PYMNTS.com

14,000 Open Banking Rule Comments Highlight Deep Divides Over Privacy and Access


The Consumer Financial Protection Bureau received 13,979 public comments on its plan to revise rules governing data sharing under Section 1033 of the Dodd-Frank Act. The flood of feedback, a flurry of which arrived shortly before and on the Oct. 21 deadline, underscores how central open banking has become to both innovation and competition in financial services.

It also highlights basic disagreements about who should control access to consumer financial data and what rules should govern its use.

The proposed rule, revised from October of last year, would require financial institutions to give consumers and their authorized third parties access to their financial data through standardized, secure interfaces.

The goal is to let consumers share account information more easily and use third-party services for payments, lending and budgeting.

Yet, as the filings show, the financial ecosystem is far from aligned on how this should work or who should bear the costs. What follows explores the issues through comment letters from individual firms that together represent a segment of stakeholders across the financial services ecosystem.

Payments Players: Privacy by Design, Not by Mandate

Apple Payments Services told the Bureau that the rule must not sweep in providers that do not actually maintain consumer accounts. The company wrote that “the Bureau should take care that rules under Section 1033 do not impose obligations on technology providers like Apple that do not maintain consumer financial accounts.”

Apple explained that its design principles already minimize exposure because “whenever possible, Apple processes and analyzes data on users’ devices, where even we cannot access it.” The company described Apple Wallet as “a digital reproduction of a physical wallet” that allows consumers to view cards issued by banks but does not store or verify the underlying account data.

Apple urged the CFPB to define “data providers” as account issuers such as banks and card networks, not digital wallets that act as secure conduits. It asked that any permitted fees be limited to cost recovery and that “use case” surcharges tied to how data is used be banned. The company also recommended a “liability follows the data” rule so that a firm that securely transfers information “should not be held liable if a recipient of the consumer’s data is subject to a data breach.”

Apple cited the United Kingdom’s open-banking framework, where only account issuers must share data, as a model for balancing innovation and privacy.

Smaller Institutions Fear Fraud and Costs

Axos Bank warned that broad data-sharing mandates expose institutions to higher risk. The bank wrote that “mandated data sharing means we have to open up more commission to outside parties, which makes us more vulnerable to fraud.” It argued that access should be restricted to entities with fiduciary responsibilities to ensure that consumers’ financial information is not misused.

Axos also stressed that community and regional banks would struggle to meet new response timelines and technology requirements without cost recovery. “A full prohibition on related fees could result in undue costs to institutions,” the letter stated. The bank said that smaller firms need the ability to charge reasonable fees to cover compliance and security upgrades.

The filing concluded that the CFPB should “consider provisions for reasonable fees for data access” and strengthen privacy and security standards before broadening open-banking obligations. For Axos, the priority is ensuring that consumer protections keep pace with data exposure risks.

Credit Unions: Controlled Access Through Verified Standards

Suncoast Credit Union, which serves more than 1.3 million members in Florida, supported the idea of open banking but called for tighter controls. The credit union wrote that it “supports the ongoing efforts of the CFPB to foster collaboration in building a secure environment for safeguarding personal financial data.” It warned, however, that without uniform technical and security requirements, consumers could face new vulnerabilities.

Suncoast recommended that the Bureau mandate use of secure communication standards such as FAPI 2.0 and Mutual Transport Layer Security, supported by independent audits like SOC 2 Type II or ISO 27001. It proposed that covered institutions be allowed to recover marginal costs of compliance, estimating that “the marginal cost for covered financial institutions to respond to individual consumer data access requests … falls within a reasonable range of $0.05 to $0.25 per request.”

The credit union urged a phased rollout of the rule: 24 months for large institutions, 18 months for midsize, and up to 12 months for smaller players. It also encouraged the CFPB to create a continuous-compliance certification program “modeled after the Cybersecurity Maturity Model Certification (CMMC)” to ensure that third parties accessing financial data maintain verified security maturity.

FinTechs: Free Access and Broader Participation

The American FinTech Council, representing FinTechs (as the name implies), argued that access to consumer data must remain free. The group wrote that Section 1033 “constitutes an absolute demand upon the covered entity to provide the data to the consumer, free from impingement.” It warned that allowing banks to charge for access would “unduly favor large legacy institutions” that can afford to build proprietary channels.

The Council opposed requiring that third-party representatives have fiduciary duties, noting that “there is nothing to suggest that Congress intended to ascribe fiduciary duties upon a representative acting on behalf of an individual.” It argued that FinTechs and aggregators acting under transparent consent frameworks already operate responsibly.

The group also asked the CFPB to revisit restrictions on secondary use of consumer data, saying that responsible data analysis allows firms to “help develop and train algorithms that more accurately underwrite consumers than traditional models.” It said this can expand credit access for individuals who have been excluded under conventional scoring methods.

AFC also proposed that whenever a consumer refreshes or re-links their account, that act should count as a new authorization rather than requiring a separate annual opt-in. It said that flexibility would prevent disruption to legitimate services such as credit-building or recurring payments.

Aggregators: APIs, Portability, and Standardization

Plaid, one of the largest data aggregators, called on the Bureau to mandate standardized application programming interfaces to replace outdated credential-sharing. The company said the CFPB should “codify APIs as the mandated access method to eliminate credential sharing” and align U.S. standards with international protocols such as OAuth 2.0, FAPI, and ISO 20022.

Plaid also opposed access fees, warning they would raise barriers for smaller developers and ultimately reduce consumer choice. It endorsed a registration and certification model to ensure transparency and accountability across all data recipients, along with explicit consumer rights to revoke access or port data instantly to another provider.

The company framed open banking as “an API-driven trust infrastructure” that can enhance both security and innovation if implemented through consistent, interoperable standards.

Defining the Next Phase of Data Sharing

Whether or not the CFPB remains intact, these positions will shape whatever comes next. The debate over who owns consumer financial data, who can access it, and who bears responsibility when it is misused will not disappear. The next chapter of open banking, whether written by regulators, industry consortia, or market competition, will build on the same questions raised across these 13,979 comments. 

The post 14,000 Open Banking Rule Comments Highlight Deep Divides Over Privacy and Access appeared first on PYMNTS.com.



