The ANPR has a relatively narrow scope.
This doesn’t necessarily tell us what the bureau will ultimately propose changing in the current rule, but it does suggest where, specifically, the CFPB sees the need for additional clarity.
The preamble at the beginning of the notice lists a few specific topics:
The statutory text of section 1033 is quite sparse and does not specifically address several important questions that arise from the rights it creates, in particular: a) precisely who may act on behalf of the consumer; b) how the costs of effectuating such rights may be defrayed by the “covered person” providing the data; c) the potential negative consequences to the consumer of exercising this right in an environment where there are tens of thousands of malign actors regularly seeking to compromise data sources and transmissions; d) the potential negative consequences to the consumer in exercising this right where the data contains information that the consumer may not want disclosed, but does not fully understand or realize may be disclosed by the third party through which it has made a request; and e) the potential benefits to consumers or competition of facilitating the consumer-authorized transfer of data to financial technology companies, application developers, and other third parties.
The bureau then goes on to list some specific questions under each of these topical areas.
By analyzing what the bureau is asking about (and, just as importantly, what it's not asking about), we can get a sense of the CFPB’s priorities and (to a lesser extent) its pre-existing beliefs.
Here are the questions that occurred to me after reading the CFPB’s questions.
How seriously will the CFPB entertain BPI’s argument that Dodd-Frank does not empower the bureau to require consumer-permissioned data sharing with authorized third parties?
Some of the big banks argue that section 1033 of Dodd-Frank was not meant to allow third parties (such as data aggregators) to access data on behalf of consumers through programmatic interfaces such as APIs.
In this reading of the law, Dodd-Frank was meant to enable consumers to download their own financial data (in a CSV file, for example) and, if they wished, share it with other financial institutions or service providers (like product comparison sites).
The proponents of this argument appear unconcerned that this implementation of open banking would be substantially less valuable and convenient for consumers than the developer-centric, API-driven model we have today.
(Use credit reports as an analogy. Imagine how much less efficient consumer lending would be if consumers had to manually download their credit report and upload it to each lender they wanted to apply for a loan from.)
However, as the CFPB says, the statutory text of section 1033 is sparse. It doesn’t weigh in, one way or the other, on this question. What it does do is define consumers as an “individual or an agent, trustee, or representative acting on behalf of an individual.”
In the ANPR, the CFPB is keenly interested in understanding how these terms apply in the context of open banking. Crucially, as the bureau notes, in common law, both agents and trustees have fiduciary duties (which typically include care, loyalty, good faith, and confidentiality).
Representative, by contrast, is a less defined and potentially less legally onerous term. Might data aggregators (and other third parties) acting on the explicit instructions of consumers count as “representatives” of those consumers under section 1033 of Dodd-Frank?
That seems to be a possible answer to this question, in the eyes of the CFPB.
Is it reasonable to impose fiduciary responsibilities on data recipients and authorized third parties?
But what if the CFPB determines that a representative acting on behalf of a consumer in an open banking context has the same fiduciary duties that an agent or trustee would have?
What if the bureau decides that the only third parties allowed to act on behalf of consumers in open banking must take on the legal mantle of a fiduciary? Is that reasonable?
This is an interesting question.
On the one hand, the current rule already imposes numerous fiduciary-like requirements on data recipients and third parties. And the idea of a “data fiduciary” isn’t new. It is built into the open banking laws of other countries (India, most prominently).
On the other hand, banks in the U.S. aren’t typically considered fiduciaries in the work that they do for their customers. Does it make sense to hold the permissioned facilitators and recipients of consumer financial data to a higher standard than we hold the originators of that data to?
(Remember, some big banks already do things with their customers’ data that would clearly fall short of this fiduciary standard. Chase Media Solutions is an obvious example.)
Given the lack of a national privacy law in the U.S., I would personally favor defining a new category of fiduciary responsibilities — a data fiduciary — and holding all participants in the ecosystem (banks, data aggregators, fintechs, and credit bureaus) to that standard equally. However, I doubt the current CFPB will go that far.
Will the bureau allow data providers to charge fees? If so, how much leeway will it give data providers to set their own fees?
Fees are obviously the issue that sits at the crux of this whole debate.
The CFPB’s framing of the issue in the ANPR is telling (at least to me):
Section 1033 of the Dodd-Frank Act, however, is silent on the question of how the burden of consumers’ exercise of the rights it creates should be shared between the consumer and the “covered person.” The Bureau is seeking comments and data generally on how to deal with this omission, and whether costs, benefits, or market forces might justify modifying the Rule’s provisions.
“The burden of consumers’ exercise of the rights it creates” is the type of language we didn’t see from the Chopra CFPB. It didn’t talk about the burden that consumers exercising their rights created for market participants. The Vought CFPB is making that a focus, which suggests to me that it is more sympathetic to the banks’ argument that they should be allowed to charge for access to the data.
However, this entire rulemaking effort from the Vought CFPB was initiated in response to Chase’s fee gambit, which the bureau clearly saw as excessive. It is also telling that the ANPR focuses on the term “defrayment of costs”.
The CFPB doesn’t appear to believe that data providers under the rule should be able to go beyond cost recovery when charging fees. If true, that would mean fees can’t be a profit center and cannot be used to discourage other behaviors (such as excessive secondary use) that annoy the banks.
It’s by no means a sure thing, but my guess at this moment is that the bureau’s draft rule will give data providers the ability to charge fees, but those fees will be limited and based on the costs incurred to comply with the rule.
One other observation on fees.
This section of the ANPR ends with this question:
If consumers ought to bear some of the cost in implementing requirements under section 1033, should that be shared by every consumer of a covered person, including those who may not wish to exercise their rights under section 1033?
This is a fascinating question because it suggests a potential future that I haven’t really been contemplating: a future in which end consumers pay their financial providers an explicit, up-front fee to enable programmatic data sharing.
I don’t think anyone (banks, data aggregators, fintechs, consumer advocates) really wants this, but it seems like the CFPB may be open to it.
Will the CFPB loosen restrictions on secondary data use?
This is one of the primary areas that the ANPR inquires about (they refer to it as “privacy”), and it’s clearly motivated by the concerns that JPMorgan Chase has expressed since introducing its fees. Namely, that data aggregators are allegedly abusing access to its APIs for purposes far beyond what consumers have authorized.
However, as I have previously written, the current rule is very strict regarding secondary data use. I’m not sure there’s much further for the bureau to push those restrictions (they obviously need to be enforced, but that’s a separate issue). Indeed, the way the ANPR addresses privacy (focusing on specific concerns, such as the licensure or sale of consumer financial data, rather than broader consumer privacy rights) makes me wonder if the bureau might actually loosen the restrictions on secondary data use.
This would be a catastrophic outcome for the big banks. It’s not guaranteed to happen (my money is on the rule mainly staying unchanged in this area), but even a slight chance of it happening should be concerning to them.
Why doesn’t the ANPR ask about liability?
I don’t know! But it doesn’t. I have double and triple-checked.
The ANPR does ask about information security, which is arguably a proxy for these same concerns that banks have about the risks created by consumer-permissioned data sharing. Here’s a good example:
Covered persons are subject to several legal obligations regarding risk management, such as safety and soundness standards, Bank Secrecy Act (BSA) requirements, and Anti-Money Laundering (AML) regulations. What should covered persons consider under these legal obligations when making information available to consumers? How could the Rule’s interface access provision better allow covered persons to satisfy these legal obligations?
But if banks were looking for a more defined framework for assigning liability in open-banking-powered use cases (particularly payments use cases), they may end up being disappointed.
On the plus side for banks, I think it’s possible that the Vought CFPB will take a more hardline stance on screen scraping than the Chopra CFPB did:
What are the costs and benefits of the Rule’s provisions designed to reduce the use of screen scraping? What changes would better protect the security of consumer credentials?
How is the CFPB feeling about standard-setting organizations these days?
The Financial Data Exchange (FDX), which is the formally recognized standard-setting organization for open banking under the current rule, is also not mentioned. In fact, standard setting in general isn’t really discussed (outside of specific areas such as information security).
The reason this is important is twofold.
First, FDX is a bit fractured right now. The BPI lawsuit and JPMC’s fee gambit really damaged the trust that banks had built with fintech companies and data aggregators over the last few years. Rebuilding those relationships is possible, but it will require some work.
Second, from what I hear, the Vought CFPB isn’t especially bullish on industry standards. The bureau obviously doesn’t want to have to set standards itself (the free market can figure it out!), but it also doesn’t seem overly interested in engaging with or empowering an industry standard-setting organization.
This is disappointing. I would have liked to see a more explicit focus on standard setting in the ANPR. There’s a lot of room to work between prescriptive regulatory rules and the free market, but we need to empower a standard-setting organization to actually do that work.
Will the overall scope of the rule change?
The CFPB didn’t provide any hints that it is considering this in the ANPR, so I would tend to doubt it.
The scope of covered data (deposit accounts, credit cards, and digital wallets) is unlikely to expand. And I don’t think the bureau will try to descope payment initiation from the rule. JPMC really wants it to, but the pushback from data aggregators and crypto companies would be fierce.
How long will all of this take?
This might be the most important question.
At the very end of the ANPR, the bureau states its intention to push back the compliance deadlines for the existing rule:
The Rule included a series of compliance dates by which data providers would need to comply with the requirements in subparts B and C of the Rule. These compliance dates were determined by the size of the entity, and ran from April 1, 2026, through April 1, 2030. As part of its reconsideration of the Rule, the Bureau plans to issue a Notice of Proposed Rulemaking to extend the compliance dates.
If you are a close student of the Administrative Procedure Act (APA), you might be asking, “Wait. How could the CFPB issue a Notice of Proposed Rulemaking to push back the compliance deadlines set by the current rule? Wouldn’t it be skipping steps?”
Yes! Yes, it would!
Specifically, the bureau appears to be reluctant to undergo the SBREFA process. SBREFA stands for the Small Business Regulatory Enforcement Fairness Act, which amended the APA to give small businesses more opportunities to weigh in on regulatory rules that would have a significant economic impact on them.
I’m guessing that the reason the CFPB wants to skip the SBREFA process is that if it went through the process (which is quite lengthy), it likely couldn’t push through a change to the compliance dates in the current rule before the first of those compliance dates (April 1, 2026, for the largest data providers) hit.
I can certainly understand why large banks may be pressing the CFPB to push through this change to the compliance dates (April 2026 is coming up fast! And it would be annoying to rush to comply with a rule that you know is in the process of being changed), but the prospects of actually doing that seem dubious, both legally (assuming that the courts actually force the Trump administration to follow the APA) and optically (how is it going to look if the CFPB doesn’t allow small businesses to weigh in on a regulatory change that would have a significant impact on them, for the benefit of JPMC and other big corporations?).
Will the banks (and their trade associations) stick together this time? Will fintech and crypto companies get more engaged? What about VCs?
I’m super curious to see who responds to this ANPR.
The first time through, banks were relatively unified. Most opted to let their trade associations respond on their behalf, and the various bank trade associations (which represent different segments of the market) seemed to be mainly in agreement.
Will that be true this time? Will large regional banks like Citizens and Fifth Third, which don’t seem philosophically opposed to open banking the way that others like PNC and U.S. Bank do, submit their own comments?
And what about fintech companies? Like banks, many of them left the heavy lifting to their trade associations (and data aggregators) last time. Will they do that this time? Or will they express their own individual opinions? It’s important to remember that large fintech companies will also be significant data providers under this rule. Their interests are not necessarily fully aligned with the data aggregators.
And what about fintech VC firms? With a few individual exceptions, they have mostly stayed silent in the wake of JPMC’s fee gambit. Will they speak up this time?
Finally, is it legally permissible for Tyler Winklevoss to just submit this tweet (which was, I think, highly influential in getting the CFPB to initiate this revision process) as his official comment?