Open Questions in Open Banking: SOLO’s Comments to the CFPB 1033 ANPR
The real test of the final rule won’t be whether it creates short-term wins, but whether it sets the stage for long-term resilience.
Aug 26, 2025
–
3 min read
On August 22, 2025 the CFPB filed the Advance Notice of Proposed Rulemaking (ANPR), which highlights the CFPB’s key focus areas for revisions of its November 2024 Personal Financial Data Rights (PFDR).
The CFPB breaks this proposed rule into 4 key sections:
Scope of Who May Make a Request on Behalf of a Consumer
Defrayment of Costs in Exercising Rights Under Section 1033
Information Security Concerns in the Exercise of Section 1033 Rights
Privacy Concerns in the Exercise of Section 1033 Rights
We likely won’t receive official regulatory guidance on 1033 until the final ruling (although, attendees of our Open Banking Town Hall will have unprecedented access to a town hall with the minds behind 1033). In the meantime, the pointed questions within the proposed rule are useful for understanding the perspectives shaping open banking lawmakers in the days leading up to the final ruling.
The framing of these requests focus our attention to a few critical issues, examined through the lenses of Governance, Economics, and Architecture in open banking.
Governance
“The PFDR Rule interpreted the phrase 'representative acting on behalf of an individual' to include third parties that access consumers’ data pursuant to certain authorization procedures and substantive obligations. The Bureau estimated that ‘more than 100 million consumers have used consumer authorized data access’ in the U.S. via third parties as of 2024. The Bureau is seeking comments generally on the proper scope of how the term ‘representative’ should be interpreted.”
Who’s critical to this space, and are we all subject to the same rules of the road?
The PFDR failed to recognize a clear distinction between the roles of regulated vs. nonregulated parties, those with fiduciary duty and those without, and the responsibilities each party holds in the data sharing economy.
The current open banking infrastructure is dependent on a number of third parties with no official fiduciary duty to customers. The most notable: data aggregators – those who access institutional data via API calls to repackage transaction data and port it to other institutions. This is done at a fee determined not by the institution furnishing the data, but by the aggregator.
Aggregators played a pioneering role in the early days of open banking. However, the advancement of technical capabilities and banks’ appetite for a more collaborative, efficient data sharing ecosystem have undermined the need for aggregators. CFPB’s proposed questions within this notice indicate that the Bureau could be rethinking their role in the future of banking.
“If a ‘representative’ under 12 U.S.C. 5481(4) is interpreted to mean an individual or entity with fiduciary duties, to what extent would it limit customers’ ability to transfer their transaction data to third parties under section 1033 or the ability of financial technology and other third-party service providers to compete with incumbent market participants?”
Supporters of the aggregator model tend to lean on the argument that to alter the role or regulatory burden of third parties would hinder access to financial services. Supposedly, margins could change, convenience could suffer, and consumers could pay the price.
If banks were responsible for porting data directly without a third party, or if the third parties were determined to have a fiduciary responsibility, would it actually harm customer access? Or would it harm the aggregator business model (which are, although some may hesitate to admit, separate issues).
There is a reason that open banking, and specifically the aggregators that have propped it up, continue to run off of institutionally held data, even while more and more data lives outside of institutions with third parties and under regulated financial service providers. Why not port that?
In the current infrastructure, Trust lives with those who are regulated. Until now, the compliance standards required of those with fiduciary duty imply a level of diligence that makes data trusted at face value. Compare that with how data is treated when received from unregulated entities.
Example from a fintech customer in the SOLO ecosystem:
The compliance and regulatory work inherent to institutional data is what makes it so valuable to open banking. If it weren’t the case, any set of data from any growing financial provider could be used to power open banking. The act of data brokering is, by itself, useless within the context of financial services.
This is where the distinction of regulatory burden bleeds into a conversation on data governance.
SOLO chose to make the Clearinghouse a regulated FCRA, because we believe that all entities responsible for the porting of customer data should be regulated and governed responsibly and a contributor to the ecosystem, not a passive player.
It’s also why we’ve built the network to not just be a sharing mechanism, but to sit at the value creation stage of data origination: treating data collection, resolution, and compliance work with the same weight in our platform as data sharing — and recording the lineage of each raw data point in the process. Lineage, along with these data collection protocols, allows for any data contributor, fintechs included, to share with a level of traceable diligence that mirrors the compliance protocols required of regulated institutions.
In this network, sharing the compliance work performed with the rest of the network in a way that can be reused across contexts is what we refer to as Trust as a Service — an incentivized-by-design part of the ecosystem’s governance and economics.
The CFPB’s question of an unregulated middleman’s responsibilities within this network, then, becomes irrelevant. Much like the role of third party aggregators themselves.
Economics
“Section 1033 of the DoddFrank Act…is silent on the question of how the burden of consumers’ exercise of the rights it creates should be shared between the consumer and the ‘‘covered person. The Bureau is seeking comments and data generally on how to deal with this omission, and whether costs, benefits, or market forces might justify modifying the PFDR Rule’s provisions.”
Who pays the price for open banking?
The CFPB is reopening the questions around fees with their questions in the proposed rule. The original rule prohibited any and all fees for customer data sharing, an interpretation – not a mandate – of DoddFrank.
In July, JP Morgan Chase made headlines for their decision to essentially gouge the market with data sharing fees.
The CFPB’s request for comment in ANPR leaves the discussion open on fees, recognizing the cost burden on institutions to build infrastructure and porting a financial track record. Simultaneously, their questions recognize the potential to limit fess to modest, reasonable amounts. The definition of reasonable is still to be determined, and will be influenced by existing legal precedent.
The CFPB is right in both regards: institutional trust is valuable, and customer data not a weapon to be wielded or an asset to be hoarded.
To take this further, the Rule asks a series of questions regarding who bears the burden of data sharing in a cost infrastructure and liability perspective. SOLO urges the CFPB to address the question of fees on a more fundamental level by recognizing that the economics of data sharing cannot be separated from the governance or the architecture of the system. They are all intertwined.
In a world where data has replaced relationships, access depends on who is incentivized to share trust.
It’s not just enough to decide who gets to recoup the cost of infrastructure or what the fixed cost should be to build at each bank. Trust, in actuality, is not a fixed cost or a simple expense. What is technologically affordable and viable today will not be so in five years. Unless the foundations of open banking incentives and the dynamics motivating key players to share trust are fixed, the industry will continue to have a similar conversation again and again when infrastructure becomes outdated and the industry inevitably reopens the same questions asked today.
SOLO’s network model advocates for a foundational shift in the economic model of open banking. By turning data sharing into Trust as a Service, the network replaces third party data spend with compensation directly to the validator of data, stored atomically to be shared directly across the network at the request of the customer.
With the protocols around data collection built into the network, the $30 billion annual spend on manual data collection, entry, and processing — not yet addressed in any rule making open banking conversation — shrinks to a fraction of the cost.
Furthermore, network memory grows across institutions instead of resetting within each siloed bank. This powers seamless access for consumers, incentivizes members to share trust while enforcing mutual accountability, and ultimately grows a more competitive ecosystem in service of consumers.
The CFPB also included questions asking what costs, if any, should be pushed down to consumers. SOLO argues that costs should never be passed to customers. The right realignment of the ecosystem should generate more value for the customer.
Third party expenses become a form of revenue sharing that passes value, not expense, down to the customer in the form of more competitive pricing, greater innovation, and stronger access to services through banks and fintech providers.
Architecture
“One unfortunate byproduct of the transition to a largely digital information architecture is the increased number of threat vectors to the secure storage and transmission of data. In the context of the PFDR Rule, in which several types of covered persons are engaged in the use, retention, and transmittal of consumer financial data, adequate information security standards and controls must be in place to guard against malicious actors, including fraudsters, scammers, and ‘‘Business Email Compromise’’ or ‘‘BEC’’ perpetrators.”
“Financial institutions collect, use, and disclose data in many ways that impact consumer privacy. One major privacy threat is when customers are unaware of ongoing licensure or sale of their data. The percentage of service platform users who actually read user agreements is very low.8 While such individuals are responsible for the consequences of such inattentiveness, it does not reduce the potential annoyance or harm from use of that data to target an individual for financial profiling and aggressive marketing.”
What experience do consumers deserve?
Consumer data rights as they relate to privacy, access, and security were also addressed by the CFPB’s proposed rule. Specifically, questions to clarify technical limitations and best practices for achieving what 1033 originally mandated of financial service providers.
A customer’s right to secure, safe data collection, storage, and sharing is undisputed. According to the CFPB, ‘safe’ may include protection from a third party sale of one’s data and unlimited access to their records in perpetuity without their knowledge, “Financial institutions collect, use, and disclose data in many ways that impact consumer privacy. One major privacy threat is when customers are unaware of ongoing licensure or sale of their data.”
SOLO argues that open banking always owes consumers control over how their information is used. This is the motivating idea behind SOLO PASS. Launched earlier this year, PASS is the unified digital financial identity for consumers to control and permission their data.
The platform is a unified customer UX that gives consumers full visibility into who has access to their data at any given time, with the ability to permission or revoke access on demand. Consumer permissioning is required at every step of the SOLO network, and PASS not only enables efficient permissioning, it provides ongoing access and control for consumers to transparently understand and maintain the usage of their data across the open banking ecosystem.
The SOLO network recognizes that all three must work in cohesion for open banking to truly succeed: governance, economic incentives, and architecture. The CFPB’s latest questions are the right ones to explore for the future of open banking via 1033, however, we urge the Bureau to examine the issues on a root level rather than just looking at temporary solutions for mitigating the symptoms of today’s broken infrastructure.
For banks, fintechs, and consumers, this is both a challenge and an opportunity. The industry can continue to circle around cost burdens, third-party roles, and privacy standards — or it can lean into designing systems that align incentives, distribute accountability, and scale trust as an asset, not just an obligation.
At SOLO, we believe the real test of the next 1033 rule won’t be whether it creates short-term compliance wins, but whether it sets the stage for long-term resilience.
The proposed rule is a chance for the industry to reset. If we build with foresight — treating data lineage, permissioning, and trust as core infrastructure — open banking can mature from a regulatory requirement into an ecosystem advantage. The next chapter of 1033 is not just about rules of the road, but about reimagining the road itself.
