The US Consumer Financial Protection Bureau (CFPB) has issued an advanced notice of proposed rulemaking (ANPR), asking for public comment to reconsider the implementation of the Open Banking rule.
This move may highlight some potential shifts in regulatory expectations for consumer-authorised data sharing. The agency aims to reopen the Personal Financial Data Rights Rule, which initially enabled consumers to require transaction data from card issuers, account-holding institutions, and specific payment processors, possibly modifying the scope and enforcement framework of these rights.
Reopening the Open Banking rule
The issued ANPR centres on four areas, including defining who may act as a consumer-authorised recipient of financial data, allocating the costs of data access, managing information security risks, and protecting consumer privacy. However, the fintech industry should be aware that these focal points may presage additional modifications beyond the aforementioned four areas. According to the CFPB, the agency is set to accept public comments through 21 October 2025.
Furthermore, the ANPR includes 34 questions on which the agency needs comments and data, organised under four headings. These include:
- Who is a “representative” of a “consumer” who can be an authorised third party who can request a consumer’s financial data?
- How to allocate the costs of providing consumer financial data at consumers’ request?
- How should the rule account for the information security threat environment?
- How to ensure consumers understand what they are authorising so they have a say in their data privacy?
Market participants should take into consideration the opportunity to comment to support influencing the impact of any modifications on their compliance requirements and the strategic implications of how the access rights and security standards may change competition and consumer trust.
