On October 22, the US Consumer Financial Protection Bureau (CFPB) finalized Section 1033 of the Consumer Financial Protection Act, introducing a landmark rule on consumer-authorized financial data sharing. The regulation is designed to enhance consumers' rights, privacy, and control over their personal financial information.

By encouraging competition and empowering consumer choice, the rule aims to transform the payments, credit, and banking sectors for a better customer experience. The finalized rule introduced key changes to the initially proposed rule, including revised implementation timelines, updates to the scope of data providers and third parties, stricter data retention policies, and a shift toward consensus-based standards.

However, within hours of its release, several banking associations filed a lawsuit, arguing that the rule oversteps the CFPB's authority under the Administrative Procedure Act (APA). While the outcome remains uncertain, industry preparations for compliance are already underway. In this article I will explore what this rule means for the industry; how it affects consumers, banks and fintechs; when we expect to see the impact; and why major banks responded with a lawsuit.

Background to the 1033 ruling

While other markets such as the UK are often referenced as having pioneered open banking, that is true only from a regulatory and standards perspective. In terms of functionality, open banking - the sharing of consumer data with third parties - has existed in the US for decades, with long-dominant players including Plaid, MX and Akoya. To give an idea of scale, the Financial Data Exchange (FDX) recently reported 94 million connected accounts. That is no small feat. In some cases this data sharing has taken place through exclusive bilateral commercial agreements; in others, through screen scraping. Under a bilateral agreement, the user can share their financial data in a safe and secure way via API, but coverage is limited to the institutions that have signed such agreements. Screen scraping may offer greater coverage, but it is less secure, because the user has to hand their login credentials to the third party, and it places an increased and unpredictable load on the institutions whose sites are being scraped.

The "Open Banking" rule, established under Section 1033 of the Dodd-Frank Act, represents a significant step in giving consumers greater control over their personal financial data. This regulation allows individuals to securely access and share their financial information with third-party providers at no cost. The CFPB emphasizes that the rule aims to boost competition and drive innovation in the financial services sector, making it easier for consumers to switch providers and enabling new entrants to deliver innovative products and services. Covered entities—including banks, credit card companies, digital wallet providers, and other financial institutions—must grant consumers and their authorized third-parties access to specified financial data upon request. It also incorporates robust privacy and security measures, restricting third parties to using the data only for purposes explicitly approved by the consumer.

The final changes

The initial proposed ruling released over a year prior caused much debate and gave the industry an opportunity to respond with feedback. When the final ruling was released last month, a few key changes were made which are highlighted below:

Extended Compliance Deadlines: The final rule offers a longer compliance timeline than originally proposed, implementing a phased approach based on the asset size of institutions. The largest entities, with assets exceeding $250 billion, have until April 1, 2026, to comply. Institutions with assets between $850 million and $1.5 billion have a deadline of April 1, 2030, while those with assets below $850 million are exempt from compliance.

Broader Scope of Covered Providers: The rule now includes digital wallets and payment facilitators, aligning with the CFPB’s goal of ensuring uniform data privacy and security protections across platforms. These providers are subject to the same data-sharing obligations as traditional financial institutions and must swiftly implement appropriate infrastructure, processes, controls, and risk management systems to achieve compliance.

Data Transmission and Interface Standards: The rule promotes the shift from screen scraping to API-based data sharing, allowing data providers to disable screen scraping if sufficient API infrastructure is in place. Despite industry calls for a complete ban, screen scraping has not been entirely prohibited. Additionally, the rule differentiates between developer and consumer interfaces, permitting consumer interfaces to offer certain data in human-readable or downloadable formats rather than machine-readable formats.

Third-Party Authorization and Data Usage: The rule strengthens third-party authorization protocols by requiring a more structured process for granting and revoking consumer permissions. Third parties must obtain “express informed consent” and face tighter restrictions on secondary data use, prohibiting activities like targeted advertising or cross-selling. Authorization disclosures must explicitly state the duration of data collection, limited to one year from the consumer’s most recent reauthorization.

Information Security Standards: Although industry stakeholders anticipated liability protections, the final rule instead emphasizes strict security requirements, leaving some uncertainty about who holds liability in the event of a data breach. Compliance with recognized security frameworks is mandatory, providing both enhanced data exchange security and benchmarks for assessing liability in breach scenarios. Developer interfaces are specifically required to meet these standards to ensure dependable performance and timely responses.

Ozone API’s Eyal Sivan - founder and host of the Mr Open Banking podcast - shared how he and the Ozone team had submitted feedback on the proposed ruling, and how they felt heard in the way the final ruling now calls for both a data standard and a secure communications protocol. When asked when we can expect to hear an announcement of a preferred standard(s), Sivan shared how Rohit Chopra, the Director of the CFPB, had used the word “months” when alluding to timelines at Money20/20 in Las Vegas last month.

Who does this impact?

In short, this affects everyone. It does not, however, affect everyone equally.

From a user perspective, the benefits are far reaching and significant as this now gives all US customers the means to share their financial data in a safe and secure way. This introduces new and enhanced use cases in everything from savings and budgeting tools to real-time alternative credit assessment.

For the fintechs offering these services, they benefit in that they can create enhanced value for their users and charge for these services. As we’ve seen in other markets, this means new companies, new investment opportunities and new talent pools.

For the banks, credit card companies, digital wallet providers, and other financial institutions, the obligation is to provide the infrastructure to share this data, and they are not allowed to charge for it.

There is an argument that banks can derive commercial value from offering premium APIs, and that customer lifetime value may rise as customers become better served; nonetheless, it is probably fair to say that the banks have the most at risk here.

Aggregators are at risk too, as the CFPB has made it clear that it does not want a concentration of power and that anti-competitive behavior will not be tolerated. As APIs become standardized and freely available over time, aggregators will be forced to diversify their propositions into specific functionality or markets, as the cost of connectivity will continue to fall towards zero.

When will we see this implemented?

Officially, the ruling outlines a tiered approach to implementation based on institution asset size, with larger institutions expected to implement first and smaller institutions to follow.

Deadline      | Total Assets for Depository Institutions | Total Receipts for Non-depository Institutions
1 April 2026  | > $250bil                                | > $10bil in either 2023 or 2024
1 April 2027  | $10bil - $250bil                         | < $10bil in both 2023 and 2024
1 April 2028  | $3bil - $10bil                           |
1 April 2029  | $1.5bil - $3bil                          |
1 April 2030  | $850m - $1.5bil                          |
Exempt        | < $850m                                  |

While this is the official ruling, it is worth noting the number of times we have seen missed deadlines in other markets. This assumes the lawsuit filed by the bank associations doesn't affect the rollout. Whether that is likely to happen - at this stage - is hard to say. To try to understand this impact, it’s helpful to understand why these banks responded with a lawsuit.

The Banks Push Back

Within hours of the ruling, several bank associations filed a lawsuit claiming that the rule exceeds the CFPB's authority under the Administrative Procedure Act (APA). The lawsuit raises significant concerns, arguing that the rule lacks oversight of the third parties handling bank customer data, thereby placing the full burden of consumer protection on banks without holding data recipients accountable.

Critics highlight that weak safeguarding practices increase the risk of fraud and scams, as bad actors could exploit third-party entities with inadequate security. The rule does not explicitly prohibit the use of screen scraping, leaving banks arguing that they have limited ability to mitigate risks.

It also allows third parties to profit from bank-maintained systems without compensation, unlike standard practices among major tech companies. Finally, the implementation timeline is deemed unreasonable, as it requires compliance before consensus industry standards are established, potentially leading to wasted resources if adjustments are later needed.

Where to from here?

Although the outcome of the lawsuit against the CFPB’s rule remains uncertain, companies across the financial services ecosystem are expected to begin preparing for compliance. Building the necessary infrastructure, refining data-sharing processes, and implementing robust security measures will be critical steps as the industry anticipates the phased rollout.

One of the most intriguing developments to watch will be the adoption of a common standard to facilitate seamless and secure data sharing. The FDX standard, already widely endorsed by many in the industry, is positioned to play a pivotal role in achieving this. Consensus on a standard like FDX will not only simplify implementation but also ensure consistency and enhance trust across stakeholders.

By proactively addressing the challenges posed by the rule while capitalizing on opportunities for innovation and collaboration, companies can position themselves to succeed in this new era of open banking in the United States.
