President Donald Trump's administration is gearing up to review the final rule, which was issued by the CFPB in October and covers consumer-permissioned data that touches banks, FinTechs, apps and digital wallets. The rule, known as 1033, applies to data security, liabilities and fee structures as financial institutions share account-level data with FinTechs.
However, the very fate of the CFPB has been up in the air for months, as have its rulemaking authority and the status of dozens of rules and guidelines that have been finalized and put in effect over the past several years.
The open banking rule took effect in January. It requires banks to develop standardized APIs or other secure methods for data-sharing, moving away from less secure practices like screen scraping, among other things. The rule also bans institutions from charging fees for data access.
As for the implementation schedule, banks are required to apply the rule to deposit accounts, payment services and credit cards on a timeline that depends on the asset size of the financial institution, with the largest firms first in line. Implementation will stretch from 2026 to 2030. However, forging new practices and new bank-FinTech partnerships, with some technological changes in the mix, takes time, planning and resources.
Data Security Concerns
The onus of data security falls on banks, but as financial institutions themselves alleged in an October lawsuit, they have not been given the power to deny access to third parties when security concerns arise. Much remains unclear as to the fate of standards-setting for the technical requirements of data-sharing. While it’s true that Financial Data Exchange has been recognized as a standard-setting body, any reshaping or striking down of the rules might impact standard-setting, too.
Rule 1033 also bars financial institutions from levying “fees or charges on a consumer or an authorized third party” for data access.
Banks, in turn, said in their October lawsuit that “having imposed these enormous out-of-pocket costs and exposed banks to a substantial and unreasonable risk of liability, the rule impermissibly bans banks from charging any fees designed to recoup those costs to the third-party FinTechs and aggregators who will profit from the new framework. Section 1033 does not authorize the bureau to adopt such a one-sided fee prohibition that effectively gives a windfall to commercial entities like FinTechs and data aggregators.”
Strides are being made in open banking even with the lack of clarity on regulatory changes.
For example, One Inc. Chief Product Officer Sarah Owen told PYMNTS last month that banks are modernizing their legacy and back-office systems, especially as insurers have gone through “a massive transformation. It started with moving from old mainframes to … modernized core system providers” to link to the One platform, which processes premiums paid by the consumer and disbursements from the enterprises, with shared data crossing the platform.
In a March interview, Scott Brackin, executive vice president of bank account and payment intelligence at ValidiFI, told PYMNTS: “Open banking enables real-time data-sharing through APIs, and what businesses are looking for in consumers is a level of security that they have not been able to have before. Consumers expect to be able to share that information, in a secure fashion … and at the end of the day, it makes the consumers’ purchase, and the decision ecosystem a lot cleaner for both parties involved in the transaction.”
For now, as the financial services industry awaits clarity, open banking’s evolution will be market-driven, but details on liabilities and the financial/fee structures that might incentivize all providers may do much to turbocharge that evolution.