Source Report
Research Question
Analyze the current US regulatory environment affecting fintechs, focusing on CFPB rulemaking (open banking/Section 1033, small business lending data, buy-now-pay-later guidance), OCC fintech charter developments, and any pending or recently passed federal or state legislation (e.g., stablecoin bills, data privacy laws, crypto market structure legislation). Note regulatory posture shifts under the current administration and their practical implications for fintech business models.
CFPB Section 1033 Open Banking Rulemaking
The CFPB's original Section 1033 rule, finalized in October 2024 under the Biden administration, required banks and financial institutions to share consumer financial data (such as transaction history and account balances) with third-party fintechs via APIs upon consumer request. It aimed for "open banking" but sparked lawsuits alleging that it exceeded statutory authority by forcing free data access and ignoring security risks. After the 2025 shift under the Trump administration, the CFPB stayed the litigation, admitted the rule was unlawful, and launched an accelerated reconsideration via an August 2025 Advance Notice of Proposed Rulemaking (ANPR) focusing on fees for data access, security threats, privacy risks, and "representative" definitions, with compliance dates extended to June 30, 2026 at the earliest.[1][2][3]
- CFPB filed motion for summary judgment on May 30, 2025, conceding the rule exceeded authority and was arbitrary/capricious; court stayed case for new rulemaking.[4]
- ANPR seeks comments on four issues: representatives, fees, data security/privacy threats; plans NPR to extend compliance from original April 2026–2030 phased rollout.[5]
- Bank Policy Institute praised shift, noting it disrupts free data grabs that profit fintechs off banks' systems.[4]
For fintechs entering open banking, this buys time to lobby for fee mechanisms (e.g., compensating banks for API costs) but risks narrower data access if security/privacy win out, forcing reliance on voluntary partnerships over mandates and delaying revenue from data-driven services like lending.
CFPB Section 1071 Small Business Lending Data Rule
The CFPB's 2023 Section 1071 rule required lenders to collect and report detailed small business loan data (including demographics like race/gender) for fair lending analysis. The 2025 revisions under new leadership propose slashing its scope: raising the origination threshold from 100 to 1,000 loans biennially, shrinking the "small business" revenue cap from $5M to $1M, excluding merchant cash advances, agricultural loans, and small-dollar credit, dropping LGBTQ+ data, LGBTQI+-owned status, and antidiscouragement rules, and setting uniform compliance by Jan 1, 2028. The mechanism reduces ~80% of reporters while improving data quality for actual discrimination probes.[6][7][8]
- Interim final rule (June/Oct 2025) extended Tier 1 (high-volume) to July 1, 2026; Tier 2 Jan 1, 2027; Tier 3 Oct 1, 2027.[9][10]
- November 2025 NPR proposes further cuts: 5 fewer data points, no antidiscouragement, streamlined reporting.[8]
Fintech lenders (e.g., online small business platforms) gain massive relief from compliance costs/burdens, enabling focus on growth over data collection, but lose prior delays as states may fill gaps, pressuring competitive data transparency.
CFPB Buy-Now-Pay-Later (BNPL) Guidance
A Biden-era May 2024 interpretive rule classified BNPL "digital user accounts" as credit cards under Reg Z, imposing billing-dispute, refund, and disclosure requirements despite BNPL's closed-end, interest-free structure. The Trump-era CFPB revoked it on May 12, 2025 as procedurally defective and a poor fit, and declined reissuance in June 2025, citing the mismatch with open-end regulations. The mechanism: BNPL reverts to lighter closed-end rules, slashing compliance for providers like Affirm and Klarna.[11][12][13]
- FTA lawsuit prompted revocation; CFPB confirmed no reissue as "ill-fitting."[13]
- Dec 2025 report: BNPL originations hit $45.2B (335M loans) in 2023, charge-offs fell to 1.83%; still ~1% of card volume.[14]
BNPL fintechs thrive with deregulation, avoiding credit card burdens that could hike costs 20-30%; entrants should monitor state rules, as federal retreat shifts risks there, boosting scalability but exposing to lawsuits.
OCC Fintech Charter Developments
The OCC revived national trust bank charters for fintech and crypto firms post-2025, conditionally approving 6+ in 2025 (e.g., Erebor; Bridge, the Stripe subsidiary, for stablecoins/custody) via de novo charters and conversions. The mechanism: the charter grants federal preemption of state laws (e.g., money transmitter licenses) without deposits or lending, enabling custody, settlement, and staking. A January 2026 NPR clarifies that trust banks can conduct "business of banking" activities beyond fiduciary ones, fueling 18+ applications amid the GENIUS Act.[15][16][17]
- Dec 2025: 5 approvals (custody/execution/stablecoin reserves); pending: Laser Digital, World Liberty.[18]
- 2025 interpretive letters (1183-1188): OK banks outsourcing crypto custody/execution, holding native tokens for fees/testing, riskless principal trades.[16]
Crypto and fintech firms can now obtain a federal charter for digital assets without the state patchwork, cutting compliance 50%+ via preemption; competitors without charters face higher costs partnering with banks, which argues for prioritizing applications now (120-day reviews).
Stablecoin Legislation (GENIUS Act)
The GENIUS Act (S.394), signed July 18, 2025, created the first federal stablecoin framework: only bank subsidiaries and OCC-approved nonbanks may issue "payment stablecoins", with 1:1 reserves (cash/Treasuries), redemption rights, no interest/yield, and bank-like supervision (OCC for >$10B issuers). The mechanism prevents runs via reserves/AML and clarifies non-security/commodity status; it is effective ~Nov 2026 (18 months post-enactment or 120 days post-regulations).[19][20][21]
- Bipartisan: Senate 68-30 (June), House 308-122 (July).[21]
- Smaller issuers opt state regimes; bans non-compliant issuance post-effective date.[22]
Stablecoin fintechs (e.g., Circle/Tether rivals) must seek OCC license/reserves, enabling USD dominance but raising capex ~$10-25M Tier 1 capital; non-compliant face bans, favoring incumbents/partners.
Data Privacy Laws and Crypto Market Structure
Comprehensive privacy laws in 20 states are effective in 2026 (IN/KY/RI new on Jan 1); they narrow GLBA exemptions (e.g., CT to data-level), add sensitive-data categories (neural/financial ID), require consent for sales and AI training, and add minors' bans. The mechanism hits fintech data moats via opt-outs and assessments; there is no federal law. Crypto structure bills (CLARITY H.R.3633, FIT21 successor) are pending in the Senate: they divide jurisdiction between the SEC (restricted assets) and the CFTC (digital commodities) and treat secondary sales as non-securities post-decentralization; GENIUS complements them without interest loopholes.[23][24][25]
- State expansions: low thresholds (RI 35K users), cure periods sunset (OR/MN/NJ).[23]
- CLARITY/FIT21: end-user distributions non-securities; Senate draft bans stablecoin interest.[26]
Fintechs must geofence compliance (20 states), conduct DPIAs for profiling/lending AI, risking 4-7.5% revenue fines; crypto platforms delay non-decentralized sales until passage, but pending bills signal CFTC-friendly trading boom.
Regulatory Posture Shifts Under Trump Administration
The Trump-era CFPB (Acting Dir. Vought) slashed staff 80%+, withdrew 67 guidances, halted enforcement (1 action vs. 27 prior), and paused supervision for 10 months for a "Humility Pledge" (scoped exams, self-reports prioritized), with funding halved. The mechanism reins in Biden's "heavy hand" (24 rules in 2024), focusing on banks over fintechs while states and the FTC lead; the OCC embraces crypto charters and deregulation for community banks.[27][28][29]
- Spring 2025 agenda: 24 items rescinding/revising (e.g., nonbank registry, UDAAP abusiveness).[30]
- CEA report: CFPB rules hiked rates 16bps, costs $100B+ since 2013.[31]
Fintechs face lighter federal touch (fewer exams/enforcement), but states ramp up (e.g., privacy/minors' data); pivot to partnerships/bank charters, as CFPB retreat boosts innovation but exposes to 50-state patchwork.
Recent Findings Supplement (February 2026)
CFPB Section 1033 Open Banking Rule Reconsideration
The CFPB issued an Advance Notice of Proposed Rulemaking (ANPRM) on August 22, 2025, seeking comments on revising its 2024 open banking rule finalized under Section 1033 of Dodd-Frank: the agency now questions core elements like "representative" access definitions, data-sharing fees, security costs, and privacy threats, signaling a potential narrowing amid litigation and new leadership priorities to align with statutory limits rather than expansive mandates.[1][2]
- ANPRM published in Federal Register August 22, 2025; comments closed October 21, 2025.[3]
- CFPB admitted in May 2025 court filing the original rule exceeds authority; plans accelerated rewrite with extended compliance dates.[4]
- Bank Policy Institute endorsed revisions October 21, 2025, to preserve secure data-sharing without disrupting bank-fintech partnerships.[4]
Implications for fintechs: New entrants gain time to adapt but face uncertainty on data access scope; incumbents like Plaid benefit from preserved APIs, but broad mandates could raise compliance costs 20-30% if fees/security rules tighten—focus pilots on consumer-requested sharing to preempt revisions.
CFPB Section 1071 Small Business Lending Data Rule Overhaul
CFPB proposed November 13, 2025, to substantially narrow its 2023 Section 1071 rule requiring small business loan data collection: raises coverage threshold from 100 to 1,000 originations/year (using only small business, not farm loans), simplifies data points/discouragement monitoring, sets uniform January 1, 2028 compliance for qualifiers, and drops tiered deadlines finalized October 2, 2025.[5][6]
- Builds on June/October 2025 extensions delaying prior deadlines to 2026-2027.[7]
- CFPB voluntary cost survey released November 14, 2025; 30-day comment period post-Federal Register.[5]
Implications for fintechs: Lenders like Kabbage/OnDeck (under 1,000 threshold) escape entirely, slashing build costs ($1-5M estimated); survivors invest in streamlined demographic collection by mid-2027—nonbanks pivot to voluntary analytics for competitive moats.
CFPB Buy Now, Pay Later (BNPL) Market Monitoring
No new formal guidance post-August 2025, but CFPB released December 10, 2025 report on 2022-2023 BNPL trends from six major providers (e.g., Affirm, Klarna): originations hit 335.8M loans ($45.2B total, avg. $135), users grew to 53.6M (avg. 6.3 loans/user), charge-offs fell to 1.83% amid tighter underwriting; late fees dropped to 0.18% of GMV.[8][9]
- Heavy users (>12 loans/year) show distress risks; BNPL ~1% of card spend.[9]
- State AGs launched inquiries December 9, 2025, probing TILA compliance post-CFPB's withdrawn 2024 interpretive rule.[10]
Implications for fintechs: Affirm/Klarna scale responsibly (focus repeat users) to dodge enforcement; HUD RFI (June 2025) flags BNPL in mortgage DTI—lenders integrate reporting to FICO for visibility, avoiding underwriting blind spots.
OCC Fintech Charter Resurgence
OCC conditionally approved five national trust bank charters December 12, 2025 (e.g., Ripple, BitGo, Fidelity Digital, Paxos conversions; First National Digital Currency de novo) for crypto custody/staking/execution/stablecoin services, amid 18+ 2025 applications and pending digital asset filings (e.g., Laser Digital January 2026); proposed NPRM January 8, 2026 clarifies non-fiduciary activities without expanding scope.[11][12]
- Interpretive Letters 1184/1186/1188 (May-November 2025) greenlight bank crypto custody/execution/network fees.[13]
Implications for fintechs: Stripe's Bridge, Coinbase seek charters for rails/reserves—bypasses state MTLs via preemption; non-custodians partner federally, but banks lobby against (e.g., stablecoin yields)—target $6-25M Tier 1 capital for 120-day approvals.
Stablecoin Legislation: GENIUS Act Enactment
GENIUS Act (S.1582) signed July 18, 2025, creates federal framework for "payment stablecoins": only permitted issuers (OCC/Fed/state-qualified) with 1:1 reserves, no yields, BSA/AML compliance; preempts state MTLs for federal qualifiers; Treasury ANPRM September 2025 seeks input on rules (e.g., state comparability).[14][15]
- FDIC/NCUA NPRMs (December 2025/February 2026) detail bank subsidiary issuance; CFTC Letter 25-40 (February 2026) adds national trust stablecoins as margin collateral.[16]
Implications for fintechs: Circle/Paxos convert seamlessly; Tether-like offshoots apply federally (2027 compliance)—yields banned drives custody to banks, but GENIUS moat locks non-compliant out by 2028.
Crypto Market Structure and Data Privacy Stalemate
CLARITY Act (H.R.3633) passed House July 2025 but stalled in Senate Banking (vote postponed January 14, 2026) over Section 404 banning stablecoin yields by affiliates/exchanges, pitting banks vs. crypto lobbies; White House mediates for March compromise.[17]
- No federal privacy law; 3 new state CCPAs (IN/KY/RI January 1, 2026), amendments (e.g., CT drops GLBA exemption, OR/MN/NJ cure periods end); CA CCPA regs mandate ADMT audits/risk assessments.[18]
Implications for fintechs: Delay favors SEC/CFTC status quo—build CFTC commodities case for non-securities; privacy patchwork hits multi-state lenders (e.g., 20 states now), prioritize universal opt-outs/data minimization for scalability.