The CFPB’s rule may be off the table, but smart institutions are using this pause to build the competitive edge they’ll need no matter what comes next.
In October 2024, the Consumer Financial Protection Bureau (CFPB) finalized its long-awaited rule under Section 1033 of the Dodd-Frank Act. This rule was intended to establish a national framework for open banking. The rule granted consumers control over their financial data and required financial institutions to make that data available to authorized third parties at no cost to the consumer.
The move was positioned as a leap forward for consumer choice and portability. It promised to help consumers shop for better financial products, switch providers more easily, and benefit from a more connected, data-driven financial ecosystem.
For community banks and credit unions, the rule presented both a serious challenge and a major opportunity. The compliance lift would be real, especially for smaller institutions, but so would the chance to deliver more competitive, tech-forward service without losing their relationship edge.
Then came 2025.
By late May, after lawsuits from the Bank Policy Institute, the Kentucky Bankers Association, and others, the CFPB conceded that the rule may have gone too far. On May 30, the bureau filed a motion asking the court to vacate the rule and pause the litigation. On July 29, the court granted that motion. The CFPB is now initiating an accelerated rewrite.
The reason? The bureau acknowledged that the rule likely exceeded its authority in several key areas, including the ban on data access fees, rigid compliance timelines, and the breadth of third-party access provisions.
And behind the legal retreat is a shift in leadership. In February 2025, Director Rohit Chopra was removed and replaced by Acting Director Russell Vought, who has signaled a more restrained approach to financial regulation. This political context helps explain the sudden reversal.
So where does this leave community financial institutions?
The rule is paused, but open banking is not going away
While the finalized rule has been vacated, Section 1033 of the Dodd-Frank Act still stands. The CFPB is required to issue a rule that gives consumers access to their financial data in a standardized and usable format. That obligation has not changed.
The next version of the rule is likely to be narrower, more cautious, and more favorable to bank-driven access models. But the direction is still the same. Consumers will expect more control over their data, and financial institutions will be expected to make that access safe, secure, and transparent.
The competitive landscape keeps moving
Even without regulation in force, the market is evolving. Fintechs are still building. Big banks are still investing in tokenized APIs, user-controlled permissions, and real-time data pipelines. Consumers are still demanding instant access, intuitive digital experiences, and cross-platform interoperability.
Waiting for regulatory clarity is not a strategy. It is a stall. And in a fast-moving market, stalls turn into setbacks.
This is a rare strategic window
The rule's vacatur has created a window of opportunity. This is a moment to stop reacting and start designing. Here is where community-minded institutions should be focused now:
- Build future-ready infrastructure. Adopt standards like OAuth2 and FDX 5.0. These protocols are already becoming the de facto baseline for secure, consent-driven data access. Even if the next rule version allows for flexibility, aligning with these frameworks now sets the institution up for long-term scalability and credibility.
- Define your institution’s access principles. Instead of waiting for rules to tell your team what’s acceptable, decide internally. What data will the institution share? With whom? Under what conditions? What technical, legal, and business safeguards will you require? Owning these answers now will make compliance easier later, but more importantly, it will help build customer trust.
- Pressure-test your institution’s partnerships. Many community institutions already have aggregator agreements in place, often signed out of necessity or urgency. Now is the time to revisit those deals. Are your partners prioritizing consumer consent? Are they investing in security and interoperability? Are they aligning with your institution’s goals, or just siphoning data? Ask the hard questions while your institution still has leverage.
- Model a sustainable fee structure. The original rule prohibited fees for data access. The next version probably will not. That would create a window to develop fair, risk-adjusted pricing models for data access, models that reflect infrastructure investments, cybersecurity costs, and operational complexity. If community institutions do not define what “fair” looks like, others will, and they will not be thinking about your institution’s bottom line.
- Show up in the rulemaking process. The CFPB has committed to stakeholder engagement as part of its rewrite. Participate. Whether through trade associations, industry coalitions, or direct comment, community institutions need a voice. Sitting on the sidelines means watching others shape the rules your institution will have to live with.
Bottom line
This moment should not be mistaken for a regulatory retreat. It is a realignment. The rule may be paused, but the expectation that financial institutions provide consumer-controlled, secure access to data is not going away.
For community banks and credit unions, this is not about compliance. It is about competitiveness. The institutions that use this time to modernize their data strategies and define their own rules of engagement will be the ones that thrive, regardless of what version 2.0 of 1033 looks like.
Community institutions do not need to become technology companies overnight. But they do need to own the strategies for how the institutions show up in an open banking world.
If you do not define it, someone else will.
Chris Miller a senior director at Cornerstone Advisors. Follow him on LinkedIn .