Could it be that we're witnessing the dawn of consumer-driven financial advancements in the United States with Open Banking? This innovation could potentially pave the way for an era of customer-focused financial breakthroughs.

Could it be that we're witnessing the dawn of consumer-driven financial advancements in the United States with Open Banking? This innovation could potentially pave the way for an era of customer-focused financial breakthroughs.

The Consumer Financial Protection Bureau (CFPB) has finalized its Personal Financial Data Rights rule, a move aimed at giving consumers greater control over their financial data. The rule, which is part of the CFPB's efforts to activate Section 1033 of the Consumer Financial Protection Act, was published on October 22, 2023.

The rule is designed to put consumers in control of their finances and financial data, with the aim of clamping down on risky data collection practices and ensuring consumers can get their data free of junk fees. However, the compliance dates for another rule, relevant to small business lending under Section 1071 of the Dodd-Frank Act, have been delayed due to ongoing litigation.

The Personal Financial Data Rights rule requires banks, credit unions, fintechs, and other nonbank lenders making at least 100 small business loans in the prior two calendar years to collect and report detailed data, including 81 data points on borrowers' race, gender, ethnicity, and ownership by minorities, women, or LGBTQI+ individuals. The extended timeline for this rule reflects the CFPB's responsiveness to litigation and industry concerns but maintains the rule’s underlying mandates to enforce fair lending laws and improve transparency in small business lending.

Compliance with the Personal Financial Data Rights rule is being implemented in phases, with the country's largest financial institutions required to comply by April 1, 2026, while the smallest covered institutions have until April 1, 2030. Smaller financial institutions may face challenges in complying with the rule, as they are heavily dependent on their core providers for technology solutions.

Industry experts, such as Ozone API's Sivan, applaud the CFPB's efforts but believe the inclusion of standardized APIs for payment initiation will help the CFPB achieve its goals. MX's Barratt concludes that institutions of any size that think of Section 1033 as a regulatory stick instead of a competitive carrot are at risk of being left behind. The institutions that adopt Open Banking and compete to deliver the best experience will be more likely to earn consumer loyalty and engagement for the long term.

However, the rule has not been without controversy. On the same day that the CFPB issued its final Open Banking rule, the Bank Policy Institute and Kentucky Bankers Association filed a lawsuit challenging aspects of the agency's rulemaking under Section 1033 of the Dodd-Frank Act. The lawsuit asserts that the CFPB overstepped its statutory authority and finalized a rule that jeopardizes consumers' privacy, financial data, and account security.

Rob Nichols, president and CEO of the American Bankers Association, has noted that while privacy and security around consumers' personal financial information are core bank values, some concerns about scope, liability, and cost remain unaddressed. Boms suggests that the CFPB could have drawn a harder line between secondary use for the purpose of marketing and secondary use for the purpose of product development. Barratt believes third-party risk management could be more prescribed from an interagency perspective and that a lack of guidance on liability sharing puts strain on ecosystem players.

Despite these concerns, the rule provides uniformity, so that consumers have certain rights regardless of who they bank with and the third-party tool they choose to use. At least 100 million consumers have authorized a third party to access their account data, with the number of individual instances in which third parties accessed or attempted to access consumer financial accounts exceeding 50 billion in 2022 and potentially reaching as high as 100 billion.

As of mid-2025, the Bureau has extended the compliance deadlines for lenders in three tiers based on loan volume as follows:

| Compliance Tier | New Compliance Date | New First Filing Deadline | |-------------------------------|---------------------|--------------------------| | Tier 1: Highest Volume Lenders | July 1, 2026 | June 1, 2027 | | Tier 2: Moderate Volume Lenders| January 1, 2027 | June 1, 2028 | | Tier 3: Smallest Volume Lenders| October 1, 2027 | June 1, 2028 |

Kat Cloud, compliance principal director at Envestnet|Yodlee, believes small banks and credit unions will not be left behind in implementing the CFPB's Personal Financial Data Rights rule.

[1] Consumer Financial Protection Bureau. (2023). Frequently Asked Questions: Small Business Lending Data Collection Rule. Retrieved from https://www.consumerfinance.gov/about-us/newsroom/cfpb-issues-final-rule-on-small-business-lending-data-collection-and-reporting/

[2] Consumer Financial Protection Bureau. (2023). Frequently Asked Questions: Personal Financial Data Rights Rule. Retrieved from https://www.consumerfinance.gov/about-us/newsroom/cfpb-issues-final-rule-on-personal-financial-data-rights/

1. The Personal Financial Data Rights rule, aimed at consumer financial data control, requires banks, fintechs, and other lenders to collect and report detailed data, including data on borrower demographics, in line with the CFPB's efforts to activate Section 1033 of the Consumer Financial Protection Act.
2. Compliance with this rule is being implemented in phases, with the largest financial institutions required to comply by April 1, 2026, and smaller covered institutions having until April 1, 2030.
3. Industry experts argue that the inclusion of standardized APIs for payment initiation in the rule will help achieve the CFPB's goals, while some concerns remain unaddressed regarding scope, liability, and cost.
4. The rule has been met with controversy, as the Bank Policy Institute and Kentucky Bankers Association have filed a lawsuit challenging aspects of the rule's implementation under Section 1033 of the Dodd-Frank Act.
5. At least 100 million consumers have authorized a third party to access their account data, with potentially over 100 billion instances of third-party access in 2022.
6. Small banks and credit unions are not expected to be left behind in implementing the CFPB's Personal Financial Data Rights rule, according to compliance principal director Kat Cloud from Envestnet|Yodlee.

Read also: