Data Points: Privacy & Data Security Blog

On October 29th, the Eastern District of Kentucky (the “Court”) enjoined the CFPB from enforcing the Personal Financial Data Rights Rule (the “Rule”) until it has completed its reconsideration of the Rule.[1] The Rule had been released by the Consumer Protection Financial Bureau (“CFPB”) in October of 2024 pursuant to the CFPB’s authority under Section 1033 of the Dodd-Frank Act.[2] The Rule requires financial institutions to share consumers’ personal financial data with other providers at no cost upon the consumer’s request. The Court, having determined that challenges to the Rule were likely to succeed on the merits, has now enjoined the CFPB from enforcing the Rule, finding that requiring financial institutions to comply with the Rule while it is under reconsideration by the CFPB would cause irreparable harm.

Background on the Litigation

Upon the Rule’s release, Forcht Bank, N.A., the Kentucky Banker’s Association and the Bank Policy Institute (the “Plaintiffs”) brought an action in the Court challenging the Rule and alleging that the various provisions of the Rule exceeded the CFPB’s statutory authority and were arbitrary and capricious. However, after the change in presidential administrations, the CFPB has since changed course, determining that the Rule is unlawful and that it should be set aside. The CFPB first asked the Court to vacate the Rule but later moved for an indefinite stay of the litigation, stating that it has decided to initiate new rulemaking to reconsider the Rule. The Court granted the CFPB’s motion to stay pending the new rulemaking.

In August of 2025, the CFPB published an advance notice of proposed rulemaking (the “Advanced Notice”), seeking public comment on various issues regarding the current Rule.[3] In the Advanced Notice, the CFPB stated that it intended to extend the compliance deadlines. However, as of October 29th, the CFPB had not extended the compliance deadlines and the current deadlines beginning June 30th, 2026 (as extended by the Court in previous orders), remain in place. 

Plaintiffs’ Motion for Preliminary Injunction & the Court’s Analysis

The Plaintiffs moved to temporarily lift the stay on the litigation for the limited purpose of issuing an order staying the Rule’s compliance deadlines and enjoining enforcement of the Rule. In determining whether to grant the preliminary injunction, the Court considered (1) whether the Plaintiffs had shown a strong or substantial likelihood of success on the merits; (2) whether the Plaintiffs have demonstrated irreparable injury; (3) whether the issuance of the injunction would cause substantial harm to others; and (4) whether the public interest would be served by the issuance of the injunction.

• The Court determined that the Plaintiffs are likely to succeed on their claims. In each instance, the Court pointed out that the CFPB agreed with the Plaintiffs.
• The Court stated that the Plaintiffs were likely to succeed on the merits of their claim that the CFPB exceeded its authority under the Section 1033 (“Section 1033”) of the Dodd-Frank Act (the “Act”) by requiring banks to make financial data available to third parties.
  • Section 1033 requires certain financial providers to make available certain financial information of a consumer to the consumer and directs the CFPB to prescribe rules accordingly. The Act defines consumer as “an individual or an agent, trustee, or representative acting on behalf of an individual”. [4]
  • The Plaintiffs argued that the Act’s definition of consumer should not apply, stating that the context and structure of the statute override the definition.[5] The Plaintiffs argued that even if the definition applied, commercial third parties like fintech companies or data aggregators did not qualify as agents, trustees or representatives because those roles require a fiduciary-like relationship.
  • The Financial Technology Association (“FTA”), which had intervened in this case to defend the Rule, argued that the Rule aligns with the Act’s definition of consumer as “authorized third parties” under the Rule falls within the ordinary meaning of “representative”[6]. The FTA argued that Section 1033, by directing the CFPB to prescribe standards to “promote the development and use of standardized formats for information, including through the use of machine-readable files, to be made available to consumers,”[7] intended to facilitate a broader ecosystem in which authorized third parties securely access financial data on behalf of consumers.
  • The Court determined, agreeing with Plaintiffs, that “representative” must be read in context of its surrounding words, “agent” and “trustee”, thus requiring a fiduciary-like relationship. The Court also noted that the only reference to Section 1033 in the Act’s legislative history states that Section 1033 ensures that consumers are provided with access to their own financial information. As such, the Court stated that there is no indication that Congress intended a broad interpretation of the definition of “consumer” such that it should include authorized third parties and that the Plaintiffs are likely to succeed on the merits in their claim.

• The Court further agreed that the Plaintiffs were likely to succeed on the merits of their claim that the Rule’s data sharing framework is arbitrary and capricious because the CFPB failed to consider the cumulative impact of the provisions affecting data security and failed to explain such omission.
• The Court did not make a specific determination that the Plaintiffs were likely to succeed in their challenge to the Rule’s prohibition on banks charging fees for interface access.
• Finally, the Court also determined that the Plaintiffs are likely to succeed on the merits of their claim that the Rule’s fixed compliance deadlines were arbitrary and capricious, stating that the Plaintiffs raised a reasonable argument that the CFPB failed to address how data providers are expected to comply with the Rule when consensus standards required for compliance may not yet exist by the deadlines.
• The Court determined that the unrecoverable costs of compliance that are being or will be incurred to prepare for enforcement of the Rule constitute irreparable harm. The Court noted that because the CFPB is currently conducting rulemaking to replace the Rule, funds spent on compliance are likely to be wasted.
• The Court stated that the CFPB will suffer no harm if it is unable to enforce a rule that it is currently reconsidering.
• Finally, with respect to public interest, the Court noted that the public could arguably lose some benefit from the Rule not being enforced because it could delay consumer control over their information, but that in light of the contentions that the Rule puts consumers at risk due to data security issues, this factor does not tip the scale in either direction.

The Court’s Order

The Court stated that, ultimately, the Plaintiffs were being compelled to incur expenses that would be unrecoverable and unnecessary if the new rule substantially revises the existing Rule or if the existing Rule is vacated. The Court determined that a preliminary injunction would be granted to “preserve the status quo” while the CFPB completes its rulemaking process. Thus, the Court ordered “the [P]laintiffs’ motion to temporarily lift the stay of the litigation for the limited purpose of issuing a preliminary injunction [is granted]” and that “the [CFPB] is [enjoined] from enforcing the [Rule] until it has completed its reconsideration of the Rule[.]”

What Next?

In light of the Court’s ruling enjoining enforcement of the Rule until the CFPB has completed its reconsideration of the Rule, the CFPB will likely no longer need to extend the compliance deadlines in the interim.

This ruling raises interesting questions about how the CFPB may revise the Rule in order to avoid potential challenges. If and when the CFPB tries to implement a rule pursuant to Section 1033, the Court’s order may inform (and limit) the scope of any future rule. 

The comment period for the Advanced Notice ended on October 21st, 2025. The CFPB has not yet issued a new rule, nor has it provided any indication of when it would do so. Until then, however, financial institutions appear to have been granted a reprieve from compliance with the current Rule.

[1] Memorandum Opinion and Order, Forcht Bank, N.A., et. al. v. Consumer Financial Protection Bureau, et. al., No. 5:24-cv-00304-DCR, Doc #90 (E.D. Ky. Oct. 29, 2025).

[2] See CFPB Finalizes Personal Financial Data Rights Rule 1033.

[3] See CFPB Returns to Rulemaking on Personal Financial Data Rights Rule 1033.

[4] 12 U.S.C. § 5481.

[5] The Plaintiffs cited cases that suggest that a term defined by statute may not carry the same meaning every time it is used.

[6] The FTA cited the Black’s Law Dictionary definition of representative: “one who stands for or acts on behalf of another”.

[7] 12 U.S.C. § 5533(a), (d).