CFPB must withdraw open banking rule to protect innovation and consumer choice

On October 21, John Berlau, senior fellow and director of finance policy at the Competitive Enterprise Institute, submitted a comment letter to the Consumer Financial Protection Bureau (CFPB) urging it to withdraw its 2024 rule that implemented Section 1033 of the Dodd-Frank Act and to ensure that any future proposal adheres strictly to the statute’s language. Section 1033, which only takes up a few paragraphs of text, simply requires financial institutions to make consumer account data available to consumers upon request. The letter argues that the 2024 rule exceeds its mandate and congressional authority in two ways: 1) by establishing an “open banking” regime and 2) by mandating free sharing of consumer information.

Firstly, the letter argues that the 2024 rule exceeds its mandate and congressional authority by attempting to establish a de facto “open banking” regime, a term never explicitly mentioned in the statutory provision. Open banking goes far beyond the simple Section 1033 requirement. Instead, it requires the automatic sharing of consumer data among banks, credit unions, and third-party fintech and payment services, in addition to other apps and websites that receive payments from consumers.

The letter emphasizes recent Supreme Court decisions, including Loper Bright v. Raimondo (2024) and West Virginia v. EPA (2022). These decisions make clear that agencies cannot claim significant new powers without explicit authorization from Congress. The substantial policy shift exemplified by this rule is reinforced by the fact that in jurisdictions where open banking has been implemented, such as the European Union and the United Kingdom, open banking reforms were preceded by extensive parliamentary debates among elected officials rather than imposed unilaterally by regulatory agencies staffed by unelected bureaucrats. Supreme Court precedent signals that such sweeping changes constitute “major questions” that must come from Congress, underscoring the fact that the CFPB rule exceeds its statutory authority and would likely trigger the major questions doctrine.

The letter also argues that the 2024 rule exceeds its mandate and congressional authority by requiring banks to transfer valuable financial information to other businesses without compensation, essentially establishing a form of price control. In doing so, the rule would distort market pricing, create new privacy and cybersecurity risks, and undermine incentives for responsible data management. As noted, the text of Section 1033 only requires that banks and credit unions to make information from customer accounts available to the consumers they serve, it does not contain language mandating the sharing of data with other parties that may serve these same consumers, and it certainly does not mandate that banks and credit unions provide this information to other businesses for free; the rule is likely to face Loper Bright scrutiny for diverging from the law.

In conclusion, Berlau recommends that the CFPB:

• Withdraw the 2024 rule in its entirety;
• Ensure that any new rule sticks closely to the original language of Section 1033 requiring data sharing with consumers;
• Allow market forces to determine the terms and prices of data sharing between banks, credit unions, and fintech firms.

You can read the full comment letter here.