and AI-based tools, this seismic shift seems inevitable. It’s not a matter of if — but when.

About the Author

Adam Maarec is a partner in McGlinchey Stafford's Washington, D.C., office. He can be reached at [email protected].
