trending
The US District Court for the Eastern District of Kentucky has issued an injunction halting enforcement of the Consumer Financial Protection Bureau’s (CFPB) Open Banking rule.
Court freezes CFPB’s Open Banking rule
This leaves banks, credit unions and FinTechs in regulatory limbo as the Bureau reconsiders its approach to data-sharing.
The ruling effectively pauses compliance deadlines that were due to begin in June 2026, underscoring that the long-running dispute over consumer data rights in US finance is far from resolved.
A Pause on the CFPB’s Section 1033 Rule
At the heart of the case is Section 1033 of the Dodd-Frank Act, which gives consumers the right to access and share their financial data.
The CFPB’s now-paused Personal Financial Data Rights Rule would have required banks and credit unions to create standardised digital interfaces—essentially APIs—that allow consumers and their authorised third parties to securely access transaction histories and balances at no charge.
Proponents hailed the measure as the foundation for true Open Banking in the US, enabling seamless data portability across mobile-banking apps and FinTech platforms.
Banks, however, argued the CFPB had overstepped its authority, failed to account for cybersecurity risks, and underestimated the costs of compliance.
Court Finds CFPB Likely Overstepped Its Authority
Judge Danny Reeves sided with the plaintiffs—Forcht Bank, the Kentucky Bankers Association and the Bank Policy Institute (BPI)—finding they were likely to succeed on claims that the rule exceeded the CFPB’s statutory remit and was “arbitrary and capricious” under the Administrative Procedure Act.
The ruling highlighted Section 1033’s narrow language, which restricts data access to the consumer or a fiduciary-like representative, not commercial third parties.
It also criticised the CFPB for failing to assess the “cumulative data-security risks” of mandatory open access and for prohibiting interface fees without justification.
The court added that forcing banks to comply while new rulemaking is underway would cause “irreparable harm” due to unrecoverable compliance costs.
Industry Reaction and What Comes Next
In a joint statement, the BPI, Kentucky Bankers Association, and Forcht Bank welcomed the injunction as “a common-sense procedural step” that prevents wasted resources while the CFPB rewrites the rule.
The Bureau has already initiated a new rulemaking process, seeking public input on definitions, security obligations and compliance timelines—an effort that could stretch well into 2026.
For now, the decision suspends all implementation nationwide, easing near-term pressure on financial institutions to invest in API infrastructure.
Yet the pause also prolongs uncertainty for digital-first banks and FinTechs that depend on clear data-sharing standards to innovate responsibly.
While the ruling delays Open Banking’s rollout, it does not derail it.
Consumer demand for secure, bank-to-bank connectivity continues to grow—particularly when protections and incentives are explicit.
The legal setback simply resets the timeline for America’s long-anticipated leap into Open Banking.
Comments