Banks face compliance risk as open banking stalls

risk

Open banking has firmly arrived in the US, yet the regulatory framework underpinning it remains anything but settled. The concept traces back to 2010, when Section 1033 of the Dodd-Frank Act obliged financial firms to give consumers free access to their personal financial data so they could share it with other providers.

According to AscentAI, it took until 2024 for the Consumer Finance Protection Bureau (CFPB) to finalise the statutory foundations for open banking through the Personal Financial Data Rights rule, which implements Section 1033.

AscentAI recently discussed how despite regulatory uncertainty, banks’ path to compliant open banking is clear.

That rule, however, is not currently in force. In 2025, the Bank Policy Institute, the Kentucky Bankers Association and Forcht Bank launched litigation in the Eastern District of Kentucky challenging the regulation. Following the change of administration, the CFPB reversed course and backed the litigation, informing the court that it now regarded its own rule as unlawful.

The regulator then asked the court to pause the case and announced plans to launch fresh rulemaking to substantially revise the framework. Reports suggest the CFPB will pursue a formal notice-and-comment process rather than the interim final rule it initially planned, leaving firms that already depend on open banking facing a regulatory question mark.

The original rule was designed to level the playing field, helping smaller institutions compete while unlocking new services for consumers.

Its core requirements included returning data in a machine-readable format shareable with authorised third-party apps via secured APIs, standardised APIs supporting strong customer authentication and consent management, a ban on charging consumers for data access, parity between externally exposed data and internal records, robust data security, and published uptime and performance metrics.

Predicting the shape of a revised rule is difficult, even with the current administration favouring deregulation. The Bank Policy Institute’s legal challenge objected to third parties gaining free access to systems that banks build and maintain, and accused the CFPB of failing to hold those third parties accountable.

Whether a new rule will require FinTechs to compensate banks for data access, or impose tougher obligations on them, remains unknown.

That uncertainty is precisely why banks should act now. When federal regulators step back from consumer protection, states frequently step in, so institutions should not bank on looser requirements.

Instead, they should translate data-access obligations into concrete capabilities: adopting open, industry-standard APIs such as the Financial Data Exchange (FDX) standard, backed by secure gateways, developer portals and sandboxed testing; building consent management platforms that give customers granular, real-time control over data access with clear revocation options; strengthening data governance through comprehensive data inventories that track ownership, location and usage; and establishing structured frameworks for onboarding, monitoring and even monetising third-party partnerships.

The market has already endorsed open banking’s benefits. The outlook appears more volatile for FinTechs than banks, given litigation has centred on their free access to bank data and regulatory responsibilities. The road to consumer and data protection has been mapped, and it is in banks’ best interest to walk it.

Read AscentAI’s post here. 

Read the daily RegTech news

Copyright © 2026 RegTech Analyst

Enjoyed the story? 

Subscribe to our weekly RegTech newsletter and get the latest industry news & research

Copyright © 2018 RegTech Analyst

Investors

The following investor(s) were tagged in this article.