CFPB data rule in legal limbo

The Consumer Financial Protection Bureau’s open-banking rule is on hold after the agency moved to reconsider it and a federal judge in Kentucky barred enforcement while that process plays out. (consumerfinance.gov) (cozen.com) Section 1033 is the part of the 2010 Dodd-Frank law that says a bank or other covered firm must give a consumer their account and transaction data on request. The Consumer Financial Protection Bureau’s final rule, released on October 22, 2024 and published in the Federal Register on November 18, 2024, set the mechanics for how that data would be shared electronically with consumers and authorized third parties. (consumerfinance.gov) (federalregister.gov) The 2024 rule required banks, credit unions and other financial providers to make covered data available in a “secure and reliable manner” and imposed obligations on outside firms that collect the data, including rules on collection, use and retention. It also set staggered compliance dates starting April 1, 2026 and running through April 1, 2030. (federalregister.gov) (govinfo.gov) The bureau changed course on August 22, 2025, when it opened a reconsideration process and asked for comment on four issues: who may act as a consumer’s representative, whether firms may charge fees, and the security and privacy risks tied to compliance. The bureau also said it planned a separate proposal to extend the rule’s compliance dates. (consumerfinance.gov 1) (consumerfinance.gov 2) That left the first deadline in a different posture than banks and financial-technology firms expected. April 1, 2026 had been the first compliance date under the 2024 rule, but the court order means the bureau cannot enforce that deadline for now. (govinfo.gov) (cozen.com) The case started the same day the rule was released. Forcht Bank, the Kentucky Bankers Association and the Bank Policy Institute sued the bureau on October 22, 2024 in federal court in the Eastern District of Kentucky, arguing the rule exceeded the agency’s authority and created privacy and security risks. (courtlistener.com) (bankingjournal.aba.com) Bank trade groups backed the pause after the court acted. The Bank Policy Institute, Kentucky Bankers Association and Forcht Bank said they were “grateful” the judge stayed the rule’s compliance deadline until the Consumer Financial Protection Bureau finishes new rulemaking. (bpi.com) Supporters of the original rule say it was meant to curb screen scraping and give consumers a clearer right to move their financial data to budgeting apps, payment tools and competing providers. The Consumer Financial Protection Bureau said in 2024 that the rule was designed to promote “fair, open, and inclusive” standards for data sharing. (consumerfinance.gov) (federalregister.gov) Senator Jacky Rosen said on April 14, 2026 that she had filed a joint resolution of disapproval aimed at reversing a separate Consumer Financial Protection Bureau rollback on data-protection policy. Her office said the resolution targets the bureau’s withdrawal of guidance on “insufficient data protection or security for sensitive consumer information.” (billtrack50.com) (rosen.senate.gov) For now, the practical result is simpler than the legal fight: the federal rule that was supposed to start taking effect on April 1 is not being enforced, and the Consumer Financial Protection Bureau is still deciding what version of open banking it wants to write next. (cozen.com) (consumerfinance.gov)