Court Pauses CFPB’s "Open Banking" Rule Pending Reconsideration

A federal district court paused enforcement of the Consumer Financial Protection Bureau’s ("CFPB") Personal Financial Data Rights Rule.

The U.S. District Court for the Eastern District of Kentucky temporarily lifted a stay on the litigation and enjoined the CFPB from enforcing the rule. The court postponed the effective date of the rule under the Administrative Procedure Act until the agency completes its reconsideration.

Finalized in 2024, the rule would have required financial institutions to share consumers’ financial data with authorized third parties, such as Fintech firms, at no cost when requested by the consumer. Several banking organizations sued the CFPB, arguing that the rule exceeded the agency’s authority under the Dodd-Frank Act and was adopted without adequate consideration of data security and compliance burdens. (See previous coverage.) The CFPB has begun a new rulemaking to substantially revise the regulation. The litigation had been stayed, but the original compliance deadlines—beginning in June 2026—remained in place, prompting the plaintiffs to seek the temporary relief.

In the Order, the U.S. District Court concluded that the plaintiffs were likely to succeed on the merits and would face irreparable harm if forced to prepare for compliance with a rule the agency intends to replace. The court identified several legal and procedural flaws, including that the rule likely exceeded statutory authority, imposed unreasonable deadlines, banned data access fees without clear authorization, and failed to assess cumulative data security risks.