The CFPB's open-banking proposal and the small-business data question
Section 1033 of Dodd-Frank finally has a proposed rule, and small-business accounts are inside the perimeter
The CFPB published its proposed Personal Financial Data Rights rule under Section 1033 of the Dodd-Frank Act on October 19, 2023, and the comment window closed December 29. The surprise, for anyone who had followed the bureau's 2020 advance notice and 2022 outline, was that small-business accounts are in scope.
Section 1033 is the statutory hook for what the rest of the world calls open banking. It was sitting dormant in 12 U.S.C. § 5533 for thirteen years. The proposed rule (88 Fed. Reg. 74796) is the first time the bureau has tried to operationalize it, and the operational details are where small-business formation, vendor selection, and compliance timelines collide.
What Section 1033 actually requires
The statute is short. Subsection (a) says a covered person shall make available to a consumer, upon request, information in the control or possession of the covered person concerning the consumer financial product or service that the consumer obtained. Subsection (b) adds that the information must be in an electronic form usable by consumers. Subsections (d) and (e) carve out trade secrets and confidential commercial information and require standardized formats.
What the statute does not say is how. For thirteen years that gap was filled by private-sector data aggregators, principally Plaid and MX, running screen-scraping operations on behalf of fintech apps, often using customer-supplied online-banking credentials. Banks tolerated it, sued over it, built their own APIs (the Financial Data Exchange standard emerged in 2018), and generally lived with a messy equilibrium the CFPB has now proposed to replace.
The proposed rule at 88 Fed. Reg. 74796 (Oct. 19, 2023) reads Section 1033 as requiring a data provider to make covered data available through a developer interface, to a third party authorized by the consumer, at no charge, in a machine-readable standardized format, subject to performance and security requirements. Screen scraping, as a legal matter, does not disappear on day one. As a practical matter, the rule is designed to starve it.
Small-business accounts are covered
The scope definition is where the proposal diverges from what most observers predicted. The bureau defined "consumer" by reference to the Consumer Financial Protection Act, which reaches natural persons and also reaches small-business accounts in several product categories. The result, in the proposed rule, is that transaction accounts, savings accounts, and Regulation E and Regulation Z accounts held by small businesses sit inside the data-sharing perimeter.
Covered data, as defined in the proposal, includes transaction information, account balance, information to initiate payment to or from a Regulation E account (ACH routing and account numbers), terms and conditions, upcoming bill information, and basic account verification information. For a small-business checking account, that is effectively the complete operational picture: what came in, what went out, what is scheduled, and what is available to spend.
The read-only framing is load-bearing. The proposed rule does not authorize payment initiation, account-to-account transfers, or any write operation. Third parties get a pipe to look at the data with consumer authorization; they do not get a pipe to move money. That is a deliberate narrowing against the UK and EU open-banking regimes, where payment initiation was the animating use case. The CFPB has left the payments question for another rulemaking.
Who has to build the pipe
The proposal tiers compliance by size and entity type. Depository institutions with total assets of $850 million or more fall into the largest tier, with the earliest compliance deadline. Smaller depositories phase in over a longer window, with the smallest community banks and credit unions receiving the longest runway. Credit unions are in scope regardless of charter. Nonbank financial institutions offering covered products (neobanks, card issuers, payment apps) are covered with their own staged timeline.
The threshold matters because it maps roughly onto where small-business operating accounts actually sit. Community banks under $850 million carry a disproportionate share of small-business deposits by count, though not by dollar volume. Under the proposed phase-in, a founder opening an LLC checking account at a large regional bank will get API-grade data portability before a founder at a local community bank does. The gap is measured in years, not months.
The cost side is the other half of the tiering argument. Building a compliant developer interface is not cheap, and the bureau's own regulatory impact analysis acknowledges the fixed costs fall hardest on smaller institutions. That is one reason the Financial Data Exchange's standardized API, already in production at most of the largest banks, shows up throughout the proposal as a likely safe harbor in practice, even though the rule itself declines to name a specific standard.
What this does to Plaid, MX, and the aggregator layer
Plaid and MX currently occupy a legally ambiguous middle. They hold customer credentials (or, increasingly, tokens), they pull data from bank websites or APIs, and they resell normalized feeds to fintech clients. The proposed rule formalizes their role by defining a category of "authorized third party" that must make specific commitments to the consumer about data use, retention, and secondary use before accessing the developer interface. Data accessed for one authorized purpose cannot be repurposed for targeted advertising or sold to unaffiliated parties.
For small-business accounting stacks (QuickBooks, Xero, Ramp, Brex, Mercury's underlying provider, the payroll vendors pulling balances for cash-flow forecasting), the shift is less about getting data and more about what they can do with it once they have it. The proposal's secondary-use restrictions read as a meaningful tightening, not a formalization of current practice. Vendor contracts written against today's aggregator terms will need to be rewritten against the rule's authorization model.
What remains uncertain
Three things are not yet settled as of mid-May 2024. First, the timing and content of the final rule. The comment period surfaced substantial pushback from smaller depositories on cost and timeline, from aggregators on the secondary-use scope, and from consumer advocates on the breadth of the trade-secret carveout in § 5533(d). The final rule will respond to those comments, and the bureau has publicly indicated a 2024 finalization target without committing to a specific date.
Second, the private-right-of-action question. The statute does not create one, and the proposed rule does not purport to. Enforcement runs through the bureau's existing UDAAP and supervisory authority, plus state attorneys general under § 5552. For a small business locked out of its own data by a provider dragging its feet, the practical remedy is likely a complaint to the bureau rather than a lawsuit.
Third, the interaction with state law. California's Consumer Privacy Act, Colorado's Privacy Act, and a growing roster of state regimes reach some of the same data. The proposed rule does not preempt them, and a covered institution serving a small-business customer across states will be complying with a federal data-sharing duty on top of state-law privacy restrictions that were written for a different problem.
The small-business takeaway, for a founder picking a bank in the second quarter of 2024, is that the identity of the bank will matter less in eighteen months than it does today. The data leaves on terms the customer controls, or it will, once the rule is final and the clocks start running. That changes what a banking relationship is actually for.
Sources
- Consumer Financial Protection Bureau, "Required Rulemaking on Personal Financial Data Rights," 88 Fed. Reg. 74796 (Oct. 19, 2023), https://www.federalregister.gov/documents/2023/10/31/2023-23576/required-rulemaking-on-personal-financial-data-rights
- 12 U.S.C. § 5533 (Consumer rights to access information), https://www.govinfo.gov/content/pkg/USCODE-2022-title12/html/USCODE-2022-title12-chap53-subchapV-sec5533.htm
- Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L. No. 111-203, § 1033, 124 Stat. 1376 (2010), https://www.congress.gov/111/plaws/publ203/PLAW-111publ203.pdf
- CFPB, "CFPB Proposes Rule to Jumpstart Competition and Accelerate Shift to Open Banking" (Oct. 19, 2023), https://www.consumerfinance.gov/about-us/newsroom/cfpb-proposes-rule-to-jumpstart-competition-and-accelerate-shift-to-open-banking/
- 12 U.S.C. § 5552 (State enforcement authority), https://www.govinfo.gov/content/pkg/USCODE-2022-title12/html/USCODE-2022-title12-chap53-subchapV-sec5552.htm
- Financial Data Exchange, "FDX API Technical Specification," https://financialdataexchange.org/