The Rise of Open Banking in the United States: What to Expect
The CFPB's Section 1033 rule is creating a federal framework for consumer financial data sharing. Here's how it works, who it affects, and what comes next.
Open banking has been a reality in the United Kingdom since 2018 and across much of the European Union since the implementation of PSD2. In the United States, however, the transition has been slower, messier, and more contentious. That is now changing. The Consumer Financial Protection Bureau's Section 1033 rulemaking, which establishes a federal framework for consumer financial data sharing, represents the most significant regulatory development in the American open banking landscape to date.
What Section 1033 Requires
Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act, enacted in 2010, grants consumers the right to access their financial data in electronic form. For over a decade, this provision remained largely unimplemented because the CFPB had not issued the rules needed to put it into practice. That changed when the Bureau began its rulemaking process in earnest, issuing a proposed rule in late 2024 that established specific requirements for how financial institutions must make consumer data available.
Under the framework, banks and other covered financial institutions will be required to make consumer financial data available through developer interfaces — essentially standardized APIs — at no cost to the consumer. This data includes transaction history, account balances, payment information, and other categories of financial records. Third parties that access the data must be authorized by the consumer and must comply with data security, use limitation, and retention requirements.
The rule is designed to be phased in over several years, with the largest financial institutions required to comply first and smaller institutions given more time. This phased approach acknowledges the significant technical investment required to build and maintain the API infrastructure that open banking demands.
How the U.S. Compares to the UK and EU
The UK's Open Banking Implementation Entity, established in 2018 following a Competition and Markets Authority order, created a centralized governance structure that defined technical standards, certified third-party providers, and oversaw the rollout of open banking across the country's nine largest banks. The EU's PSD2 directive took a broader approach, requiring all payment service providers across member states to open their payment account data to licensed third parties.
The U.S. approach under Section 1033 is more decentralized. Rather than establishing a single governing body or mandating a specific technical standard, the CFPB is setting baseline requirements and allowing the market to develop interoperable solutions. Industry bodies like the Financial Data Exchange (FDX) have been working to fill the standards gap, developing technical specifications for data sharing that many banks have already begun to adopt voluntarily.
This market-driven approach has advantages — it allows for more flexibility and can accommodate the enormous diversity of the U.S. banking system, which includes everything from multinational megabanks to community banks with a handful of branches. But it also creates uncertainty, because the absence of a centralized authority means that implementation will inevitably vary across institutions.
What This Means for Banks
For large banks, Section 1033 formalizes what many had already been doing voluntarily. Institutions like JPMorgan Chase, Wells Fargo, and Truist had already built data-sharing partnerships with companies like Plaid, Finicity (now part of Mastercard), and other aggregators. The rule provides legal clarity about the terms of these arrangements — what data must be shared, how consumers must consent, and what security standards apply — but it does not fundamentally change the direction in which these banks were already heading.
For mid-sized and smaller banks, the compliance burden is more significant. Building and maintaining API infrastructure requires technical investment that many community banks may struggle to make on their own. This has created a growing market for open banking middleware providers — companies that offer turnkey API solutions that smaller institutions can plug into their existing core banking systems.
One area of ongoing tension is liability. When a consumer authorizes a third-party app to access their bank data and something goes wrong — whether a data breach, unauthorized transaction, or simple error — the question of who bears responsibility is not always clear. The CFPB's rule addresses some of these questions, but significant gray areas remain, particularly around the intersection of open banking and fraud prevention.
What This Means for Fintechs
For fintech companies, Section 1033 is largely welcome news. The rule legitimizes the data access that fintechs have been building their products around for years, and it replaces the legally precarious practice of screen scraping — where apps collected data by logging into bank accounts with the consumer's credentials — with a more secure, standardized API-based model.
However, the rule also imposes obligations on fintechs. Third parties that access consumer financial data must limit their use of that data to the purposes for which the consumer authorized access. They must implement data security measures. And they must provide consumers with a clear way to revoke access. These requirements will likely increase compliance costs for smaller fintechs, potentially creating a barrier to entry that benefits larger, better-resourced companies.
The Consumer Perspective
For consumers, the promise of open banking is straightforward: more control over their financial data, more choices about which apps and services can access that data, and a more seamless experience when managing finances across multiple institutions. In practical terms, this might mean easier account switching, better budgeting tools that can see all of a consumer's accounts in one place, and faster loan underwriting based on real-time financial data rather than static credit reports.
The risk, from a consumer perspective, is that increased data sharing creates more opportunities for misuse. Even with regulatory safeguards, the more parties that have access to sensitive financial data, the larger the attack surface for potential breaches. Consumer education about how to manage data permissions — and how to revoke them — will be an important part of making open banking work in practice.
What to Watch
Several developments will shape the trajectory of open banking in the United States over the next 12 to 18 months. The finalization and implementation timeline of the Section 1033 rule will determine how quickly banks must comply. The evolution of FDX standards will influence how interoperable the resulting systems are. And the competitive dynamics between banks and fintechs — whether they trend toward partnership or confrontation — will determine whether open banking becomes a seamless consumer experience or a fragmented landscape of incompatible systems.
What is clear is that the era of screen scraping is ending. The question now is what replaces it — and whether the American approach to open banking can deliver the consumer benefits that regulators and industry advocates have promised.


