When most people hear the phrase “Section 1033” or “open banking,” they imagine abstract federal rulemaking about data standards that only banks, fintech founders, and regulatory lawyers care about. The truth is far more urgent and far more alarming. When, not if, the Consumer Financial Protection Bureau mishandles this rule, tens of millions of Americans may soon find that their rent payments, the single largest monthly bill they pay, become less reliable, less secure, and significantly more vulnerable to fraud. This is not a theoretical concern or a distant possibility. It is a direct consequence of the rule’s structure.
Every month, millions of Americans use Plaid and similar data-aggregation services to connect their checking accounts to rent-payment platforms or to interface with financial resources. They take this route because paying rent with a credit card often comes with an extra 2.5 to 3 percent fee. To avoid those fees, tenants authorize a rent-payment platform to draw funds directly from their bank account through a Plaid connection.
Former CFPB Director Rohit Chopra previously finalized the Section 1033 rule, under which that simple authorization would become a regulated data-transfer event. Banks would be required to transmit sensitive financial information on demand to the third-party rent processor selected by a consumer. They would have to do so without compensation and while assuming legal liability for data they do not control. A seemingly routine monthly transaction suddenly becomes structurally risky.
This is where the crisis emerges. The CFPB’s suspended Personal Financial Data Rights (PFDR) rule would have required banks to build and maintain costly Application Programming Interface (API) infrastructure, provide consumer-permissioned data to third parties at no charge, accept responsibility for downstream data mishandling, and transmit transaction histories to platforms that are not subject to Gramm-Leach-Bliley Act (GLBA) privacy or cybersecurity obligations. Meanwhile, the rent-processing platforms that receive this data are not uniformly regulated, consistently audited, or held to the same liability standards as banks. In effect, banks become responsible for the behavior of a landlord’s chosen rent-processing vendor, even if that vendor misroutes payments, stores data insecurely, or suffers a data breach. Under the original framework, banks assume the liability, fintechs procure the data, and consumers bear the risk.
Rent is the single largest transaction for roughly 44 million American households. If even a small percentage of these newly mandated data transfers go wrong, and, given record data breach levels, some will, the consequences cascade immediately. Tenants incur late fees through no fault of their own. Landlords stop receiving rent payments. Banks absorb fraud losses. Aggregators disavow responsibility. Confidence in digital payments deteriorates. And the entire pipeline, from bank to aggregator to landlord, becomes a regulatory fault line.
The most troubling dimension of this saga is how closely the original rule’s structure aligns with the interests of the country’s largest data aggregators. These firms would receive free access to bank data, bear no obligation to fund API development, operate without meaningful GLBA oversight, and face virtually no liability for breach or misuse. It is difficult to frame this as anything other than regulatory capture: a federal rule designed to shift costs to banks, risk to consumers, and value to data-harvesting intermediaries.
Recent investigative reporting makes the stakes painfully clear. Reuters revealed that Meta displays billions of scam ads per day, earns significant revenue from fraudulent activity, and ignores an overwhelming majority of user fraud reports. When platforms of that scale face few consequences for enabling fraud, it becomes reckless for regulators to impose vast new obligations on banks while leaving central data intermediaries largely unregulated. Trusting Big Tech more than banks is an invitation to systemic failure.
Congress never authorized a national open-banking regime. Section 1033 is a simple consumer-access statute that ensures individuals can retrieve information about their own accounts. It does not require banks to build APIs, subsidize data aggregators, or transmit data to unregulated third parties. The Supreme Court’s ruling in Loper Bright affirms that agencies cannot invent sweeping policy frameworks without apparent statutory authority. If the CFPB wishes to reengineer the American financial data infrastructure, the proper venue is Congress.
Meanwhile, the market has solved most of the problems the rule tries to address. Bilateral agreements between banks and aggregators already power a thriving ecosystem. Plaid connects more than 200 million accounts. FDX-compliant APIs cover nearly 100 million more. Over 120 aggregators operate nationwide. Screen scraping is declining naturally. Consumers enjoy unprecedented digital access without federal intervention. This is the model that works, not a government-designed imitation of Europe’s open-banking experiments.
The CFPB must not turn “rent day” into “data-breach day.” The next version of the 1033 rule must respect statutory limits, preserve fair market pricing for data access, apply liability evenly across banks and aggregators, end screen scraping only when aggregators are fully regulated, and avoid subsidizing unregulated intermediaries through forced data flows. If regulators get this wrong, Section 1033 will become the largest untested cybersecurity experiment in the history of American finance, conducted not on corporations but on everyday people trying to pay their rent.
Rent should not be a regulatory hazard. Banks should not be liable for costly fintech mistakes. A rule designed to empower consumers should not empower data brokers instead. The CFPB must start over and build a framework that protects consumers and the financial system, not the companies eager to mine America’s financial lives.
