How Section 1033 Impacts Open Banking In The US

Open Banking in the US moves from market-led to regulatory
By Mounaim Cortet, William Hanley, Patrick de Haan, and Thorben Peter

As of February 9, 2025, the Trump administration has introduced significant uncertainty surrounding the future of the Consumer Financial Protection Bureau (CFPB). This was seen in the closure of CFPB offices and a suspension of funding, reflecting continued hostility toward the agency’s stability and role. Public disclosure, particularly from Elon Musk, has also raised questions about the necessity of the CFPB, contributing to a climate of uncertainty. The potential outcomes of these actions in the court system remain unclear, and the agency's future plans are yet to be determined. These developments may have implications for the implementation of Section 1033.

With the introduction of Section 1033 of the Consumer Financial Protection Act (also known as Dodd-Frank), the Open Banking market in the US stands at an inflection point. This regulatory framework has the potential to transform and reshape the US Open Banking landscape, which has traditionally been market driven.

But before they act, it is crucial for banks and authorized third-party providers (TPPs) to understand the nature of the US Open Banking market, what Section 1033 entails, and how it compares to initiatives in other jurisdictions such as Europe.

An overview of Open Banking in the US

Unlike in many other parts of the world, where regulations have shaped the evolution of Open Banking — such as PSD2 and FiDA in the EU, CDR in Australia, Open Banking Framework in Saudi Arabia, and CMN-BCB No1/2020 in Brazil — the US has traditionally taken a market-driven approach. This model gives banks the flexibility to shape their level of engagement as well as define individual Open Banking initiatives and strategies based on market dynamics and practices, rather than adhering to government-mandated functionalities and standards.

Some of the larger US financial institutions have recognized the opportunities of Open Banking and started creating Open Banking portfolios that are competitive with global leaders. However, many smaller banks have so far refrained from making investments. Without the regulatory push present in other countries, these banks have shied away from attempting to build up a comprehensive API portfolio, technological infrastructure, business model, and operating model.

While a regulatory-driven approach can help drive innovation, especially in a traditionally mature and slow-moving industry such as banking, this does not mean that such an approach is necessarily superior. In fact, a regulatory push can also create “solutions without problems” situations.

The recently finalized Section 1033 of the Consumer Financial Protection Act will put the effectiveness of the regulatory-driven approach to the test. Announced on October 22, 2024, by the CFPB, Section 1033 will bring regulatory standards and requirements around provisioning of financial data to the US market for the first time. The aim of the rule — which was first proposed by the CFPB in October 2023 — is to accelerate Open Banking innovation and establish stronger data rights for American consumers.

Section 1033 drives the next phase of US open banking

With the introduction of Section 1033, the Open Banking market in the US stands at an inflection point. Thousands of US banks will have to create API connectivity to provide access to the underlying customer data, enabling authorized third-party providers (TPPs) to build new and innovative financial products and services. This regulatory framework could potentially prove transformative and reshape the US Open Banking landscape. But before acting, it is crucial for banks and TPPs to understand both the nature of the US Open Banking market and exactly what Section 1033 entails.

Understanding Section 1033 and its core requirements

So, what spurred the CFPB into implementing rules in this space for the first time? Besides the relatively slow adoption of Open Banking in the US, it was ultimately the desire to provide consumers with standardized access, along with safer and more transparent control over their financial data. The CFPB’s rules aim to level the playing field and allow fintechs to better compete with large, established financial institutions. When fully implemented, Section 1033 will require all banks with more than $850 million of assets under management to provide API access to various types of data from several account types, including checking and savings accounts, credit and prepaid cards, and digital wallets.

Implementation will be conducted over the course of the next five years, with larger banks required to act first. By the end of 2030, according to the implementation plan laid out by Section 1033, all affected institutions will have to provide API-based access to the following data and services:

  • Transaction history (must include at least 24 months of data)
  • Account balances
  • Basic account information (account holder name(s), address, contact information, and more)
  • Billing information (scheduled and upcoming payments)
  • Account verification
  • Terms and conditions (fees, APRs, overdraft agreements, and more)
  • Customer consent management (ability to view and revoke consents)

This connectivity can be created by building APIs in-house, or by utilizing off-the-shelf compliance-as-a-service solutions, similar to those arising during the revised Payment Services Directive (PSD2) implementation. 

What the US can learn from Europe on open banking

The rationale now being pursued by the CFPB is the same as that of PSD2, which created the first iteration of an Open Banking framework in Europe in 2018. In comparison to PSD2 and other seminal pieces of Open Banking regulation, however, Section 1033 has a different scope. It focuses exclusively on “read-only” access to data on financial accounts, which makes its scope similar to the proposed Financial Data Access (FiDA) regulation.

In contrast, PSD2 (which is being updated with PSD3 and the Payment Services Regulation, PSR) also covers “write” access via payment initiation services, enabling new options for customers in ecommerce payments, bill payments, and business-to-business (B2B) payments. Payment use cases in the US are currently largely limited to individual banks pursuing API-based business models by offering premium treasury management solutions (such as submitting payments to vendors and suppliers).

In addition, PSD2 and PSR use more stringent rules on the use of Strong Customer Authentication (SCA), which mandates the use of two or more authentication factors across banking operations to reduce fraud. FiDA brings along the requirement for mandatory schemes — which are to be developed by market actors within strict deadlines — to set all relevant rules and mechanisms to ensure secure financial data access.

Section 1033 does not detail the exact requirements on how to share data. While approaches like screen scraping are not forbidden under the new rules, the CFPB is fostering a standardized way to share data by stimulating banks to follow data standards issued through certified standard setting bodies. At the time of writing, the only entity that has been approved by the CFPB as a standard setting body is Financial Data Exchange (FDX), but it is expected that more will emerge as the implementation of Section 1033 nears.

Section 1033 also differs from PSD2 due to its staggered implementation deadlines. Depository institutions will have different compliance deadlines based on their size (measured in total assets), having been categorized into five separate tiers. The largest banks are required to offer the full range of functionalities by as early as April 2026, while the smallest banks will have until April 2030 to do so.

Exhibit 1: Section 1033 implementation timelines for US banks

This contrasts with the regulatory deadline for PSD2, which didn’t differentiate between size of financial institutions. With this in mind, Section 1033 grants smaller banks more time to build up their technical capabilities and learn from the implementation processes of larger banks.

Many of the largest banks in the United States, such as Bank of America, Citibank, and US Bank, have already established developer portals and API functionalities that seem to surpass those required by Section 1033. However, most of the other 4,000-plus banks in the country have yet to offer any form of API connectivity to their banking operations. This exposes them to a significant capability gap and consequential time pressure.

Given the historical difficulties that banks have faced in their efforts to comply with PSD2, it is likely that more compliance-as-a-service providers will begin to emerge in the US to offer banks off-the-shelf solutions for becoming Section 1033 compliant.

Navigating Section 1033 compliance with the right approach

Ultimately, the cost of complying with Section 1033 will largely depend on how banks decide to approach their compliance efforts. They will essentially be able to choose between three main strategic options: Building the required technical capabilities in-house; outsourcing the job to external firms by implementing their solutions; or acquiring an external firm to obtain the capabilities to build the connectivity in-house.

Out of these three options, outsourcing is likely to be the fastest and most cost effective. However, this option would also mean banks having to sacrifice control and flexibility. Meanwhile, building the connectivity in-house is an option likely reserved only for firms with sufficient financial resources, capacity, and know-how. Acquiring an external firm to gain access to the necessary technological capabilities usually requires the largest investment. This option is often utilized to speed up time to market and obtain proven capabilities.

It is important to note that all these costs cannot be offset by monetizing the obligated API products, as Section 1033 prohibits banks from charging usage fees. Therefore, banks will have to find alternative ways to capture value from their newly created connectivity, such as offering complementary value-added services and nascent API functionalities beyond the functionality included in Section 1033.

Banks can pursue their own strategies around premium APIs and can also collaborate with other market players to introduce premium API services. In Europe, for example, banks and third parties collaborate on premium API services in the context of the SEPA Payment Account Access (SPAA) scheme managed by the European Payments Council.

What’s next for US open banking after Section 1033

With a cutoff point of $850 million in managed assets, Section 1033 will affect all but the smallest regional banks in the United States. As many of these institutions have yet to embark on their Open Banking journey, this will represent a huge leap forward in the broader realm of Open Banking in the US. Most financial accounts will soon be accessible through third-party applications leveraging API connectivity, giving consumers the ability to have more control over their data and utilize services that better fit their financial needs and preferences (for example, creditworthiness and personal financial management solutions).

However, it remains to be seen how far the industry will go to create solutions that go beyond Section 1033 compliance. Given the relatively mixed results of PSD2 in driving innovation and competition, this is what will decide the future of Open Banking in the United States. More and more players across the globe are attempting to capture the opportunities created by Open Banking beyond compliance. 

This article reflects information available at the time of writing. Developments will continue to shape the future of Open Banking in the US.