Since the release of the Consumer Financial Protection Bureau’s (CFPB’s) Personal Financial Data Rights rule, commonly referred to as Rule 1033, the financial services industry has been closely monitoring the impacts on an open banking ecosystem that is already market-led. A major moment came on July 29 when the court granted the CFPB a stay, pausing the ongoing litigation with the Bank Policy Institute (BPI). CFPB indicated substantial revisions would be made to Rule 1033 to address concerns raised by stakeholders and an advance notice of proposed rulemaking (ANPR) would be issued within three weeks of the ruling.
What to Watch in the Rule Rewrite — and Why It’s Time to Rethink the Norm
Open banking and APIs for consumer-permissioned data sharing generally have bipartisan industry support. But some areas of the revised rule are worth watching closely for their potential impact on community financial institutions, including liability, secondary use of data and charging data access fees. While each of these is important, the latter two deserve a closer look, especially when community banks are on the receiving end of consumer-permissioned data sharing:
- Secondary use of data – If a community financial institution offers a personal financial management or wellness tool and uses consumer-permissioned data to help an accountholder refinance a high-interest loan from another financial institution, is that a violation? Under the current rule, it could be. If restrictions on secondary use remain too tight, these types of truly accountholder-centric innovations may be stifled.
- Charging third parties for API access – There’s a reasonable case to be made for charging fees for access — governance, security and infrastructure aren’t free for the financial institution to build and maintain. But what happens when a community bank wants to use third-party data itself as the data recipient? For instance, according to the Harris Poll Fintech Effect 2023 Report, 63% of consumers say their credit score doesn’t fully reflect their ability to repay and 60% would share banking data to provide the lender with a fuller picture of their financial reality. If access fees to bank data are high, smaller financial institutions may be priced out from using cash flow scores and attributes to improve risk modeling and underwriting, capabilities that larger banks can afford to subsidize.
Despite the litigation and the CFPB’s recommitment to a regulatory framework for consumer-permissioned data sharing, smaller financial institutions should keep the following front of mind when considering their open banking strategy:
- Deepen member trust – Screen scraping still accounts for 30%–50% of data sharing, according to insights shared at the 2025 FDX Summit. Community financial institutions must take steps to ensure greater transparency and control for their accountholders and their own organization in sharing data.
- Gain actionable insights – According to a 2023 Visa survey, 91% of consumers link their financial accounts to third-party services enabled by open banking. With open banking APIs, community financial institutions can better understand which products or services accountholders are using elsewhere — and act accordingly.
- Redefine your community financial institution’s role in the connected ecosystem – Think beyond what is needed as a “data provider.” Smaller financial institutions that build a strategy around the central concept of consumer-permissioned data sharing and APIs will go from provider to player.
The end goal isn’t just to move from screen scraping to APIs. It’s to be part of an infrastructure (the “plumbing”) and a framework (the “rules”) that support responsible and transparent permissioned data sharing, as well as building value through ecosystem participation.
Don’t Wait on Washington
While regulatory timelines may shift (note in the final rule that the earliest compliance date is June 30, 2026, for the largest providers), community financial institutions shouldn’t wait for rulemaking to finalize their approach. Instead, they should focus on crafting an open banking strategy and business model that balances:
- Security and risk – As customer data flows through third-party aggregators and further downstream, financial institutions must implement robust security and risk mitigation strategies to safeguard sensitive information across the entire data-sharing ecosystem.
- Fair, sustainable economics – This could take the form of charging for API access, reciprocal agreements between data providers or other models, depending on the specific context and value exchange.
- Future-proof design – Regulations can and will shift. Design your approach to be flexible across different political climates.
- Ecosystem relationships – This foundational pillar is often-overlooked. Building strong partnerships within the ecosystem creates shared value and future innovation opportunities.
Recent headlines, including JPMorgan’s announcement that it will begin charging for access to its open banking APIs, underscore a larger truth: open banking is moving forward with or without Rule 1033. The march toward open banking is not slowing down, regardless of whether Rule 1033 is rewritten, delayed or vacated.
Technology and innovation won’t wait for Washington to catch up. The demand for more personalized, responsive and transparent financial services is growing, and data is the fuel.
Consumer-permissioned data sharing is already beginning to dismantle traditional data silos. Stakeholders are pressing ahead, exploring how to leverage consumer-permissioned data to create better financial experiences. Smaller financial institutions need trusted partners to help them fully participate in this ecosystem without taking on unnecessary risk or complexity.
Consider forming strategic partnerships with organizations that understand your community financial institution’s mission and operating model – collaboration is key. These partnerships will help your financial institution participate in consumer-permissioned data sharing and APIs in ways that are aligned, effective — and accountholder-first.
This open banking moment isn’t just about what will be needed for compliance, it’s about capturing opportunity. Financial institutions can leverage consumer-permissioned data and APIs to give accountholders more time, money and peace of mind — ultimately, the things people really care about. If your smaller financial institution can deliver them more transparently and with greater trust, you won’t just keep pace in an open data era, you’ll begin to lead.