As CFPB revisits 1033, the core principles of open banking must endure

The CFPB’s recent announcement that it will rewrite its Section 1033 rule under the Dodd-Frank Act marks a significant moment in the evolution of open banking. In seeking a stay in ongoing litigation brought by Forcht Bank, the Bank Policy Institute (BPI) and the Kentucky Bankers Association, the Bureau signaled that it intends to revisit — and likely narrow — the scope of the final rule it issued earlier this year.

While this pivot creates uncertainty for financial institutions, fintechs and consumers alike, the agency’s move to initiate a new advanced notice of proposed rulemaking (ANPR) offers a chance to preserve the original spirit and purpose of 1033. That is, to empower consumers with control over their financial data and foster innovation through secure, consumer-permissioned data sharing.

The initial 1033 rule marked a significant step in strengthening consumer choice by reinforcing the open-market approach to financial services that has fueled innovation across the fintech and broader financial ecosystem. The purpose was clear: to create a consistent, standardized framework for accessing and sharing financial data, allowing consumers to seamlessly and securely move their information between institutions and service providers. By prohibiting financial institutions from charging fees for data access or sharing through the required interface, the rule sought to prevent entrenched players from using cost barriers to limit competition.

Notably, feedback during the notice-and-comment process reflected broad, bipartisan support for 1033’s goals. Preserving these core protections in any rewrite will be essential to ensuring open banking continues to expand opportunity rather than concentrate it.

It’s true that even without a federal standard like 1033, data aggregators and financial institutions are beholden to existing state and federal laws — GLBA, FCRA, UDAAP, CCPA and other state statutes — as well as private data-sharing agreements. These guardrails mean dismantling 1033 will not erase the data aggregation model that has reshaped consumer financial engagement. However, without standardization, the result will be more friction, less consistency and higher costs for consumers.

So, the question now is not whether open banking will survive — it will — but who will ultimately pay for a less regulated, more fragmented system.

More than half of Americans primarily manage their banking accounts through mobile apps. Every login, deposit, payment and loan application depends on secure flows of personal financial data. That data belongs to the consumer, and open banking is the idea that it should move with them, no matter where they bank or what services they use.

Fintechs play a critical role in making banking more accessible, whether for rural communities, consumers with thin credit files or people navigating financial systems not built for them. For these groups, data portability is a pathway to inclusion, competition and better outcomes.

However, JPMorgan Chase’s recent announcement that it will charge fintechs for access to customer data underscores the very risks a weakened 1033 could create, including higher costs and diminished consumer control. Any fees charged to fintechs will almost certainly be passed on to consumers, making digital banking more expensive. For the largest incumbents, this kind of move pulls control back toward legacy infrastructure and away from the open, competitive model 1033 was meant to advance. 

What’s more, without a clear federal standard, compliance will fall into a patchwork of state rules, raising costs and complexity, especially for community and regional banks. Cybersecurity risks will continue to grow, and in the absence of uniform safeguards, the cost of breaches — averaging over $6 million in the financial sector — will ultimately land with the consumer.

JPMorgan contends that since it invested heavily in secure data infrastructure, it shouldn’t be expected to give up access for free. But protecting consumer data is a core responsibility, not a revenue stream. If more financial institutions adopt the view that secure data portability is a luxury, it will only reinforce the very inequities open banking aims to solve.

Section 1033 isn’t a silver bullet, but it is a necessary step toward a more modern and inclusive financial system. The CFPB’s rewrite is a chance to reaffirm its obligation to protect consumer rights, encourage innovation and set clear, consistent rules of the road.

As the debate unfolds, political maneuvering and corporate interests must not overshadow the principle at the heart of open banking: consumer choice and freedom. Open banking is not going away. The question is whether the new 1033 will make it more open — or more expensive.