“The open banking market is expanding rapidly due to rising digital payment adoption, API-driven banking services, and increasing fintech integration across global financial ecosystems. More than 67% of financial institutions implemented open API frameworks during 2025 to improve customer-centric banking services and digital transaction efficiency.”
Open banking is clearly here, even as regulators continue to hash out the details. In 2010, Section 1033 of the Dodd-Frank act required financial firms to allow consumer free access to personal financial data to share with other providers. The Consumer Finance Protection Bureau (CFPB) finalized the statutory basis for open banking in the US in 2024—the Personal Financial Data Rights rule implementing Section 1033. However, that rule is not in force. In 2025, the Bank Policy Institute, Kentucky Bankers Association, and Forcht Bank (E.D. Kentucky) initiated litigation against the rule. With the change in administration, the CFPB supported the litigation, telling the court that it now viewed the rule as unlawful.
Subsequently, the CFPB asked the court to stay the case and announced it would initiate new rulemaking to “substantially revise” the rule. That leaves organizations who already rely on open banking with a regulatory question mark. (As of this writing, it is reported that CFPB will undertake a formal notice-and-comment rulemaking process instead of the initially planned interim final rule.)
What the CFPB final rule did
The initial version of the open banking rule sought to level the playing field and enable smaller institutions to better compete, as well as give consumers access to new services. It had several key requirements:
- Data must be returned in machine-readable format, easily shareable with authorized third-party apps via secured APIs
- Standardized APIs must support strong customer authentication and a consent management flow
- Financial institutions could not charge consumers for access to their data
- The accuracy of data exposed to third-party entities must be the same as in the internal systems
- Consumer information must be protected with reliable data security measures
- Institutions must publish uptime and performance metrics
Even with the current administration prioritizing deregulation, it’s difficult to predict what a new final rule will look like. The Bank Policy Institute litigation objected to allowing third parties free access to systems that banks built and maintain. It also accused the CFPB of failing to hold third parties accountable.
Will the new rule require third parties to compensate banks for access to customer data? Will it place more stringent rules on third parties? There’s no way to know. That’s why banks and other financial institutions need to prepare for multiple outcomes. They need to be ready for updated open banking rules, knowing that everything they don’t do right now could become a compliance violation later.
What banks should do now
Consumer protection is a given in financial services. When the feds back away from it, states will often step in to fill the gap. Banks should not assume relaxed consumer protections in updated open banking rulemaking. Instead, they should focus on translating data-access requirements into data inventories, API controls, third-party oversight, consumer permissions, and auditable evidence while the CFPB continues reconsidering the rule.
- API management: Adopt open, industry-standard APIs. Banks need secure API gateways, developer portals, and sandboxed testing environments. They need to be reliable, scalable, and auditable. The market is converging on the Financial Data Exchange (FDX) API standard for regulated access, and away from screen scraping (the allowance of screen scraping was one of the points in the Bank Policy Institute’s litigation against the CFPB final rule).
- Consent management: Platforms should give customers granular, real-time control over who can access their data, for what purposes, and for how long, with clear, accessible options to revoke that consent. This is not a back-office function; it is a front-line customer experience.
- Data governance: Open banking expands data exposure and the need to accurately monitor data movement. Data inventories allow a comprehensive record of an organization’s data assets. Data inventories would allow banks to better audit the movement of customer data in areas from data ownership to data location, usage, and more.
- Partner ecosystem management: As the universe of authorized third parties grows, banks need structured frameworks to manage onboarding, agreements, monitoring, and, importantly, monetization. Data sharing is not just a compliance obligation; it can also be a revenue opportunity for institutions that approach it strategically.[1]
The market has spoken on the benefits of open banking. Now, it’s up to the regulators to hash out the details. The forecast for fintechs looks more volatile than that of banks; litigation against the initial version of the final rule centered on fintech’s free access to bank data and their regulatory responsibilities. The road to consumer/data protection in open banking has already been mapped. It’s in banks’ best interest to walk it.
[1] https://www.techmahindra.com/insights/views/open-banking-inflection-point-why-banks-must-act-now/


