Alston & Bird Consumer Finance Blog

#CFPB

Executive Order Targets Smaller Bank Participation in Mortgage Markets

What Happened?

On March 13, President Trump issued an Executive Order titled “Promoting Access to Mortgage Credit,” addressing factors that may have negatively impacted the ability of community banks and other smaller financial institutions to participate in mortgage lending and servicing.

In order to expand access to mortgage credit, the Executive Order directs the Consumer Financial Protection Bureau (“CFPB”) and other financial regulators (the Board of Governors of the Federal Reserve System, the National Credit Union Administration, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency (collectively, the “Regulators”)) to take action to reduce regulatory burdens, modernize reporting requirements, and utilize digital mortgage processes, among other actions.

Why Does it Matter?

The Executive Order includes broad directives to the Regulators to update regulations and processes that impact the mortgage markets, including:

  • Changes to Origination Regulations: The Executive Order directs the CFPB to consider regulatory changes including tailoring Regulation Z requirements as applicable to smaller banks (including ATR and QM, TILA, RESPA, and TILA-RESPA Integrated Disclosure (TRID) rules), updating TRID timing rules, modifying or exempting small mortgage loans from caps on QM points and fees, and amending rescission rights.
  • HMDA Modernization: The Executive Order requires the CFPB to consider proposing amendments to Regulation C to increase the asset threshold for exemption from HMDA data collection and reporting requirements for smaller banks, exclude inquiries from the scope of HMDA, and reduce burdens related to disclosures.
  • Alignment of Capital and Liquidity Standards: The Executive Order directs the Regulators to consider: (a) updating capital regulations and collateral valuation and transfer systems between the Federal Reserve and Federal Home Loan Banks; (b) expanding access to longer‑dated FHLB advances tied to residential mortgage assets; (c) creating targeted FHLB liquidity programs for entry‑level housing, owner‑occupied purchase loans, and small residential builders; and (d) modernizing collateral boarding and valuation processes.
  • Construction and Housing Supply: The Executive Order directs the Regulators to consider revising supervisory guidance to: (a) exclude one- to four-family residential development and construction lending from commercial real estate concentration guidance; and (b) ensure that supervisory expectations support responsible construction lending by community banks.
  • Appraisal Modernization: The Executive Order directs the Regulators to consider certain changes to appraisal processes, including with respect to valuations performed in connection with FHA-insured and VA-guaranteed loans and with respect to the use of alternative valuations (AVMs, desktop and hybrid appraisals, and artificial intelligence valuation tools).
  • Digital Mortgage Modernization: The Executive Order requires the Regulators to consider certain changes to facilitate digital mortgages, namely eliminating unnecessary wet signature requirements, standardizing acceptance of electronic signatures, e-notes, and remote online notarization, and promoting digital mortgage standards.
  • Servicing and Supervisory Certainty: The Executive Order directs the Regulators to consider supervisory changes relating to mortgage loan servicing, including: (a) aligning supervisory expectations to support portfolio mortgage servicing as a core community banking function; (b) extending cure‑first standards to good‑faith servicing errors; (c) simplifying loss mitigation requirements; (d) issuing a proposed rule providing exemptions from complex mortgage services for smaller banks; and (e) ensuring that supervisory evaluations of performing, prudently underwritten portfolio loans do not focus on technical defects or rely on evolving supervisory interpretations.
  • Duplicative or Unnecessary Licensing Requirements: The Executive Order requires the Regulators to consider eliminating duplicative or unnecessary requirements regarding licensing or registration (i.e., MLO licensing) for mortgage loan officers of any smaller bank.

What Do You Need to Do?

While the Executive Order does not directly impose obligations on mortgage lenders and servicers, it has the potential to significantly impact the mortgage market by changing the rules of the game, particularly for community banks and smaller banks. Industry participants appear open to the possibility of reform – for example, Mortgage Bankers Association President and CEO Bob Broeksmit issued a statement applauding the focus on “addressing costly mortgage regulations that have increased costs and limited access to credit,” and supporting efforts to address other structural factors (including valuations and construction regulations) impacting access to housing.

We will continue to monitor the Regulators’ activities to implement the directives of the Executive Order, particularly as the 21st Century ROAD to Housing Act (which includes provisions on some of the same topics) advances in Congress; we encourage mortgage market participants to do the same.

UDAAP Update: New York’s FAIR Act Signed Into Law

What Happened?

On December 19, 2025, New York Governor Kathy Hochul signed into law Senate Bill 8416, the Fostering Affordability and Integrity through Reasonable (FAIR) Business Practices Act (the “FAIR Act”), which updates Section 349 of New York’s General Business Law (GBL). As we explained in our prior post following the law’s passage by the legislature, the FAIR Act expands the state’s consumer protection statute beyond just deceptive practices to also prohibit “unfair” and “abusive” business acts or practices, marking a major broadening of the New York Attorney General’s enforcement powers. Notably, the final law clarifies that only the Attorney General (“NYAG”) can bring claims for unfair or abusive practices, while private lawsuits remain limited to deceptive acts. The FAIR Act will take effect 60 days after signing, on February 17, 2026.

Why Does It Matter?

The FAIR Act represents a sweeping update to New York’s consumer protection law. Previously, New York law only prohibited deceptive acts and practices. The FAIR Act amends Section 349 of the GBL to also prohibit “unfair” and “abusive” acts or practices in the conduct of any business, trade, or commerce. In practical terms, this aligns New York with the consumer protection laws of almost every other state (47 of which already outlaw unfair practices) and with federal UDAAP standards. Key elements of the new law include:

Expanded Definitions

The statute now defines an “unfair” act as one that “causes or is likely to cause substantial injury” to consumers which is not reasonably avoidable and not outweighed by countervailing benefits. This definition is modeled on the Federal Trade Commission’s standard (15 U.S.C. § 45(n)). An “abusive” act is defined in line with the federal Consumer Financial Protection Act standard (12 U.S.C. § 5531(d)), i.e., something that materially interferes with a person’s understanding of a product or takes unreasonable advantage of someone’s lack of understanding or inability to protect their interests. These broad definitions mean practices that might not be outright deceptive could still be illegal if they unjustifiably harm consumers or exploit imbalances in knowledge or power.

Attorney General Enforcement & Private Rights

Importantly, the law limits enforcement of the new “unfair” and “abusive” provisions to the NYAG. Private plaintiffs can continue to sue under Section 349 only for “deceptive” acts, just as before – there is no new private right of action for unfair or abusive practices. This was a critical concession to avoid opening floodgates of litigation. However, the AG can now bring enforcement actions against businesses for unfair or abusive conduct, seeking injunctions, restitution, and civil penalties. We can expect the NYAG (which has been actively advocating for this law) to launch investigations and actions under the expanded provisions once the law is effective.

“Consumer-Oriented” Standard Preserved (for Now)

A contentious aspect of the FAIR Act was whether it would eliminate the judicially-created requirement that Section 349 cases be “consumer-oriented” (i.e. directed at the public at large, not private contract disputes). The version initially passed by the legislature removed the consumer-oriented limitation entirely, which would have meant the AG (and possibly private plaintiffs) could pursue claims even for one-off transactions or business-to-business dealings. However, in approving the law, Governor Hochul noted an agreement with legislators to ensure the act “does not override” existing case law on the consumer-oriented standard. In effect, this signals that commercial transactions and purely private disputes will not suddenly all become actionable under Section 349. The statute text still says an act can be unlawful “regardless of whether or not it is consumer-oriented” in an AG enforcement, but this may be revisited by a chapter amendment. For now, compliance should assume that private lawsuits still require a consumer-facing element (as before), while the NYAG might test the boundaries of targeting misconduct affecting small businesses or other non-consumer victims in the public interest.

What Do You Need to Do?

For banks, lenders, and other financial services companies operating in New York, the FAIR Act demands a thorough compliance review beyond the traditional focus on deception/fraud. Even though private litigation risk remains mostly unchanged (as it remains limited to deception claims), the NYAG can now act as a mini-CFPB, bringing the full range of UDAAP claims at the state level. Financial services companies must proactively ensure their products and practices meet these standards and should stay aware of any further regulatory guidance issued by the NYAG.

Ohio Mortgage Rules Have Changed: Servicing Now Covered

What Happened?

Effective September 19, 2025, the Division of Financial Institutions (“Division”) of the Ohio Department of Commerce adopted amended rules (the “Amended Rules”) under the Ohio Residential Mortgage Lending Act (“RMLA”) to add and clarify obligations for mortgage servicers.

Why Does it Matter?

The Amended Rules are largely intended to provide clarity to mortgage servicers regarding the application of the RMLA to mortgage servicing businesses, and to implement procedures to prevent servicing problems. For entities licensed under the RMLA, the Amended Rules address registration of offices, unlicensed activity, recordkeeping, prohibited practices, servicing transfers, escrow payments, payment processing, error resolution, borrower requests for information, and a servicer’s obligations upon loss of license. The Amended Rules largely mirror the CFPB’s mortgage servicing rules (i.e., 12 C.F.R. Part 1024, Subpart C (Regulation X) and, to some extent, 12 C.F.R. Part 1026 (Regulation Z)).

Notably, an entity that violates the Amended Rules may be subject to penalties under the RMLA, which are up to $1,000 per day for each day a violation of law or rule is committed, repeated, or continued (and up to $2,000 a day if there is a pattern of repeated violations of law or rule).

Below, we highlight some of the most impactful provisions of the Amended Rules.

Amended Rules

  • Registration Requirements: The Division amended Section 1301:8-7-02 of the Ohio Administrative Code (the “OAC”) to require entities subject to the RMLA (mortgage brokers, lenders and servicers) to register each office location at which it transacts business.
  • Standards for Applications, License, and Registration: The Division amended Section 1301:8-7-03 of the OAC, to clarify that a mortgage broker, mortgage servicer, or loan originator cannot conduct business if they fail to renew their registration on or before December 31. (The Division indicated that it was amending the renewal date to correct a drafting error that incorrectly identified January 31 as the renewal date.)
  • Recordkeeping: The Division amended Section 1301:8-7-06 of the OAC, which relates to recordkeeping, to require a mortgage servicer to retain records that document actions taken with respect to a borrower’s account for four years following the date the loan is discharged or transferred to another servicer; and to maintain specified documents and data in a manner that facilitates compiling the documents and data into a servicing file within five days. (The rule does not expressly address maintenance of records of telephone calls with borrowers.) While the rule requires retention of the same records required under Regulation X (12 C.F.R. § 1024.38(c)), note that the retention period is much longer than Regulation X’s and does not exempt small servicers under Regulation X.
  • Prohibited Practices: The Division amended Section 1301:8-7-16 of the OAC, to add a list of actions specific to servicing that constitute improper, fraudulent, or dishonest dealings under Ohio Revised Code section 1322.40. Specifically, the rule prohibits a servicer from, among other things:
    • assessing a borrower any premium or charge related to force-placed insurance unless the servicer: (i) has a reasonable basis to believe that the borrower has failed to comply with the residential mortgage loan contract’s requirement to maintain hazard insurance; and (ii) delivers or mails to the borrower a written notice at least 45 days before assessing such charge or fee;
    • misrepresenting or omitting any material information in connection with the servicing of a residential mortgage loan, including misrepresenting the amount, nature, or terms of any fee or payment due or claimed to be due on a residential mortgage loan, the terms and conditions of the servicing agreement, or the borrower’s obligations under the residential mortgage loan;
    • failing to apply payments in accordance with a servicing agreement or the terms of a note;
    • making payments in a manner that causes a policy of insurance to be canceled or causes property taxes or similar payments to become delinquent;
    • failing to credit a periodic payment to the borrower’s account as of the date of receipt, except when a delay in crediting does not result in any charge to the borrower or in the reporting of negative information to a consumer reporting agency (except where the servicer specifies in writing requirements for the borrower to follow in making payments, but accepts a payment that does not conform to the requirements, where the servicer has five days to credit the payment);
    • requiring any amount of money to be remitted by means which are more costly to the borrower than a bank or certified check or attorney’s check from an attorney’s account to be paid by the borrower;
    • charging a fee for handling a borrower dispute, facilitating routine borrower collection, arranging a forbearance or repayment plan, sending a borrower a notice of nonpayment, or updating records to reinstate a loan; or
    • pyramiding late fees.
  • Mortgage Servicing Definitions: The Division added Section 1301:8-7-35 to the OAC, which defines terms relevant for the provisions of other new sections (as discussed below), including: (a) “confirmed successor in interest,” “escrow account,” and “qualified written request,” which are consistent with Regulation X; and (b) “federal lending law” and “residential mortgage loan,” the latter of which is defined to limit the Amended Rules’ application to closed-end loans, consistent with Regulation X and Regulation Z.
  • Mortgage Servicing Transfers: The Division added Section 1301:8-7-36 to the OAC, to prohibit a transferee servicer from treating as late an on-time payment made to the old servicer within the 60-day period following the transfer of servicing. It also requires the old servicer to either forward the payment to the new servicer, or return it to the borrower and notify the borrower of the proper recipient. This rule generally mirrors 12 C.F.R. § 1024.33(c).
  • Escrow Accounts: The Division added Section 1301:8-7-37 to the OAC, which requires a mortgage servicer to: (i) make all required escrow payments in a timely manner, and (ii) timely return any payments due to the borrower. It also allows a servicer, if the borrower agrees, to credit any amount remaining in a borrower’s account to a new escrow account for a new loan. This rule generally mirrors 12 C.F.R. §§ 1024.34 and 1024.17(k).
  • Error Resolution Procedures: The Division added Section 1301:8-7-38 to the OAC, which establishes error resolution procedures that mirror the requirements of the CFPB mortgage servicing rules (12 C.F.R. § 1024.35).
  • Requests for Information: The Division added Section 1301:8-7-39 to the OAC, which establishes information request procedures that mirror the requirements of the CFPB mortgage servicing rules (12 C.F.R. § 1024.34).
  • Mortgage Servicer Obligations upon Loss of License: Finally, the Division added Section 1301:8-7-40 to the OAC, which provides that the revocation, suspension, or failure of a servicer to obtain or maintain a license does not affect a servicer’s obligations under a preexisting contract with a lender or borrower.

What To Do Now?

The Amended Rules significantly expand the requirements applicable to mortgage servicers subject to the RMLA. While many of the Amended Rules mirror those under the CFPB’s mortgage servicing rules, certain provisions impose additional obligations on mortgage servicers and/or apply to servicers that may otherwise be exempt from certain requirements under the CFPB’s mortgage servicing rules (e.g., small servicers). Accordingly, mortgage servicers should carefully review the Amended Rules and ensure that their policies, procedures, and controls are updated as appropriate to ensure compliance. Alston & Bird’s Consumer Financial Services Team is actively engaged and monitoring these developments and can assist with any compliance concerns regarding the changes imposed by the Amended Rules.

CFPB’s “Overdraft Lending” Rule Faces Immediate Legal Challenge

What Happened?

On December 12, 2024, the Consumer Financial Protection Bureau (CFPB) issued its final “overdraft lending” rule aimed at curbing overdraft fees charged by banks and credit unions with more than $10 billion in assets, also known as very large financial institutions (VLFIs). The CFPB characterized the rule as closing “an outdated overdraft loophole that exempted overdraft loans from lending laws.” This is the most recent development in the CFPB’s effort to address so-called junk fees.

That same day, a group of banks and financial trade associations—including the Mississippi Bankers Association, the Consumer Bankers Association, the American Bankers Association, and America’s Credit Unions—filed a lawsuit against the CFPB challenging the rule and seeking an injunction.

Why Does it Matter?

Key Provisions

Under the final rule, Regulation Z will apply to overdraft credit provided by VLFIs unless the VLFI provides such overdraft credit at or below costs and losses. As a result, VLFIs will have to choose one of the following options in connection with fees for overdraft credit: (1) capping fees for overdraft credit at the greater of $5 or at an amount that covers their costs and losses; or (2) disclosing the terms of overdraft credit in accordance with the Truth in Lending Act (TILA) and its implementing regulation, Regulation Z.

The CFPB’s final rule amends the definition and exemptions related to “Finance Charges” under Regulation Z and establishes new definitions related to “Overdraft Credit.” Currently, most overdraft fees are generally excluded from the definition of “Finance Charge,” and, therefore, overdraft services are not covered by TILA and Regulation Z. The final rule amends this exclusion by creating a new defined term, “Above Breakeven Overdraft Credit,” and excludes such overdraft credit from the exemption for “charges imposed by a financial institution for paying items that overdraw an account.”

“Above Breakeven Overdraft Credit” is defined as “overdraft credit extended by a very large financial institution to pay a transaction on which, as an incident to or a condition of the overdraft credit, the very large financial institution imposes a charge or combination of charges exceeding the average of its costs and charge-off losses for providing non-covered overdraft credit.” The charges will be deemed to exceed the average costs and charge-off losses if they exceed the greater of: (1) the pro rata share of the very large financial institution’s total direct costs and charge-off losses for providing non-covered overdraft credit in the previous year; or (2) $5. A charge that exceeds this amount will be considered a finance charge and, therefore, imposing such charge on overdraft credit will result in the overdraft credit being considered “Covered Overdraft Credit.”

VLFIs should prepare to comply with this new rule by its effective date of October 1, 2025.

The Challenge to the Rule

A group of financial trade associations and banks filed suit in the Southern District of Mississippi challenging the final rule as improperly imposing an expansive and complex new regulatory regime on overdraft services offered by VLFIs, replete with de facto price caps and significant restrictions on the terms under which overdraft services can be offered.

The plaintiffs bring four challenges to the rule under the Administrative Procedure Act (APA), TILA, and the Consumer Financial Protection Act (CFPA).

First, they allege that the CFPB exceeded its statutory authority under TILA by interpreting “Credit” as encompassing overdraft services, and amending “Finance Charge” to include “Above Breakeven Overdraft Credit.” This, they argue, implicates the major questions doctrine—which bars agencies from making major policy decisions without clear congressional authorization—because the final rule will likely impact millions of Americans and billions of dollars of transactions.

Second, the plaintiffs allege the CFPB exceeded its statutory authority under TILA by imposing substantive credit restrictions when TILA is merely a disclosure statute. They argue this, too, implicates the major questions doctrine.

Third, the plaintiffs allege that the CFPB exceeded its statutory authority under the CFPA by imposing an unlawful fee cap on discretionary overdraft services because the CFPA itself expressly prohibits this kind of fee cap: the CFPB is prohibited from “establish[ing] a usury limit applicable to an extension of credit offered or made by a covered person to a consumer.”

Finally, the plaintiffs allege that the rule is arbitrary and capricious in violation of the APA because, among other things, it: (1) contains an inadequate cost-benefit analysis; (2) does not explain the change in the CFPB’s interpretation of TILA—namely, the CFPB’s reinterpretation of the definition of “Credit” as encompassing overdraft services; and (3) targets large institutions by imposing a $10 billion asset threshold, but ignores smaller financial institutions that similarly charge overdraft fees.

What Do I Need To Do?

VLFIs should consider what changes they need to make to their overdraft services to comply with the new rule by October 1, 2025, assuming that the new rule survives legal challenge.

That said, the legal challenge here has a meaningful chance of success. Recently, courts have been more willing to strike down rules under the major questions doctrine. It is also unclear how much genuine resistance the CFPB will put up in response to this challenge given the forthcoming change in administration. Assuming the new administration does not support this rule, it would likely be more efficient for the CFPB to allow the rule to be challenged and struck down than for it to attempt to repeal the rule, which will require a formal notice-and-comment rulemaking.

Financial Services Advisory: CFPB Finalizes Open Banking Rule on Consumer Financial Data Rights

Executive Summary

Our Financial Services Group unpacks the Consumer Financial Protection Bureau’s final rule on consumer financial data rights under Section 1033 of the Dodd–Frank Act.

  • The rule requires “data providers” to provide consumers and authorized third parties, upon request, with access to certain consumer financial data
  • “Data providers” include Regulation E banks and credit unions, Regulation Z card issuers, payment facilitators, and digital-wallet providers
  • Compliance deadlines are staggered based on institution size, with an exclusion for financial institutions with less than $850 million in assets

_______________________________________________________________

On October 22, 2024, the Consumer Financial Protection Bureau (CFPB) finalized its rule on personal financial data rights under Section 1033 of the Dodd–Frank Wall Street Reform and Consumer Protection Act. Known as the “open banking rule,” it permits consumers to access, control, and share their financial data with authorized third parties. The rule creates a significant shift in control over consumer data in the United States, and it is intended to provide consumers with greater control over financial data, foster competition, and stimulate innovation across the financial services industry. The rule applies broadly to banks, credit unions, and nonbank financial institutions, all of which must make consumer financial data available upon authorized request.

Key Provisions

The rule requires a “data provider” to make available, without charge, “covered data” about consumer financial products and services to consumers and certain “authorized third parties,” in electronic form, upon request by the consumer. The rule requires the provision of such data in standardized, machine-readable formats to promote consistency between financial institutions and third parties. The CFPB will name standard-setting bodies to develop consensus standards to assess compliance with the rule.

Who is a “data provider”?

The CFPB has said its definition of “data provider” will continue to evolve, but it has prioritized financial institutions and card issuers. The rule defines a “data provider” as:

  • A financial institution – that is, a bank or credit union – as defined in Regulation E, 12 CFR 1005.2(i), excluding those with less than $850 million in assets.
  • A card issuer as defined in Regulation Z, 12 CFR 1026.2(a)(7), including buy now/pay later providers.
  • Any other person that “controls or possesses information concerning a covered consumer financial product or service that the consumer obtained” from that person, including providers offering payment facilitation products and services such as digital-wallet providers.

What is “covered data”?

The rule defines “covered data” as essential consumer financial information, including:

  • At least 24 months of transaction information in the control or possession of the data provider.
  • Account balance information.
  • Information to initiate payment to or from a Regulation E account directly or indirectly held by the data provider, including an account and routing number that can be used to initiate an Automated Clearing House transaction.
  • Terms and conditions, or agreements evidencing the terms of the legal obligation between a data provider and a consumer for a covered consumer financial product or service, including pricing information such as APRs and other pricing terms.
  • Upcoming bill payment information.
  • Basic information needed for account verification, limited to name, address, email address, and phone number associated with the covered consumer financial product or service.

Data providers will not have to provide confidential commercial information, including proprietary algorithms that might be used to derive credit or risk scores and information that is used solely for the purpose of fraud detection, money laundering, or other unlawful behavior.

Who is an “authorized third party”?

Fintech apps and data aggregators that offer services to consumers using their data are included as third parties. Authorized sharing with these entities must be based on informed consent that is to be renewed annually.

  • A “third party” means any person that is not the consumer about whom the covered data pertains or the data provider that controls or possesses the consumer’s covered data.
  • To access a consumer’s data, the third party must (1) provide the consumer with an authorization disclosure containing key terms of the data access; (2) provide a statement to the consumer in the authorization disclosure certifying that the third party agrees to obligations set forth in the final rule; and (3) obtain the consumer’s express informed consent to access covered data on behalf of the consumer by obtaining an authorization disclosure that is signed by the consumer electronically or in writing.
  • Third parties are limited in the collection, use, and retention of covered data to what is “reasonably necessary” to provide a product or service to a customer. Use of the data for targeted advertising, cross-selling of other products or services, or the sale of covered data are prohibited.

Stakeholder Perspectives and Compliance Considerations

Reactions to the final rule have been split. Consumer advocates have voiced support for the rule and the empowerment of consumers to control how and where their data can be used, as well as the ability to switch banks more easily. Just hours after the final rule was released, however, the Bank Policy Institute, the Kentucky Bankers Association, and Forcht Bank, a community bank in Kentucky, filed a joint lawsuit in the Eastern District of Kentucky requesting injunctive relief. The plaintiffs allege that the CFPB overstepped its statutory authority (in that Section 1033 relates to a consumer’s right to access their own information and does not speak to access by authorized third parties) and will expose banks to unreasonable liability risk. Forcing banks to share customers’ sensitive financial information while handcuffing banks from managing the risks of doing so, they allege, will increase fraud and the misuse of customer data.

Some of this concern stems from the allocation of responsibility for data security and accountability in the rule. It allows that data providers can deny access to data, but only if the denial is (1) directly related to a specific risk of which the data provider is aware, such as a failure of a third party to maintain adequate data security; and (2) applied in a consistent and nondiscriminatory manner. Data providers must keep a record of when a consumer or third-party request is refused. In the event of a security breach, data providers must notify affected consumers and the CFPB promptly. Notably, the rule requires data providers to verify that third parties uphold data privacy and security standards, but it places limited regulatory obligations on third parties themselves, leaving accountability for data security largely with the data providers. Data providers argue that the rule essentially forces them to subsidize third-party access to consumer data without sharing the cost burden.

During the rule comment period, a range of commentators raised concerns about potential overlaps and compliance complexities with other existing consumer financial laws, and the CFPB has attempted to address those issues in the final rule. Many comments focused on the need for clarity on how the rule interacts with laws such as the Electronic Fund Transfer Act (EFTA), Fair Credit Reporting Act (FCRA), and Gramm–Leach–Bliley Act (GLBA).

  • In comments before the final rule, data providers requested that the CFPB extend the Regulation E error resolution requirements to third parties such as data aggregators. The CFPB reasoned, however, that consumers should address these concerns with their primary financial institution, in line with statutory error resolution rights under the EFTA. Furthermore, data providers and third parties that are Regulation E financial institutions will continue to have error resolution obligations in the event of data breaches.
  • During the comment period to the final rule, there was concern that it would expand FCRA compliance. In the final rule, the CFPB clarified that data providers sharing information at the consumer’s request “does not cause data aggregators to incur legal liability under the FCRA that they would not otherwise assume through their ordinary operations” and would not “alter the types of data, parties, or permissible purposes covered by the FCRA.”
  • Some commenters asked how the rule’s data limitations align with GLBA permissions. The CFPB states Section 1033’s data sharing requirements coexist with GLBA but do not override or replace its mandates, maintaining distinct protections under each law.

Compliance Tiers and Timeline

The rule provides compliance deadlines that are staggered based on institution size:

  • First Tier: Depository institution data providers that hold at least $250 billion in total assets and nondepository institution data providers that generated at least $10 billion in total receipts in either calendar year 2023 or calendar year 2024 must comply by April 1, 2026.
  • Second Tier: Depository institution data providers that hold at least $10 billion in total assets but less than $250 billion in total assets and nondepository institution data providers that generated less than $10 billion in total receipts in both calendar year 2023 and calendar year 2024 must comply by April 1, 2027.
  • Third Tier: Depository institution data providers that hold at least $3 billion in total assets but less than $10 billion in total assets must comply by April 1, 2028.
  • Fourth Tier: Depository institution data providers that hold at least $1.5 billion in total assets but less than $3 billion in total assets must comply by April 1, 2029.
  • Fifth Tier: Depository institution data providers that hold less than $1.5 billion in total assets but more than $850 million in total assets must comply by April 1, 2030.

Conclusion: Prioritizing Readiness

The CFPB’s Section 1033 rule represents a transformative shift in the U.S. financial regulatory landscape, centering consumer control over data rights and driving the industry to an open banking model. Fintech advocates view it as an essential step towards consumer empowerment, while banks and credit unions warn of risks to data security and have liability concerns. Even as the CFPB begins assessing applications for standard-setting bodies, legal and compliance teams from institutions and fintech companies alike should begin to look ahead, with a focus on data security, potential contractual updates with third parties, and regulatory alignment.


Originally published November 22, 2024.