Carlin McCrory is joined by colleague Kim Phan to discuss the Consumer Financial Protection Bureau's (CFPB) recent developments regarding Section 1033 of the Consumer Financial Protection Act (CFPA).
In this episode of Payments Pros, Carlin McCrory is joined by colleague Kim Phan to discuss the Consumer Financial Protection Bureau's (CFPB) recent developments regarding Section 1033 of the Consumer Financial Protection Act (CFPA). This summer, the CFPB initiated a new rulemaking process, inviting industry comments on its final rule concerning personal financial data rights. With a deadline of October 21st for public comments, industry participants are encouraged to weigh in on access to consumer financial information.
Kim and Carlin discuss the strategic implications of the CFPB's reconsideration of the 1033 open banking rule, highlighting the agency's focus on consumer representatives, privacy, security, fee structures, and compliance timelines.
Payments Pros – The Payments Law Podcast — The 1033 Shake-Up: CFPB's New Rulemaking Adventure
Host: Carlin McCrory
Guest: Kim Phan
Aired: September 30, 2025
Carlin McCrory:
Welcome to another episode of Payments Pros, a Troutman Pepper Locke podcast, focusing on the highly regulated and ever evolving payment processing industry. This podcast features insights from members of our FinTech and payments practice, as well as guest commentary from business leaders and regulatory experts in the payments industry. I'm Carlin McCrory, one of the hosts of the podcast. Before we jump into today's episode, let me remind you to visit and subscribe to our blog TroutmanFinancialServices.com. And don't forget to check out our other podcasts on Troutman.com/Podcasts. We have episodes that focus on trends that drive enforcement activity, digital assets, consumer financial services and more. Make sure to subscribe to hear the latest episodes. Today I'm joined by my colleague, Kim Phan, to explore the latest developments and strategic implications surrounding the CFPB Section 1033 rule. Earlier this summer, the Consumer Financial Protection Bureau initiated a new rulemaking process concerning its final rule on personal financial data rights under Section 1033 of the CFPA. And in August the CFPB published an advanced notice of proposed rulemaking inviting comments to assist in the agency's reconsideration of its 1033 open banking rule. Industry participants have until October 21st to respond to the CFPB questions and offer additional comments, including insights on how the licensing and sale of consumers financial information may pose data privacy threats. For those listening to our episode today, you should consider whether you want to submit a comment in response to the CFPBs request to address some of their questions. Kim, thank you so much for joining me today.
Kim Phan:
I am pleased to be here and always happy to join you on Payment Pros. Thanks for having me, Carlin.
Carlin McCrory:
Of course. So let's talk about the request for comment and what are the latest developments on the CFPB Section 1033 rule?
Kim Phan:
This is actually a pretty dramatic 180 degree turn by the CFPB. We've seen over the course of the last year since the change in administration, the CFPB pull back on quite a few different rulemakings, and this was one of the ones that was teed up as a open question as far as how the CFPB would approach it. The CFPB had even earlier this year indicated that their intent was to vacate the rule entirely under the current and ongoing litigation brought by the Bank Policy Institute and other entities challenging the rule. The CFPB had communicated to the court in that case that they believed the rule to be illegal and to impose unlawful obligations on the industry and that they were seeking for the court to vacate the rule. Now this change is all speculation is something that may have been triggered by announcements by various industry participants that if the rule were to be vacated, that they would start charging fees to data aggregators and other third parties to get access the type of data that would be made available under the open banking rule. So whether or not that industry action was, what was the impetus behind this change by the CFPB? Well, I guess we'll never know, but now the CFPB is looking at cracking open the rule again, which is in final form. It was finalized last year and seeing whether or not there are changes that can be made to salvage the rule while also addressing some of the concerns raised by both the industry consumers and other commercial entities like data aggregators.
Carlin McCrory:
So what areas of the rule is the CFPB looking
Kim Phan:
To amend? Interestingly, the CFPB isn't cracking open the entire rule. It did take nine years for the CFPB to develop the final rule, but when the final rule came out, it covered a broad array of different topical areas. The CFPB is really only looking and asking for questions about five different areas in this particular request for information. One is whether or not a representative, someone stepping into the shoes of a consumer, should be treated as the consumer for purposes of Section 1033. 1: Another area is whether or not fees should be permitted to be charged by covered persons who have to build out the interfaces and other systems to make data available under the open banking rule and whether or not they should be able to recoup some of those costs through the charging of fees. Another area is data security, another area is privacy. And the fifth area that they're asking about is whether or not the current compliance timelines which are staggered based on the size of your organization, whether or not those are appropriate.
And if they amend the rules, should those be further pushed out. And those current deadlines range anywhere between 2026 and 2030. Right now, there's been some delay on some of those subject to the court case, but the earliest deadline will still go into effect sometime next year. So there's questions raised by the CFPB whether or not they should be pushing those out. So those are the five very narrow areas where the CFPB has specifically asked questions. But you had mentioned at the beginning of the podcast that for companies thinking about submitting public comments to the CFPB, I would recommend that there is no reason to try to limit those public comments to the specific questions the CFPB is asking. Yes, these are all very important issues and if a company has opinions about things like privacy, security fee structures, and otherwise they should certainly weigh in on those topics.
But if the CFPB is cracking this rule open, why not swing for the fences If there are other things that companies would like clarification on or further amendment of, they should definitely be weighing in at this stage to get the CFPB. Looking at some of these other issues, and I know specifically for the payments industry, there is somewhat of an open question as far as whether or not the definition of a covered entity, a data provider under the rule should cover different types of payment processors. That was discussed at length in the final rule, but I think there's still some ambiguities there. I think there are also opportunities for companies to weigh in on the types of covered data that have to be made available under the rule, whether or not consumer consent to secondary uses of data should be appropriate. Right now, the rule prohibits that and the CFPB is not asking questions about that, but I think that is a pain point for industry that they would like clarification on. Also, data retention mechanisms, right? That if you get data as an authorized third party under a rule from one of the banks or other data providers, you're only allowed to keep that data for a year without getting consumer reauthorization. Is that an issue that the industry would like to see if be to revisit? So I think there's a lot of opportunity here to improve, to enhance, to clarify different aspects of the final rule. Now that we know that the CFPB intends to amend them further.
Carlin McCrory:
And Kim, we can't predict the future here, but I'd like your opinion on if you think the changes would be sufficient to avoid any possible future litigation. I mean, I'm thinking about what you said as it relates to the data providers being able to charge fees, I think that's a very hot topic, and if they aren't allowed to charge fees, that perhaps creates an issue. But then if they are allowed to charge fees, those accessing the data may have an issue with the rule. So what are your thoughts there more broadly as it relates to potential litigation and whatever new rule the CFPB proposes?
Kim Phan:
Yeah, I don't know that there's a way to avoid litigation at this point, right? Is there a way for the CFPB to draw the line so that everybody is happy? I doubt it, right? If they change their minds and allow banks to charge fees, maybe that moots the current bank policy Institute litigation, but then they're opening the door to litigation from consumer advocacy groups who would then say, look, you've arbitrarily changed this and it's not benefiting consumers and we're going to sue to restore the old rule, right? So no matter how the CFPB moves forward, I don't see them being able to strike a balance that will please all sides.
Carlin McCrory:
It seems like we could be years and years away from any real meaningful 1033 rule. Do you agree with that or what are your thoughts on that?
Kim Phan:
Maybe? Right. I mean, right now the timeline for full implementation of the rule is already through 2030. So we were already looking at a five-year timeline. Yes, I agree that timeline will of course be extended. If there are amendments, they're going to have to push out those deadlines. Those amendments, again, will likely be subject to legal challenge. We could be looking at a new administration altogether by the time they are working on a new final amended rule. And again, it took them nine years to get to where they are today. And now that they're cracking the rule open again, I don't think it'll take them in another nine years, but it still will take some time.
Carlin McCrory:
And talking about timing, what is the timeline for any next steps with the CFPB?
Kim Phan:
Well, as you noted earlier, the public comment period will extend through October 21st. So companies have until then to submit public comments in response to this particular advanced notice of proposed rulemaking. But that will be the end, right? There will be future opportunities for companies to weigh in the CFPB and its rulemaking agenda that it recently published, flagged that for purposes of this particular open banking rule, they are hoping to ingest all of those public comments that are submitted in October and have a notice proposed rulemaking released in December of 2025. So later this year. Now, I am challenged to understand how the CFPB will achieve that. While it's outside the scope of our conversation, you may have seen that there was a recent judicial order that has validated the ability of the Trump administration to essentially lay off the entirety of the CFPB staff. And many of those layoffs will be in the regulatory and rulemaking division of the CFPB. So how they're able to ingest, respond to and draft new rules in the next couple of months with basically a skeleton staff. I'm not sure. I think it's ambitious. The CFPB, of course, is setting its own schedule by announcing they want to get this NPRM out by December 2025. So if they miss that deadline, it's fine. We're looking at potentially draft language that may come out in Q1 of 2026, and there will be an opportunity for companies to comment on that when it comes out.
Carlin McCrory:
And what should companies be doing in the interim? Is it worthwhile? Obviously, you're talking about multiple comment periods, so I'd love your take on whether you think companies should go ahead and respond prior to October 21st to get their thoughts in, or if they should do it once the NPRM is released. Both. What are your thoughts there?
Kim Phan:
I would definitely suggest both you as a company, if you have a stake in how this rule plays out, you should be commenting early and often, whether or not that is in your own capacity as a commenter or whether or not you're contributing to industry efforts through a trade association that may be submitting comments, the more often that you are presenting the arguments that are favorable to the industry and to others to make sure that this process rolls out in a way that is economically feasible as well as protecting consumers. I don't see a reason not to be taking advantage of those opportunities at this point in the future NPRM and otherwise, it is important to be thinking about how to advocate for your organization to the extent that you may have to make this data available or whether or not you're relying on access to this data in operating your business.
And so thinking about, again, the reality that the CFPB is only asked about changes to certain very specific provisions in 1033. So if I'm a company, I'm still thinking about how I'm going to comply with the remainder of those provisions, the ones that the CFPB appears to be wanting to leave alone. While again, I think companies should be taking the opportunity to make changes to even those provisions if that would be beneficial. But otherwise, I'm thinking about how in the next couple of years am I going to build out the internal infrastructure to either provide data to third parties or ingest data from third parties with regard to consumer account and transactional information and working with partners on how that looks, right, whether or not that's partners in the industry, whether or not that's data aggregator partners, whether or not that's partnerships with data providers or authorized third parties, making sure that the industry is doing everything it can to make this process look smooth so that the CFPB understands that there's a way for this to work. But there are a lot of stakeholders that have conflicting opinions on how things will play out.
Carlin McCrory:
And Kim, are there any changes to the rule? I mean, obviously we don't know for sure what will happen, but if you could predict what may happen based off of the litigation that is pending and the administration change, is there anything in the rule that you think the CFPB may be apt to change
Kim Phan:
As a privacy and data security lawyer by trade, I am very interested in the provisions that relate to privacy and security. And one of the issues that was raised frequently during the public comments during the hearings and workshops over the past nine years was what happens if there's a data breach, if someone has a data breach, if I'm a bank and a data aggregator is able to access my data and there's a breach of the data aggregator, who's responsible for that? I, as the bank, had to give this information to the data aggregator under 1033, but I'm not protected in any way under 1033 from the fact that I had to give this data to a third party that was then breached, and now my customer is at risk. That was a point that was raised frequently by industry. It was not addressed in the final 1033 rule from last year. It is an issue that is being asked about in this current A PRM. So the CFPB has heard those concerns is asking about what the CFPB might want to do to address that in any amendments to the rules. So I think we can anticipate at least that issue being addressed. I can't weigh in on fees. I don't know where the CFPB is going to land on that one, but I think at least that issue will be something that's addressed.
Carlin McCrory:
Any other thoughts, Kim, on the topic?
Kim Phan:
I think that this is something that the industry should be paying a lot of attention to because it's one of the very few areas that we're the seeing the CFPB express an interest to take action. We're seeing the CFPB pull back in so many other areas that for those few areas, the CFPB is being active in industry, should be paying a lot of attention because the CFPB is all in on those few topics and making sure that the CFPB gets those few topics, I think it's really important at this stage.
Carlin McCrory:
Well, Kim, thank you so much for joining me today, and thanks to our audience for listening to today's episode. Don't forget to visit our blog, TroutmanFinancialServices.com and subscribe so you can get the latest updates. Please make sure to also subscribe to this podcast via Apple Podcast, Google Play, Stitcher, or whatever platform you use. We look forward to next time.
Copyright, Troutman Pepper Locke LLP. These recorded materials are designed for educational purposes only. This podcast is not legal advice and does not create an attorney-client relationship. The views and opinions expressed in this podcast are solely those of the individual participants. Troutman does not make any representations or warranties, express or implied, regarding the contents of this podcast. Information on previous case results does not guarantee a similar future result. Users of this podcast may save and use the podcast only for personal or other non-commercial, educational purposes. No other use, including, without limitation, reproduction, retransmission or editing of this podcast may be made without the prior written permission of Troutman Pepper Locke. If you have any questions, please contact us at troutman.com.
---------------------------------------------------------------------------
DISCLAIMER: This transcript was generated using artificial intelligence technology and may contain inaccuracies or errors. The transcript is provided “as is,” with no warranty as to the accuracy or reliability. Please listen to the podcast for complete and accurate content. You may contact us to ask questions or to provide feedback if you believe that something is inaccurately transcribed.