The Consumer Financial Protection Bureau is shuttered — at least for now.
In the wake of Russell Vought — head of the Office of Management and Budget — moving to the acting director role at the CFPB, supervisory and examination activities were halted Sunday (Feb. 9).
On Monday (Feb. 10), news came that Vought sent an email to CFPB staffers that said, “Employees should not come into the office. Please do not perform any work tasks.”
Online, much of the CFPB website is hobbled, with a 404-error message, job postings scrubbed, and links to past rulemaking and enforcement actions here and there.
The debate over the agency’s funding is likely to rage, and it’s no secret that the President Donald Trump administration and Republicans in Congress are targeting the structure wherein the CFPB gets its money from the Federal Reserve.
If future rulemaking is indeed dead in the water and existing rules could be cut back, the sweeping moves would presumably include the October issuance of the final rule that would shape how personal financial data is handled, and by extension, how open banking evolves.
For now, the final rule took effect last month, and banks must eye a phased-in approach to compliance.
The rule, which is based on Section 1033 of the Dodd-Frank Act, mandates that banks, credit unions and other financial institutions must make consumers’ financial data available upon request to consumers and authorized third parties. This data includes information about transactions, costs, charges and usage related to consumer deposit accounts, credit cards and payment services, data in payment apps and digital wallets as well as bank accounts.
The rule also establishes strict guidelines for third parties seeking to access consumer data, including data security measures.
For banks, there’s a requirement for standardized API development and a ban on institutions from charging fees for data access.
As for the timeline, the rule is being implemented in phases, with larger providers subject to the rule sooner than smaller ones, per the CFPB. The largest banks will have to comply by April 1, 2026, while the smallest institutions will have until April 1, 2030. Certain small banks and credit unions are not subject to the rule.
The new, 119th Congress will likely wield much power in scuttling rules, as the Congressional Review Act lets lawmakers overturn rules stretching back over six months through joint resolutions of the Senate and House.
The banks themselves, through the Bank Policy Institute and the Kentucky Bankers Association, filed a lawsuit against the CFPB in October, alleging that the rule “seeks to cut off that private development and replace it with a complicated, expensive, mandatory regulatory framework that Congress never authorized.”
The lack of fee structure also disallows banks to recoup costs while adding to the operational burden of compliance (as financial institutions would bear liability for breaches), the lawsuit said.
If the rule is struck down, it’s possible that banks will re-examine their open banking efforts and strike FinTech partnerships that are economically advantageous to both sides of the provider equation as data is shared. There are already aggregators that act as a data-transfer bridge between banks and FinTechs.
The organic, market-based approach would bring more momentum to embedded finance and other services. The PYMNTS Intelligence report “Consumer Sentiment About Open Banking Payments” found that 46% of consumers surveyed would be “highly willing” to use open banking options for bill payments and financial services. However, only 11% of consumers in the United States have used open banking payment options, which leaves 89% of a thus-far untapped market.
Although the compliance deadlines put forth by the CFPB are months away, the technical and operational lifts required to implement the rule are heavy. Will banks push to meet those deadlines even as the fate of the CFPB is being determined, or will they find their own avenues to innovate with FinTechs to share and protect data in the spirit of the rule?
Plaid is an example here, as the data connectivity platform enables customers to store their verified identity and account information with Plaid and reuse it across other Plaid-powered apps. This reduces sign-up time for new services by as much as 90% in some cases and improves the conversion rate as well as the overall consumer experience.
In an October interview with PYMNTS on open banking, Brian Dammeir, head of payments for Plaid, said that the rule offers a roadmap.
“Fraud liability in bank-based payments, particularly on the ACH rail, is well-established,” he said. “But as we move to a real-time world, those rules will need to evolve, and consumers will need to understand their protections.”
“The banks that see this as an opportunity rather than a compliance obligation will be the ones to succeed,” Dammeir said.
