- The CFPB’s 2024 PFDR rule created the first broad US open banking framework, requiring large financial institutions to provide consumer financial data for free to consumers and their authorised third parties on a phased timeline.
- Major banks and trade groups argue the rule is overbroad, unsafe, and beyond CFPB authority, pushing back on the fee ban, the scope of authorised third parties, and liability and security obligations.
- JPMorgan and other large banks have begun or planned to charge fintechs and data aggregators for API-based account access, citing infrastructure and fraud costs, triggering intense opposition from fintechs and tech firms.
- CFPB has moved to vacate and rewrite parts of the rule, reopening debates over who can access data, whether and how banks can charge fees, and how to balance innovation, competition, security, and consumer rights.
The Consumer Financial Protection Bureau’s final PFDR rule (October 2024) represents the most definitive US legal framework to date for open banking, requiring eligible data providers (banks, credit unions, card issuers, and non-bank providers) to supply consumers and their authorized third parties with covered financial data in machine-readable format, with no fees for the consumer or third party and strong limits on secondary usage. However, it exempts institutions with less than US$850 million in assets and staggers compliance dates from April 2026 through 2030, depending on institution size. [5][6]
Financial institutions—most notably major banks such as JPMorgan—and banking trade associations have mounted challenges. Key points of contention are the breadth of “authorized third parties” (including whether data aggregators qualify), potential data security and liability risks, the prohibition of cost recovery via fees, and the rule allegedly exceeding CFPB’s statutory authority. In response, in May 2025 the CFPB itself stated it would seek to vacate the rule, calling it “unlawful,” and subsequently released an Advance Notice of Proposed Rulemaking in August 2025 to reconsider components like fee logic, scope of representation, security, and liability. [3][4]
Corporate strategy actions have emerged in parallel. In July 2025, JPMorgan informed fintech aggregators it would begin charging them for accessing customer data through APIs, particularly targeting those making many background/pull requests, citing infrastructure cost and fraud risk. Agreements with Plaid, Yodlee and others formalised fee structures in late 2025. [2][4][7]
From a fintech perspective, fees—especially high or frequent ones—could undermine business models that depend on continuous account access for product features. Meanwhile, banks argue fees are legitimate cost recovery, positioning themselves as overinvested infrastructure owners who deserve compensation. One financial institution defended the fees as necessary to maintain secure, reliable infrastructure amid non-customer or non-transactional data pulls. [7][2]
Strategic implications are substantial: who owns access to customers’ financial data controls parts of the fintech/AI/data ecosystem. Chargeable access could shift power back toward large incumbent banks. For fintechs and startups, this may raise barriers to entry. Regulatory uncertainty adds risk: compliance deadlines, legal challenges, and CFPB’s likely revisions mean investment, legal, and product roadmaps are at risk.
Open questions include: What constitutes “reasonable” fees under law? Will the CFPB reimpose fee prohibitions or allow banks to charge aggregators under tighter conditions? How will liability and data security obligations be enforced? What business and pricing changes will small fintechs or aggregators make? And will consumer rights over aggregate behavior data (used for AI, analytics) be preserved?
Supporting Notes
- The PFDR rule, finalised October 22, 2024 under CFPB Section 1033, requires financial providers to make consumers’ transaction, balance, payment-initiation and related data available free of charge to consumers or authorised third parties. Compliance dates vary with institution size, from April 1, 2026 up to 2030. [5][6]
- Exemptions include depository institutions with assets under US$850 million. The rule also limits secondary uses, requires express consent, requires data access to be revoked upon request, and restricts retention to one year unless required for service. [5][6]
- In May 2025, CFPB declared the 1033 rule “unlawful” in legal filings and proposed rescinding or vacating it. [3][4]
- On July 11, 2025, JPMorgan sent data aggregators pricing sheets that vary by use case, with higher fees for payment-focused companies, justified by infrastructure cost and data security risk concerns. [2][4]
- Internal data showed JPMorgan received ~1.89 billion aggregator API requests in June 2025, of which only ~13% were tied to active customer transactions; the rest were background/snapshot pulls. [7]
- Over 80 CEOs from fintechs, retailers, crypto firms, and others signed a letter on August 13, 2025 urging Trump to oppose “exorbitant” account access fees that would take effect in September. [1][4]
- Banking associations (ABA, BPI, CBA etc.) responded with a joint statement defending the ability to charge fees, citing liability, security, and infrastructure cost; they oppose mischaracterizations of current rules and assert that banks don’t charge consumers for access. [1][3]
- CFPB in August 2025 issued an Advance Notice of Proposed Rulemaking to reconsider key aspects: who acts as authorised representative, fees to defray provider costs, data security and liability. [3][4]
Sources
- [1] www.consumerfinance.gov (CFPB) — August 22, 2025
- [2] www.reuters.com (Reuters) — July 11, 2025
- [3] www.americanbanker.com (American Banker) — August 21, 2025
- [4] www.ftassociation.org (Financial Technology Association) — August 14, 2025
- [5] www.reuters.com (Reuters) — October 22, 2024
- [6] www.ft.com (Financial Times) — October 22, 2024
- [7] www.pymnts.com (PYMNTS) — November 14, 2025
