How to Navigate Open Banking Uncertainty, as Battle Lines Harden Over CFPB Rule

By Steve Cocheo, Senior Executive Editor at The Financial Brand

Published on October 30th, 2025 in Banking Technology

Executive Summary

  • The struggle over open banking in the U.S. continues as comment letters flood the downsized Consumer Financial Protection Bureau. Now staff must sort through a pile of conflicting opinions and opposing interests, some laced with vitriol, to devise a brand-new rule.
  • Meanwhile, the federal court overseeing the court case on open banking regulations has stayed compliance dates, pending the new rule. It’s the only certainty for bankers right now.
  • Samplings of letters from multiple viewpoints indicate that challenges are growing more complex, as new technologies like agentic commerce overlay the basic disagreement of who should pay for data access.

The future of open banking regulation in the U.S. looks more uncertain than ever.

The effective compliance dates of the original regulation, issued by the Biden Consumer Financial Protection Bureau in 2024 and already extended by a federal district court, have now been stayed by that same court. This Oct. 29 decision is pending completion of a total reconsideration of the rulemaking to implement Section 1033 of the Dodd-Frank Act, which has been underway at the Trump CFPB since August.

The stay puts to bed banking industry anxiety about timing, for now.

The decision in the convoluted legal case came only eight days after the comment period closed on CFPB’s request for input as it begins revamping open banking regulations. The bureau published an advance notice of proposed rulemaking in August to start the renewed rulemaking process.

Over 13,000 comment letters were filed, a massive response. However, a brief sampling of the filings makes it clear that a good portion of that bulk came from automated comment letters. At least two consumer-oriented letters seem to have been orchestrated, as well as at least one for bankers.

That said, many genuine comment letters were filed by banking interests, fintechs and their associations. Long-established battle lines were shored up on both sides, with commenters often taking completely opposite positions on identical language in the Dodd-Frank Act.

The debate also broke new ground, as JPMorgan Chase’s decision to begin charging fintechs and others for customer data drew fire. On Sept. 15, Chase and Plaid announced a renewed data access agreement that includes a fee structure — but that didn’t temper Plaid’s own comment letter.

Likewise, some commenters brought up the need to address technologies that were barely on the radar when the original regulation was finalized — a key example being agentic artificial intelligence. And some industry commenters urged CFPB to remove payments initiation from the services addressed by the pending 1033 regulation.

Three other key issues: what constitutes a “consumer” for purposes of the regulation, whether banks and credit unions can charge fees for providing data, and whether certain community banks should be exempted. One commenter, the Independent Community Bankers of America, urged expanding the institutions covered by the exemption. The American Bankers Association, by contrast, called for eliminating all community bank exemptions, to avoid authorized third parties using screen scraping, which relies on login credentials, to capture customer information on any institution’s website.

What Is a ‘Consumer’?

The definition of a “consumer” is critical. Generally, the banking industry prefers a narrow definition of the term, the fintech industry a broad one.

Banks weren’t happy that the original regulation included parties authorized to access consumers’ information.

The Act “gives no indication that Congress intended to provide the CFPB the authority to compel banks to share their consumers’ information with third-party commercial actors,” wrote the Bank Policy Institute. “Throughout Section 1033, the word ‘consumer’ is used in a way that could only refer to the individual customer.”

“Congress did not intend for technology companies, data aggregators, payments processors, or fintech apps to have statutory rights to consumer data. The narrow language of Section 1033 grants this statutory right to data to consumers and those acting in a fiduciary-like capacity,” wrote JPMorgan Chase.

The original rule refers to “authorized third parties” which have complied with requirements on consumer consent. The Independent Community Bankers of America (ICBA) argued that these third parties are not obligated “to act in the best interests of the consumer” and asked that the new regulation narrow that group to only those using access to grant customers a product or service “that is in their interest to receive.”

This debate reflects a common view among banks that fintechs use much consumer data for their own purposes. In its letter, JPMorgan Chase referred to access used to build files for non-customer reasons.

The fintech side argues just as vehemently that they and other organizations are very much “consumers” under Section 1033’s definition of the term.

“The scope of who may act on behalf of a consumer is central to the operation of Section 1033 and the future of financial services in the United States,” said the Financial Technology Association. FTA maintained that Congress intended “consumer” to be broad. “Narrowing it to fiduciaries would incorrectly collapse the term’s meaning,” the association said.

“Third parties authorized by users may well be those users’ ‘agents,’ but they are certainly ‘representatives,’ and so, within the CFPA’s scheme, they are clearly consumers entitled to access under Section 1033. The bureau cannot now circumscribe those rights,” wrote the Blockchain Association. (CFPA stands for “Consumer Financial Protection Act,” a subpart of Dodd-Frank.)

“The bureau should confirm that any third-party representative properly authorized by the individual consumer is entitled to access data under Section 1033,” said Plaid in its letter.

Plaid, a leading data aggregator, noted that banking interests “have mischaracterized authorized third parties, including companies like Plaid, as untrustworthy middlemen, in an attempt to discredit the very entities helping Americans to better manage their financial lives. The incumbent financial institutions’ goal is clear: eliminate the statutory protection for consumer-authorized data sharing.”

The definition of “consumer” could influence the bureau’s decision on whether third parties can be charged for data access under the new regulation. The original regulation specifically barred fees for such access, and the JPMorgan Chase decision to begin charging was made before the original regulation would have gone into effect.

‘Fees Are an Anti-Competitive Gambit’ vs. ‘Fees Are Critical to Cover Costs’

The fintech camp leaves no doubt where it stands on fees that banks would like to charge for access to their customers’ data.

Plaid wasn’t vague: “Dominant financial institutions are pressing for fees now, not because of some new-found need to recover ‘costs’ on the very API technologies they insisted the market adopt, but rather because fees are yet another competition-killing weapon in their arsenal.” (API stands for application programming interface.)

Plaid — having announced the deal with Chase only about two months before filing its letter — wrote that Dodd-Frank makes it clear that consumers and their authorized third-party representatives “are entitled to receive information ‘upon request’ — not ‘upon the payment of a fee’. The statute is not written conditionally, nor does it contain any allowance from Congress for fees.”

“A prohibition on charging fees is … critical because it solves a significant market failure,” said the FTA. “Legacy data providers [i.e., banks] have a direct economic incentive to charge high, deterrent fees in order to block the transfer of data they would prefer to hold captive.” The association insisted that Dodd-Frank granted consumers and their third parties a “fundamental legal entitlement, not a conditional right contingent on paying access fees” and that statutory rights are not subject to “gatekeeping fees.”

The American Fintech Council is unusual in that its membership includes fintechs but also some banks. Still, its comment letter came down against fees.

“We are not diminishing the costs that our innovative bank members and other financial institutions face,” the group said. “However, given that our bank members are focused on being innovative, the specific infrastructure costs function as part of that broader innovation strategy and are necessary for remaining viable in the modern banking system.”

On the banking side, the American Bankers Association insisted that 1033 neither states nor implies that fees are not allowed, even though the original regulation barred charging for data. As such, it said, the original regulation “compels data providers under penalty of noncompliance to subsidize the business models of data aggregators and third parties seeking to monetize the information.”

In fact, ABA disputes a key assumption: “Despite what is being alleged, it is not the data itself that is being charged for but rather developing and maintaining a costly system for access, refinement, monitoring, updates, and safeguarding of the data. Those who will use the API are not the consumers, but other companies who will provide a product/service based on the data they ingest, so it is reasonable they pay market value for such access.”

Park National Bank, a $9.9 billion-in-assets bank based in Newark, Ohio, called on the bureau to lift the original regulation’s ban on fees, calling it “unsustainable and inequitable.” The bank suggested the CFPB devise a tiered system of fees, with a cap: “This approach would allow institutions to recover costs while maintaining equitable access and avoiding anti-competitive practices.”

Chase Gives More Details About Effort to Charge for Data Access

Given its size and scope, JPMorgan Chase’s comments are almost in a category unto themselves. A few statistics cited early in the bank’s letter:

  • The number of apps linked to the bank’s accounts has gone from 5,000 to 11,000 in the last two years.
  • These involve over 24 million customers.
  • During the same period, monthly data calls on Chase APIs doubled to 2 billion.

Chase acknowledged widespread criticism of its announcement that it would begin charging third parties for access to data. The bank’s comment letter said that the ability to charge fees was written into every data-sharing agreement signed by the bank since it began executing them in 2017, though it didn’t exercise it.

“With a business model based on free inputs, aggregators were emboldened to take much more data than necessary, which exposed customer data to greater risks and overly taxed our system,” the letter stated. “Now that the ecosystem has matured, and data over-consumption has proliferated, our costs have risen.”

Things have moved forward since announcement of the policy and the deal with Plaid. Chase said that as of the Oct. 21 date of the comment letter it has reached agreements representing 80% of the data aggregator volume on the bank’s APIs.

“Those negotiated arrangements have already yielded benefits to all parties in the ecosystem, including decreases in the volume of unnecessary data calls; deregistration of unnecessary payment credentials; increased performance standards; and other innovation commitments,” Chase wrote. The letter said that feedback from aggregators is that they will reduce their API calls by 30%-50% in the wake of being charged.

“When companies pay for data, they are more careful about what they collect,” according to Chase.

About the Author

Steve Cocheo is the Senior Executive Editor at The Financial Brand, with over 40 years in financial journalism, including the ABA Banking Journal and Banking Exchange. Connect with Steve on LinkedIn: linkedin.com/in/stevecocheo.
