WASHINGTON—With a federal judge now pausing the compliance deadlines for the CFPB’s Section 1033 open-banking rule, credit unions are turning their attention to what comes next—and how the agency will reshape the sweeping data-sharing mandate.
As CUToday.info reported, a U.S. District Court in Kentucky halted enforcement of the rule’s compliance dates last week in a lawsuit brought by bank trade groups, citing likely legal flaws in the CFPB’s framework and its treatment of data-sharing fees, security risks, and timelines. The CFPB has already signaled it plans to re-propose the rule, but has not yet issued a formal pause on deadlines.
For credit unions, the ruling buys time—but not clarity.
“Sooner or later something will go into effect,” said Ann Petros, vice president of policy engagement and credit union operations at America’s Credit Unions. “The CFPB is statutorily required to issue a regulation to implement Section 1033…we could see a balanced approach, but there’s also significant pressure from fintechs to create a very fluid system for sharing consumer information.”
Petros noted that while litigation has slowed the original rule, the fintech industry has intervened to push the Bureau forward.
“We haven’t seen anything yet from the CFPB formalizing a compliance pause," she added, the court acted because the CFPB didn’t and institutions were concerned about the impending compliance dates.”
Industry Warning: Terrifying Liability If Data Leaves CU Control
Greg Mesack, senior vice president of government affairs for America’s Credit Unions, emphasized that the next phase of rulemaking will be one of the Bureau’s most consequential—and most contested.
“This gets at the transition in financial-services delivery,” he said, calling the coming rewrite “incredibly critical.”
Mesack warned of major risks if the final rule forces credit unions to share sensitive member data with third parties that do not operate under the same requirements for privacy, cybersecurity, and oversight.
“Under the rule, we’re required to hand over member data every time it’s requested,” Mesack said. “Once that data leaves our hands, it can be misused. There is potential for fraud, misuse, or bad actors getting access—and if something goes wrong, the institution that released the data could still be held responsible. That’s frankly terrifying for credit unions.”
Mesack said credit unions support innovation and consumer access, but stressed the need for a more appropriately tailored framework for managing the risks of third-party access.
“Depositories live under strict standards. A lot of fintechs do not,” he said.