Court Halts CFPB’s Open Banking Rule as Banks, FinTechs Await Rewrite

Highlights

A court ruling has halted enforcement of the CFPB’s open-banking rule until new rulemaking concludes.

Banks say the stay prevents wasted compliance costs while the Bureau rewrites the rule.

But the court decision keeps credit unions and digital-first banks in regulatory limbo as consumers’ data-sharing rights hang in the balance.

Open banking’s path toward implementation took another turn on Wednesday (Oct. 29) when the U.S. District Court for the Eastern District of Kentucky enjoined the Consumer Financial Protection Bureau from enforcing its Personal Financial Data Rights Rule — the regulation built on Section 1033 of the Dodd-Frank Act — until the Bureau completes its ongoing reconsideration.

    The ruling freezes compliance deadlines that would have required some institutions to be ready as soon as June 2026, signaling that the years-long fight over who controls consumer-financial data is far from settled.

    Why 1033 Matters

    Section 1033 was intended to let consumers obtain and share their own financial information. The CFPB’s now-paused rule would have required banks and credit unions to build standardized digital “developer interfaces” allowing consumers and any third parties they authorize to access transaction histories, balances, and payment data at no charge.

    Supporters called it a cornerstone for real-time data portability across mobile-banking apps and FinTech platforms. But banks argued the Bureau exceeded its legal authority and underestimated the security and cost burdens of transmitting sensitive data to outside aggregators.

    The Court’s Reasoning

    Judge Danny Reeves held that plaintiffs — Forcht Bank, the Kentucky Bankers Association and the Bank Policy Institute — are likely to prevail on claims that the rule exceeded the CFPB’s statutory authority and was arbitrary and capricious under the Administrative Procedure Act.

    The opinion said Section 1033’s text limits access to a consumer or a fiduciary-like agent, not commercial third parties, and faulted the Bureau for failing to weigh the cumulative data-security risks of mandatory open access. The court also questioned the CFPB’s ban on interface fees and its fixed compliance dates.

    “The plaintiffs raise a reasonable argument that the CFPB failed to address a key issue: How data providers are expected to comply with the Rule when the ‘consensus standards’ may not yet exist by the applicable deadlines,” the judge wrote. Elsewhere, per the ruling, already-incurred “compliance costs are likely unrecoverable and, therefore, constitute irreparable harm under the facts presented here … it would be unreasonable to require the plaintiffs and their members to bear compliance expenses for a rule that the CFPB itself previously argued was unlawful and is now in the process of replacing through new rulemaking.”

    BPI Statement to PYMNTS

    In a joint release provided to PYMNTS, the Bank Policy Institute, Kentucky Bankers Association and Forcht Bank welcomed the outcome. They contended that the rule “is a common-sense procedural step that doesn’t interfere with the rulemaking process but ensures banks won’t be forced to invest time and resources preparing for a rule that is currently being rewritten.”

    That relief follows months of legal back and forth. The CFPB had already told the court it planned to re-examine the rule and publish an advance notice of proposed rulemaking. The new proceeding, launched August 22, 2025, sought public comment on definitions of “representative,” data-security obligations, cost-sharing, and whether compliance dates should be extended. Yet with no extension formally issued, banks moved again for injunctive relief — and won.

    What the Stay Means Now

    The injunction effectively freezes implementation nationwide until the CFPB finalizes a new version of the rule. The Bureau has said it intends to “comprehensively reexamine” the framework, which could stretch well into 2026. That means banks, credit unions and FinTechs face continued uncertainty about technical standards, liability allocation and how consumer authorization will be verified across digital and mobile channels.

    For traditional FIs, the pause relieves immediate pressure to fund API infrastructure projects that may soon change.

    But it also delays clarity on work with FinTechs that already use data-sharing APIs voluntarily. For larger banks and aggregators, it extends the waiting game over whether fees for secure connections will be allowed.

    Recent PYMNTS Intelligence studies show how consumers’ appetite for connected financial experiences is shaping expectations for open banking. A PYMNTS Intelligence report, “Pay by Bank: Consumer Adoption Hinges on Security Concerns,” found that security and clear protections drive adoption; nearly 6 in 10 consumers would switch some transactions to pay by bank when buyer protections and small rewards are offered. That signals demand for bank-to-bank options inside mobile and digital banking if risk, recourse and incentives are explicit.

    The court’s ruling doesn’t kill open banking. It simply resets the timeline.