The CFPB's revisit of Rule 1033 and related Advance Notice of Proposed Rulemaking have reignited national discussion around consumer data access, security, and accountability. Financial institutions across the country are watching closely as they plan for how new rules could define their responsibilities within the open finance ecosystem.
Join Akoya for an executive conversation on our formal response to the CFPB’s Section 1033 proposed rules and what it means for the future of open finance in the United States. As a trusted data access network created in collaboration with the financial industry, Akoya provides a clear and experienced perspective on how institutions can prepare for and help shape the next phase of open finance.
In this on-demand session, Akoya leaders will share:
- Our position on the future of screen scraping and what potential regulatory action could mean for consumers and institutions.
- How a refined approach to data access fees could influence innovation and inclusion.
- Why firm deadlines can promote consumer access and drive progress toward a more equitable open finance ecosystem.
- How Akoya is helping financial institutions navigate the transition toward a secure, consumer-centric data ecosystem.
Who should watch
Compliance officers, digital strategy leaders, and decision makers at mid to large financial institutions who are navigating the evolving data access landscape.
Why watch
The open finance conversation is moving from planning to execution. This on-demand webinar will unpack Akoya’s formal response to the CFPB and offer guidance on what comes next so your institution can plan effectively, adapt to regulatory change, and lead with confidence.
Learn more about open finance.
See Akoya's Open Finance Solution.
Read the transcript
Paul Horan: Hi, and good afternoon everybody. I think we're now live, so we're going to kick off this webinar. This is the Akoya webinar concerning our response to the CFPB’s proposed rules — the ANPR under section 1033 — and what it means for the future of open finance in the United States.
My name is Paul Horan. I'm the General Counsel here at Akoya, and I'm joined today by Courtney Robinson, who is our Head of Policy and Communications. We have a short program today in which we're going to walk through the points that Akoya made in our response to the CFPB this week.
Before I do that, just to lay a little bit of background information: Akoya is a connector in the open finance ecosystem. We focus on secure connections, allowing consumers to control who they share their data with. We connect over 4,600 financial institutions to thousands of fintechs and others. Our focus is on API-only connections, and we don't store data. We don't retain data. We are somewhat unique in that perspective.
We're going to talk about the five points we made in our letter to the CFPB today. I'm going to describe what those five are, then turn it over to Courtney to give a little more background.
The five points are:
-
Screen scraping remains a systemic risk and should be banned in the rule.
-
Data providers should be able to charge reasonable access fees.
-
Consumer consent, control, and secondary-use limitations should remain part of the rule.
-
“Representative” under the rule should be interpreted to include commercial third parties.
-
The framework for open banking under this rule should be implemented with urgency.
That's a sneak preview of the points we'll cover in detail. First, I'll turn it over to Courtney to give more background about the ANPR process and where things stand.
Courtney Robinson: Thank you, Paul. Just setting the stage for where we are right now in the 1033 world: Section 1033 of the Dodd-Frank Act is one of two required rulemakings for the CFPB, and it concerns personal financial data rights — the rights of the consumer to take their own information and use it to control their financial lives.
There is a rule that was finalized in October of last year, with compliance dates set to start next year. We are now in a space where, because of a new administration and because of litigation, there is a re-look at 1033. It is being revisited, and they put out an advance notice of proposed rulemaking.
The ANPR, for which the comment period ended two days ago, asked a series of questions about issues that were unsettled in the rule — things that folks had questions about — and the new CFPB is taking that into consideration as they potentially write a new rule for 1033.
I would say the stakes here are fairly high. The CFPB under the last administration had a good rule, and we're glad to see that there was a rule, but there were definitely areas that could have been addressed in a better way to ensure protection for consumers and their data. There is still an opportunity here to build a data-sharing infrastructure shaped by API-based data sharing versus less secure measures like credential-based access. That is very important for financial institutions for data security reasons, and for customers for the same reason. No oversharing, no unnecessary access.
It is Akoya’s perspective — as always — that open banking should be secure, permissioned, and sustainable. The consumer’s interest, data privacy, and choice are always at the forefront.
The ANPR is a chance for the CFPB to get right what was missed in the previous rulemaking. We can potentially move toward an aligned structure that supports consumer protection, existing market operations, and the integrity of the open finance ecosystem.
Paul, with that, I’ll hand it back to you to talk about screen scraping.
Paul Horan: Great, thanks Courtney.
The first point we made in our letter was regarding screen scraping. Straightforwardly, screen scraping remains a systemic risk and should be banned outright. Screen scraping is where, in order to grant access, consumers are asked to provide their online banking credentials to a third party, which then logs in as if they’re the customer and literally scrapes the data off the screen.
Historically that’s how much of the ecosystem developed. But there has been a significant industry move — even before the rule — toward API-based connections. Akoya supports that. Akoya is an API-only network. We've never screen scraped, and we don’t collect credentials.
The rule mandated that banks build developer interfaces that are API-based. That’s good. What it didn’t do was take the next step — saying that once those interfaces are available, third parties can no longer screen scrape. That, in our view, was the biggest miss.
As long as screen scraping remains an option, consumers will continue sharing credentials, and third parties will continue holding large sets of those credentials, which become vulnerable to breach. Absent a ban, the rule creates an obligation for banks to build APIs but gives third parties the option not to use them.
We think this is a simple fix: once APIs exist, they should be the exclusive method for access. Third parties should be prohibited from screen scraping and required to delete credentials once APIs are available.
Secure APIs are key to protecting consumers and are the sustainable way to promote data sharing.
That turns us to our next topic: access fees. Courtney.
Courtney Robinson: In our comment letter, we took the position that financial institutions should be able to charge fair, transparent, and reasonable fees to sustain secure infrastructure and improve open banking without harming competition.
This is a major issue — the economics. Building and maintaining a secure API interface costs millions of dollars for institutions. There are ongoing security, maintenance, and risk-management costs. Third parties benefit from that investment without having to put in similar resources.
This is important not only for the largest financial institutions but also for small and mid-sized institutions and credit unions. A balanced fee framework promotes innovation and consumer protection while ensuring institutions of all sizes can participate in open finance.
This is ultimately about competition, safety, and sustainability. The CFPB can enable both competition and sustainability by defining what “reasonable” means in a fee framework, instead of alternatives like price caps that inject too much government influence into market competition.
Now I’ll turn it back to Paul to discuss privacy, consent, and data usage.
Paul Horan: Sure. One of the major topics in the ANPR was security and privacy — specifically whether any security and privacy provisions from the existing rule should be changed.
We think most provisions should remain, especially those around consumer consent, consumer control, and secondary-use limitations.
First: consent enhancements. The rule could be clearer that third parties must disclose the frequency, duration, and scope of data access. That information is essential for consumers. Some consumers may want a one-time access, while others may permit daily or even multiple daily data pulls. The consumer needs to understand what they’re agreeing to.
Second: revocation mechanisms. The rule allows consumers to revoke consent, which is important. But as currently written, revocation might be interpreted as all-or-nothing — either all accounts or none. We think revocation should be more nuanced. Consumers may want to stop sharing data for one account but continue sharing for another. Data providers should have flexibility to design revocation mechanisms that support consumer choice.
Third: secondary-use limitations. The rule rightly limits third parties to collecting only the data reasonably necessary to provide the service the consumer signed up for. Data must not be used for secondary purposes like product enhancements, marketing, or anti-fraud controls. Secondary uses are not tied to the consumer’s intent.
We strongly support these limitations. Data sharing should enable consumers to get the services they want — not serve the interests of third parties. This is all about trust and transparency.
This connects directly to the question of who counts as a “representative” under the rule.
The statute says financial institutions must make data available to consumers, and other parts of Dodd-Frank define “consumer” to include their agent, trustee, or representative. This is why fintech apps have historically been treated as consumer representatives.
There was litigation arguing that “representative” should mean only someone with fiduciary duties — which would exclude commercial fintech apps. That argument is still out there, although the litigation is paused.
The CFPB asked whether commercial third parties should continue to be considered representatives acting on behalf of consumers. We believe the answer is yes — that is the entire premise of open finance.
But that is only true when the fintech app is truly acting on behalf of the consumer. If a fintech begins using data for secondary, unauthorized purposes, it is no longer acting as a representative and should not be treated as such.
With that, I’ll turn it back to Courtney to talk about timing.
Courtney Robinson: Time is always of the essence. One of our major arguments is that a regulatory framework for open banking should be implemented with urgency.
Most large financial institutions have already prepared for compliance with 1033. Delays only benefit bad actors — especially those still using screen scraping and other outdated practices that put consumer data at risk.
From Akoya’s work with institutions, we know the deadlines in the existing rule are reasonable and achievable. We encourage the Bureau to balance flexibility with urgency, because every day without a regulatory mandate is another day consumer data is exposed to unnecessary risk.
This ties into issues like liability, breaches, and the costs borne by financial institutions when incidents occur. API-only, no-screen-scraping frameworks reduce those risks significantly.
With that, we’ll transition to Q&A. If you have questions, please continue adding them in the Q&A window.
Q&A Portion
Question: What role should financial institutions play in enforcing API-only standards?
Paul Horan: Over time, many financial institutions have set up API connections and required third parties to use them. The rule contemplates a similar structure going forward. Once a financial institution has built its API under the compliance timeline, everyone should be required to use it.
Where the CFPB seems to assume the market will naturally migrate away from screen scraping, we disagree. We believe regulatory pressure is needed.
Financial institutions may also pursue technical and contractual approaches to discourage screen scraping. These aren’t perfect, but they increase friction and encourage migration to APIs.
Question: Where do you see opportunities for industry-led collaboration post-rulemaking?
Paul Horan: One major area is risk-management standards. Authorized third parties will need to meet risk-management criteria before getting API access, but the rule does not define those criteria. Existing prudential guidance applies, but additional clarity will likely develop through groups like FDX or others.
Question: Where does Akoya’s positioning differ from groups like BPI or FDX?
Paul Horan: The biggest difference is on the representative issue. BPI argued that “representative” should not include commercial third parties. We disagree. We believe third parties can be consumer representatives when acting on behalf of the consumer and complying with consent, protection, and secondary-use requirements.
On fees, screen scraping, and disclosure obligations, we are largely aligned with other groups.
Courtney Robinson: Another comment was about compliance deadlines and readiness. If you’re working with Akoya or plan to, we understand that institutions vary. We tailor setups as needed and recognize that institutions depend on different systems — including core providers.
Paul Horan: And to the related question about ongoing CFPB supervision or audit requirements: it depends on the final rule and the agency’s resources, but supervision and audit are core responsibilities of the CFPB. 1033 is important to both the prior and current administrations. While implementation challenges may occur, oversight will remain part of the landscape.
Courtney Robinson: On timing: the CFPB has stated repeatedly that they intend to move quickly, and their rapid release of the ANPR supports that. With the comment period closed and this not being an election turnover year, a revised final rule in 2026 is reasonable.
Paul Horan: Open finance is an important topic — for consumers and for competition. If you’re not already working with Akoya, please reach out to myself, Courtney Robinson, or Ted Anastasi on our growth team.
This webinar was recorded and will be emailed out on demand. If you have additional questions after today, we are available.
Thank you again for your time.
Courtney Robinson: Thank you all for joining us today.
Paul Horan: Thanks everyone.
-1.svg)
.svg)