Section-1033
Mon, 25 Aug 2025
What's going on with Open Banking regulation in the U.S.?
It's in the headlines every few weeks: it's finalised, it's paused, it's re-written... The CFPB’s Open Banking rule laid out a bold framework: free consumer data access, API-first standards, and tight guardrails on third-party use. Then litigation hit pause, triggering delays and a rework in progress. So how do you plan for what’s next when the rule keeps moving?
The road to now (very short version)
2010 → Section 1033 is born.
Dodd‑Frank creates a consumer right to access personal financial data; the CFPB later implements this authority in 12 CFR Part 1033.

June 2024 → Standards track finalised.
The CFPB sets criteria for recognising industry standards bodies to anchor API/data norms.

October 2024 → The open‑banking rule is finalised.
The Personal Financial Data Rights rule requires data providers to give consumers (and consumer‑authorised third parties) free access to covered data in standardised electronic form.

January 2025 → FDX recognised.
Financial Data Exchange (FDX) becomes the first recognised standards body.

Late 2024–2025 → Litigation and deadline tolling.
A federal court stays the case and tolls compliance dates by 90 days across all tiers.

Summer 2025 → “Rewrite” begins.
The CFPB moves to substantially rework the 2024 rule while the case is paused.
The current state (as of August 2025)
The 2024 rule is still on the books - but being reworked.
The case is paused; the Bureau is pursuing a revised rulemaking.

Tiered compliance dates remain, shifted by 90 days.
Original Federal Register dates were April 1, 2026. With the 90‑day tolling, the earliest tier now starts from June 30, 2026.

Who’s covered (headline view).
Coverage includes depository institutions and certain non-banks (e.g., payment apps/digital wallets), while small depositories under the SBA “small” threshold (currently $850M in assets) are exempt from developer‑interface obligations.

Data access is free of charge.
Providers may not charge consumers or authorised third parties to access covered data.

Guardrails on data use.
Authorised third parties must limit collection/use/retention to what’s needed for the consumer’s requested service; targeted advertising, cross‑selling, and selling covered data are out‑of‑bounds.

APIs and standards.
Providers must stand up a developer interface that makes covered data available in a standardised, machine‑readable format; aligning to a recognised consensus standard (e.g., FDX) is a strong signal of compliance.

Screen scraping is not (yet) banned.
The final rule pushes industry toward APIs but does not prohibit scraping outright. Expect this to be revisited in the rewrite.
What to expect next (and the big questions)
Timing of the redo.
Watch for a new proposal and updated timelines tied to the litigation stay. How far will the Bureau go in re‑scoping or re‑sequencing obligations?

Standards & conformance.
With FDX recognised, will additional standards bodies be recognised, and will conformance become de facto (or de jure) mandatory for a “safe harbor”?

Fees & cost recovery.
Today’s rule requires free access to covered data. Will the rewrite keep that bright line, allow limited cost recovery, or clarify charging for non‑covered datasets?

Sunsetting screen scraping.
Will the Bureau set a firm deprecation period (e.g., “API‑only by X date”) and a migration plan for long‑tail integrations?

Scope expansion.
The initial rule centers on transaction accounts/credit cards and payment apps; will the redo pull in additional products (e.g., broader lending, investments) and richer data fields needed for underwriting or pay‑by‑bank use cases?

Liability clarity for A2A/pay‑by‑bank.
How will liability be allocated among banks, aggregators, and fintechs for unauthorised transfers and disputes as direct account payments scale?

Certification & assurance.
Who will verify conformance (self‑attestations vs. third‑party audits), and how will changes to standards or an SSB’s status ripple through integrations?

Deadlines under a stay.
If the CFPB issues a new rule, do the tolling adjustments reset (again), or will the court’s stay convert into a new compliance calendar? Plan for more date movement - but assume minimal slack for the largest entities.
The bottom line
Open banking in the U.S. is real and inevitable, even as the CFPB rewrites the specifics. The 2024 rule remains the reference point, with free consumer data access, strict third‑party guardrails, and API‑first implementation via recognised standards. The 90‑day court‑ordered shift means the first tier now starts from June 30, 2026, unless and until a new rule says otherwise.
If you build to FDX‑style APIs, honour Subpart D limitations on data use, and watch the rewrite for changes to fees, scraping, scope, and conformance, you’ll be directionally aligned - whatever the final contours.
Posted by Coco Armstrong