Save the Open Banking Rule
This week, we worked with our client, the Blockchain Association, on a CFPB comment letter. Check it out.
Brogan Law provides top-quality legal services to individuals and entities with questions related to cryptocurrency. Cryptocurrency law is still new, and our clients recognize the value of a nimble and energetic law firm that shares their startup mentality. To help our clients maintain a strong strategic posture, this newsletter discusses topics in law that are relevant to the cryptocurrency industry. While this letter touches on legal issues, nothing here is legal advice. For any inquiries email info@broganlaw.xyz
So back in 2010, there was a major financial reform called the Dodd–Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank”). This act did a great many things, so many indeed that nobody is really casually familiar with all of them. We’ve written about various of these here many times, including our very first newsletter!
Title X of Dodd-Frank, in turn, was something called the Consumer Financial Protection Act, which created the Consumer Financial Protection Board (“CFPB”). Now, at the time, some people loved to complain about the CFPB calling it redundant, or saying it was just a private fiefdom for its progenitor, Elizabeth Warren.
I vividly remember touring their offices in D.C. in 2013 and finding them dead and sterile, empty rows of office chairs in a gray box. It was genuinely bizarre.
But over the years, while some in industry never fully accepted the new agency, it grew more integrated into the broader financial ecosystem, and took on an important role. While agencies like OCC and the Fed regulate banks’ touchpoints with the financial system, the CFPB regulates banks’ contact with consumers.
Yesterday, we submitted a comment letter to the CFPB with our client the Blockchain Association addressing exactly that. How banks can interact with consumers. Here’s why.
Section 1033
Section 1033 of Dodd-Frank (now codified as 12 USC § 5533) is known as the “Open Banking Rule.” It says, among other things that “covered persons” (basically, banks) “shall make available to a consumer, upon request, information in the control or possession of the covered person concerning the consumer financial product or service that the consumer obtained from such covered person, including information relating to any transaction, series of transactions, or to the account including costs, charges and usage data.”
Exactly what this means is a matter of debate1, but generally it suggests that banks have to provide consumers with their banking data. And “consumer” within Dodd-Frank is not the same as “consumer” in natural English. It’s a defined term in 12 USC 5481(4) that means “an individual or an agent, trustee, or representative acting on behalf of an individual.” (emphasis added).
There are entire industries, fintech, primarily, but also DeFi to a lesser extent, that are built out of using this data to create products for consumers. Banks really don’t like this, because if these third parties create products for consumers then the banks themselves can’t sell those products to consumers. There are profits available in the analyzing-reams-of-data-and-selling-insights-to-consumers business, and the banks want them. So they would really prefer if they didn’t have to give their competitors data that they feel they own.
But when you look at Section 1033 and the definition of consumer together, it sure seems like Banks have to provide the fintechs with this data. After all, any agreement an end-user signs with a fintech will surely make that firm the fintechs “representative” and that means, for statutory purposes, the banks shall make information available to them upon request. This, broadly, is open banking.
Case closed, right?
Rulemaking
As it turns out, the banks do not consider this case to be closed, and for that reason, Section 1033 has a somewhat tortured history. While it was passed in 2010, rulemaking didn’t even start until 2020. Then, it took virtually the entire term of the Biden administration to promulgate a final rule. With quite a bit of gnashing of teeth along the way.
Finally, the CFPB set out its final rule in November 2024, after the Democrats lost the election. We’ve been critical in the past of this practice, sometimes called midnight rulemaking, through which agencies implement rules during the lame duck that they’re pretty sure the next administration is not going to like.
But in this case, it was pretty clear which way the wind was blowing for a while, and if your rule has been pending for 14 years, I’d say it’s due whenever it comes up.
While there has been much controversy over various aspects of this law, the final rule ended up including one particularly controversial provision. Not only did it require banks to provide consumer data to fintechs through API interfaces. Section § 1033.301(c) of the final rule stating that:
Fees prohibited. A data provider must not impose any fees or charges on a consumer or an authorized third party in connection with: (1) Interfaces. Establishing or maintaining the interfaces required by paragraph (a) of this section; or (2) Requests. Receiving requests or making available covered data in response to requests as required by this part.
Banks really didn’t like this part. And you can see why. The rule requires them to maintain sophisticated technical interfaces (that they were maintaining already for commercial purposes) and to allow third parties to ping those interfaces for data, that the third parties are going to use for profit, for free.
So they didn’t wait a beat. The same day the CFPB issued the final rule, the banks sued through their trade group, the Bank Policy Institute. They made standard Administrative Procedure Act claims about the rule, and that case, Forcht Bank, NA v. Consumer Financial Protection Bureau, No. 5:24-cv-00304-DCR in the U.S. District Court for the Eastern District of Kentucky, is ongoing.
Morning in America?
Then, in January, Trump came in. This has been a pretty unalloyed blessing for crypto, but for the open banking rule, it was trouble. See, Republicans have not always been fans of the CFPB. During Trump’s first term they, erm, ramped down enforcement.
This time around, the administration made it its mission to reverse Biden era regulation, issuing Executive Order 14236, Additional Rescissions of Harmful Executive Orders and Actions on March 14th, 2025. The accompanying fact sheet signaled a policy approach to “review and repeal [...] harmful Biden administration policies to usher in a new golden age for America.” We covered the use of the Congressional Review Act back then.
But with the Open Banking Rule, the administration took a different tack. Trump appointed Russ Vought as acting director of the CFPB, and they moved to stay proceedings in the ongoing litigation, telling the court “the [Open Banking] Rule is unlawful and should be set aside.”
A lot of procedure followed that is too granular to include here, but the upside is that, in July, the case was stayed, and then on August 22, 2025 the CFPB issued this ANPR, Personal Financial Data Rights Reconsideration, seeking comment on issues “related to implementation of [S]ection 1033” including “who can serve as a ‘representative’ making a request on behalf of the consumer; the optimal approach to the assessment of fees to defray the costs incurred by a ‘covered person’ in responding to a customer driven request; the threat and cost-benefit pictures for data security associated with [S]ection 1033 compliance; and the threat picture for data privacy associated with [S]ection 1033 compliance.”
They want to reverse the rule!
This makes sense, at first blush, because the Republican Party is generally positioned as pro-industry, and the banking industry hates the rule! But it turns out that some other industries have become important since 2010, and fintech and DeFi have something to say about it too!
Our Argument
Back in August, the BA approached us to help develop arguments to support the old rule. The access to open banking is crucial to firms that intermediate and structure transactions using large amounts of data, and banks are already trying to take it away. On July 11, 2025, JPMorgan Chase circulated pricing sheets to data aggregators stating it would begin charging for API access to customer account data.
We made two legal points in our comment. First, the language of Dodd-Frank necessarily requires access to third parties, like fintechs and DeFi. Dodd-Frank defines consumer to include representatives, and those third parties are representatives. There are convoluted arguments pointing the other way, but this is straightforward.
Second, the language of 1033 prohibits fees. This argument is a bit trickier. The section does not have any verbiage specifically addressing fees, but what it does do is (i) create a rule, banks must give consumers data access, and (ii) name exceptions to the rule.
This is the paradigmatic example of the canon of interpretation expressio unius est exclusio alterius, which has force “when the items expressed are members of an ‘associated group or series,’ justifying the inference that items not mentioned were excluded by deliberate choice, not inadvertence.”
But the real nub of this argument comes down to this. Yes, this rule is effectively shifting costs from fintechs to banks. But fintechs and DeFi are fundamentally more competitive sectors thank banking. If banks control the data, and can choose or monetize flows out, then their incentive to develop tools to use it is diminished. It is only a robust sector of outsiders that will ever drive them to push forward. It is hard to switch banks, it takes time. If you live in a rural area, it may not even be possible. But fintechs are easy, and that’s why they have driven so much innovation. In this sense, the Open Banking Rule is a policy choice we are making to drive the financial sector forward, and we think that is a good thing.
It was a great honor to work with the BA on this project. There is more on the way.
Until next week.
Brogan Law is a registered law firm in New York. Its address and contact information can be found at https://broganlaw.xyz/
Brogan Law provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship. Readers should not act upon this information without seeking advice from professional advisers.
That’s what you hire us for.