As it works to determine how to safeguard the sharing of and access to consumer financial data, the Consumer Financial Protection Bureau (CFPB) faces a clear choice.
It can allow market-based frameworks developed by the private sector to continue evolving, stepping in only where genuine gaps or abuses emerge. Or it can try to revive broken and ineffective Biden-era rules that override the marketplace with one-size-fits-all mandates that will hurt innovation without protecting individuals.
The free market should prevail here.
Consumer financial data is deeply personal. How that data is accessed, protected, and shared also has large economic consequences. It shapes incentives across the financial system and influences innovation, security, and consumer trust.
Decisions about data sharing affect who bears risk, who is accountable when things go wrong, and how quickly firms can adapt to new technologies and emerging threats.
Striking the right balance between access and security is difficult, which is precisely why regulators should be cautious about imposing one-size-fits-all rules on a rapidly evolving marketplace.
The Section 1033 rule is a Biden-era “open banking” mandate that was promoted to modernize banking. In practice, it imposed a sweeping federal framework on banks, fintechs, and data aggregators. Rather than allowing the ecosystem to set up market-based pricing and risk-based limits on data access, liability, and security, the rule tried to standardize those decisions from Washington, despite the inherent tradeoffs involved.
When the rule was halted by a federal court, it created an unintended but valuable policy experiment. With the mandate paused, banks, fintechs, and data aggregators were given an opportunity to experiment with alternative pricing, access, and security practices rather than following one-size-fits-all regulatory directives. That pause shows that markets do not stand still in the absence of federal mandates. They progress.
In that environment, firms began developing voluntary agreements governing data access, security standards, liability, and fees. These arrangements spelled out who could access what data, under what conditions, and who would be responsible if safeguards failed. Importantly, these agreements emerged not because regulators required them, but because firms bear the costs of breaches and failures directly. Reputational damage, legal exposure, and the loss of consumer trust create strong incentives to get data-sharing right.
These market-based agreements matter because financial data-sharing is not static. Cyber risks evolve. Technologies change. Consumer expectations shift as digital services become more integrated into daily life. Voluntary frameworks allow firms to adapt quickly as new threats emerge or new tools become available. Federal mandates, by contrast, are slow to adjust and often lag the realities they are meant to govern. Once codified, regulatory rules can lock in outdated assumptions, making the system less secure rather than more.
Such mandates also have the potential to negatively impact California’s innovation-driven economy, where flexibility and rapid adaptation are essential. The state is home to a wide range of financial institutions and technology firms operating at different scales and levels of complexity. Smaller institutions are often least able to absorb regulatory rigidity, even though they play a critical role in competition and consumer choice. Uniform federal mandates tend to advantage large incumbents that can absorb compliance costs, while smaller players face higher barriers to participation.
Safeguarding personal financial data is essential, but protection does not require government micromanagement of every data-sharing relationship. Instead, it requires clear incentives, enforceable accountability, and standards that can evolve alongside technology. Markets, when allowed to function, are well-positioned to provide these safeguards precisely because participants have skin in the game.
Good policy recognizes its limits. It avoids undoing private solutions simply because they did not originate in Washington. The goal should not be to replace functioning market arrangements with centralized mandates, but to ensure that incentives remain aligned with consumer interests.
The CFPB should resist regulatory backsliding on Rule 1033 and allow markets the continued opportunity to prove that innovation and privacy are not opposing goals. When incentives are properly aligned, consumers and the economy both win.