14,000 Comments on CFPB’s Open Banking Rule Expose Sharp Divides Over Privacy, Access, and Costs

The Consumer Financial Protection Bureau (CFPB) has received 13,979 comments on its proposed Open Banking Rule, one of the most closely watched regulatory initiatives in U.S. financial policy this decade. The flood of feedback underscores how central data access and consumer privacy have become to the future of financial services.

Under Section 1033 of the Dodd-Frank Act, the rule would require banks and financial institutions to share consumer data securely with authorized third parties via standardized interfaces — effectively laying the foundation for open banking in the United States.

But the comment letters tell a different story: while most stakeholders agree that open banking can boost competition and innovation, there is no consensus on how it should work, who should pay for it, and who should be responsible when things go wrong.

Understanding the CFPB’s Open Banking Proposal

The CFPB’s rule aims to make it easier for consumers to share account and transaction data with third-party apps and service providers. This would allow Americans to use alternative credit scoring, budgeting, and payment tools without giving up their credentials or relying on screen-scraping.

Key Element | Description
Legal Basis | Section 1033, Dodd-Frank Act
Objective | Ensure consumers can access and share their financial data securely
Implementation Tool | Standardized APIs instead of credential-sharing
Covered Entities | Banks, credit unions, card issuers, and payment providers
Compliance Obligation | Must provide secure, real-time data access to consumers and their authorized third parties
Expected Timeline | Phased implementation beginning 2026 (subject to final rule approval)

The rule’s intent is to democratize financial data, but it also brings into focus fundamental tensions — between privacy and access, innovation and compliance, and banking incumbents and FinTech challengers.

Key Stakeholder Positions

1. Tech Giants: Privacy by Design, Not by Mandate

Apple Payments Services emphasized that companies like itself should not be classified as “data providers” since they do not hold consumer financial accounts.

“The Bureau should take care that rules under Section 1033 do not impose obligations on technology providers like Apple that do not maintain consumer financial accounts,” Apple wrote.

Apple’s stance revolves around privacy architecture, where processing happens locally on users’ devices. The company advocates for:

  • “Liability follows the data” — institutions should only be accountable up to the point of secure transfer.
  • Banning use-case-based surcharges for data access.
  • Limiting obligations to true account issuers like banks or card networks.

Apple cited the UK’s open banking framework as a successful model balancing consumer control with privacy safeguards.

2. Regional and Community Banks: Fraud Risk and Cost Recovery

Smaller financial institutions like Axos Bank warned that mandated open data access could lead to greater fraud exposure and unsustainable costs.

“Mandated data sharing means we have to open up more commission to outside parties, which makes us more vulnerable to fraud,” the bank said.

Axos argued that:

  • Smaller banks must be allowed to recover compliance costs through modest fees.
  • Access should be limited to fiduciary entities that assume responsibility for safeguarding data.
  • A “one-size-fits-all” mandate could strain community banks’ technology budgets.

This mirrors growing concern that open banking favors large institutions with deeper pockets and advanced cybersecurity infrastructure.

3. Credit Unions: Security Through Verified Standards

Florida-based Suncoast Credit Union endorsed open banking in principle but stressed the need for strong security and audit standards.

“Without uniform technical and security requirements, consumers could face new vulnerabilities,” the credit union said.

It recommended:

  • Requiring FAPI 2.0 and Mutual TLS encryption standards.
  • Annual independent audits such as SOC 2 Type II or ISO 27001 certifications.
  • Phased rollouts: 24 months for large institutions, 18 for midsize, and 12 for smaller firms.
  • A continuous-compliance certification program modeled after the U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC).

Suncoast even quantified compliance costs, estimating $0.05–$0.25 per individual data-access request, calling it “a reasonable range” if marginal cost recovery were allowed.

4. FinTechs: Open Data as a Right, Not a Commodity

The American FinTech Council (AFC) took the opposite position. It argued that data access must remain free, calling Section 1033 “an absolute demand upon the covered entity to provide data to the consumer, free from impingement.”

The Council emphasized:

  • Prohibiting access fees to ensure a level playing field.
  • Rejecting fiduciary obligations for third-party representatives, as these would create excessive barriers.
  • Supporting data-driven innovation to improve underwriting models and expand credit access.

“Responsible data analysis allows firms to develop algorithms that more accurately underwrite consumers than traditional models,” AFC said, framing open data as a social equalizer for financial inclusion.

5. Aggregators: API-Driven Standardization

Data aggregators such as Plaid see the CFPB rule as an opportunity to modernize U.S. financial data exchange.

“The CFPB should codify APIs as the mandated access method to eliminate credential sharing,” Plaid wrote.

Its recommendations included:

  • Mandating APIs as the sole access channel.
  • Harmonizing technical standards with global frameworks like OAuth 2.0, FAPI, and ISO 20022.
  • Banning access fees that could harm smaller developers.
  • Introducing registration and certification systems for transparency and consumer control.

Plaid described open banking as “an API-driven trust infrastructure” capable of boosting both security and innovation if applied consistently across institutions.

Core Issues and Stakeholder Divide

Issue | Big Banks & Credit Unions | FinTechs & Aggregators | Tech Firms
Access Fees | Support limited, cost-based fees | Strongly oppose fees | Neutral
Security Standards | Emphasize strict compliance (SOC 2, FAPI) | Support but prefer flexibility | Promote on-device privacy
Scope of Coverage | Only regulated banks | Broader inclusion for all financial apps | Exclude wallets not storing account data
Liability Allocation | “Liability follows data” | Shared responsibility | Full transfer upon handoff
Timeline | Phased rollout (12–24 months) | Immediate implementation | Gradual, scalable adoption

This table illustrates the fundamental policy clash between traditional financial institutions prioritizing security and cost recovery, and FinTechs championing accessibility and innovation without fees.

Recent Developments (as of October 2025)

Date | Development
Oct. 21, 2025 | CFPB received 13,979 public comments on the proposed open banking rule.
Oct. 17, 2025 | CFPB held virtual roundtables with banks and FinTechs to refine API and security guidelines.
Oct. 10, 2025 | Industry groups requested an extension of the comment period citing technical complexity.
Oct. 3, 2025 | Treasury Department signaled support for standardized APIs in line with international models.

Why It Matters

The flood of nearly 14,000 comments reflects a once-in-a-generation transformation in how Americans manage financial data. The CFPB’s final rule will determine whether the U.S. adopts an open-banking model akin to the EU and UK, or a fragmented, market-driven approach.

As Dr. Melissa Grant, a financial technology professor at Georgetown University, noted:

“The stakes couldn’t be higher. Whoever defines open banking defines the future of financial competition, privacy, and innovation in the United States.”

If implemented effectively, open banking could:

  • Lower switching costs for consumers.
  • Empower FinTech innovation in lending and payments.
  • Encourage competition among banks and aggregators.

But if mismanaged, it could also:

  • Expose consumers to data misuse and cyber risks.
  • Increase compliance burdens for community banks.
  • Reinforce digital inequality if only large players can comply.

FAQs

What is Section 1033 of Dodd-Frank?

It gives consumers the right to access and share their financial data held by banks or financial institutions securely.

What is the goal of the CFPB’s open banking rule?

To create a standardized framework allowing consumers to safely share their financial information with third parties.

Why is the rule controversial?

Stakeholders disagree over data ownership, access fees, liability, and security standards.

How will it affect banks and FinTechs?

Banks will need to open secure APIs for data sharing, while FinTechs could gain more seamless access to financial data for innovation.

What’s next after the comment period?

The CFPB will review all comments, make revisions, and issue a final rule expected in mid-2026.

Will consumers notice immediate changes?

Not right away. The rollout will likely be phased, with larger institutions implementing first.
