Mounaim Cortet | INNOPAY
William Hanley | INNOPAY
Patrick de Haan | INNOPAY
Thorben Peter | INNOPAY

Open Banking in the US: from a market-led to a regulatory approach via Section 1033

As of 9 February 2025, the Trump administration has introduced significant uncertainty surrounding the future of the Consumer Financial Protection Bureau (CFPB). This uncertainty is marked by the closure of CFPB offices and a suspension of funding, reflecting a continued hostility towards the bureau that was evident during the first Trump administration. Additionally, public comments from DOGE director Elon Musk questioning the necessity of the CFPB further contribute to this climate of uncertainty. The potential outcomes of these actions in the court system remain unclear, and the agency's future plans are yet to be determined. These developments may have implications for the implementation of Section 1033. The following article is written according to the information previously available, but INNOPAY will be closely monitoring these events as they unfold, with a focus on their impact on Open Banking in the United States moving forward.   

With the introduction of Section 1033 of the Consumer Financial Protection Act (i.e. Dodd-Frank), the Open Banking market in the US stands at an inflection point. This regulatory framework has the potential to transform and reshape the US Open Banking landscape, which has traditionally been market-driven. But before acting, it is crucial for banks and authorised third-party providers (TPPs) to understand the nature of the US Open Banking market, what Section 1033 entails and how it compares to initiatives in other jurisdictions such as Europe. This article is the first in a series assessing the implications of Section 1033 for the US Open Banking market.

An overview of Open Banking in the US

Unlike in many other parts of the world, where regulations have shaped the evolution of Open Banking (e.g. PSD2, FIDA in the EU, CDR in Australia, Open Banking Framework in Saudi Arabia, and CMN-BCB No1/2020 in Brazil), the approach to Open Banking in the United States has traditionally been market-driven. This approach entails giving banks the latitude to determine their overall engagement as well as individual Open Banking initiatives and strategies based on market dynamics and practices, rather than governments dictating required functionalities and standards. 

Some of the larger US financial institutions have recognised the opportunities of Open Banking and started creating Open Banking portfolios that are competitive with global leaders. However, many smaller banks have so far refrained from making investments in the space. Without the regulatory push present in other countries, these banks have shied away from attempting to build up a comprehensive API portfolio, technological infrastructure, business model and operating model. While a regulatory-driven approach can help drive innovation, especially in a traditionally mature and slow-moving industry such as banking, this does not mean that such an approach is necessarily superior. In fact, a regulatory push can also create ‘solutions without problems’ situations.

The recently finalised Section 1033 of the Consumer Financial Protection Act (i.e. Dodd-Frank) will put the effectiveness of the regulatory-driven approach to the test. Announced on 22 October 2024 by the Consumer Financial Protection Bureau (CFPB), Section 1033 will bring regulatory standards and requirements around provisioning of financial data to the US market for the first time. The aim of the rule – which was first proposed by the CFPB in October 2023 – is to accelerate Open Banking innovation and establish stronger data rights for American consumers.

Section 1033: A turning point for Open Banking in the US  

With the introduction of Section 1033, the Open Banking market in the US stands at an inflection point. Thousands of US banks will have to create API connectivity to provide access to the underlying customer data, enabling authorised third-party providers (TPPs) to build new and innovative financial products and services. This regulatory framework could potentially prove transformative and reshape the US Open Banking landscape. But before acting, it is crucial for banks and TPPs to understand both the nature of the US Open Banking market and exactly what Section 1033 entails.

Intention of Section 1033 

So what helped to spur the CFPB towards implementing rules in the space for the first time? Besides the relatively slow adoption of Open Banking in the US, it was ultimately the desire to provide consumers with standardised access as well as safer and more transparent control over their financial data. The CFPB’s rules aim to level the playing field and allow FinTechs to better compete with large, established financial institutions. When fully implemented, Section 1033 will require all banks with more than $850M of assets under management to provide API access to various types of data from several account types, including checking and savings accounts, credit and prepaid cards, and digital wallets. 

Implementation will be conducted over the course of the next five years, with larger banks needing to act first. By the end of 2030, according to the implementation plan laid out by Section 1033, all affected institutions will have to provide API-based access to the following data and services:

  • Transaction history (must include at least 24 months of data)
  • Account balances
  • Basic account information (account holder name(s), address, contact information, etc.)
  • Billing information (scheduled and upcoming payments)
  • Account verification
  • Terms and conditions (fees, APRs, overdraft agreements, etc.)
  • Customer consent management (ability to view and revoke consents) 

 

This connectivity can ultimately be created by building APIs in-house, or by utilising off-the-shelf Compliance-as-a-Service solutions, similar to those that arose during the revised Payment Services Directive (PSD2) implementation.  

Comparison to European regulations on financial data access

The rationale now being pursued by the CFPB is the same as that of PSD2, which created the first iteration of an Open Banking framework in Europe in 2018. In comparison to PSD2 and other seminal pieces of Open Banking regulation, however, Section 1033 has a different scope as shown in Figure 1.

Figure 1: Comparison of Section 1033 and various EU regulations.

Section 1033 focuses exclusively on ‘read-only’ access to data on financial accounts, which makes its scope more similar to the proposed Financial Data Access (FiDA) regulation. In contrast, PSD2 (which is being updated with PSD3 and the Payment Services Regulation, PSR) also covers ‘write’ access via payment initiation services, enabling new options for customers in ecommerce payments, bill payments and business-to-business (B2B) payments. Payment use cases in the US are currently largely limited to individual banks pursuing API-based business models by offering premium treasury management solutions (i.e. submit payments to vendors and suppliers).

In addition, PSD2 and PSR use more stringent rules on the use of Strong Customer Authentication (SCA), which mandates the use of two or more authentication factors across banking operations to reduce fraud. FiDA brings along the requirement for mandatory schemes – which are to be developed by market actors within strict deadlines – to set all relevant rules and mechanisms to ensure secure financial data access.

Meanwhile, Section 1033 does not detail the exact requirements on how to share data. While approaches like screen scraping are not forbidden under the new rules, the CFPB is fostering a standardised way to share data by stimulating banks to follow data standards issued through certified standard setting bodies. At the time of writing, the only entity that has been approved by the CFPB as a standard setting body is Financial Data Exchange (FDX), but it is expected that more will emerge as the implementation of Section 1033 nears. 

Section 1033 also differs from PSD2 due to its staggered implementation deadlines. Depository institutions will have different compliance deadlines based on their size (measured in total assets), having been categorised into five separate tiers (see Figure 2). The largest banks are required to offer the full range of functionalities by as early as April 2026, while the smallest banks will have until April 2030 to do so. 

Figure 2: Section 1033 implementation timelines for US banks. (Source: Consumer Financial Protection Bureau)

This contrasts with the regulatory deadline for PSD2, which did not differentiate between financial institutions by size. In this regard, Section 1033 grants smaller banks more time to build up their technical capabilities and learn from the implementation processes of larger banks. Many of the largest banks in the United States, such as Bank of America, Citibank and US Bank, have already established developer portals and API functionalities that seem to surpass those required by Section 1033. However, most of the other 4,000+ banks in the United States have yet to offer any form of API connectivity to their banking operations. This exposes them to a significant capability gap and consequential time pressure. Given the historical difficulties that banks have faced in their efforts to comply with PSD2, it is likely that more ‘Compliance-as-a-Service’ providers will begin to emerge in the US to offer banks off-the-shelf solutions for becoming Section 1033 compliant.

Implementation approaches for banks to become compliant

Ultimately, the cost of complying with Section 1033 will largely depend on how banks decide to approach their compliance efforts. They will essentially be able to choose between three main strategic options:

  1. Building the required technical capabilities in-house
  2. Outsourcing this to external firms by implementing their solutions
  3. Acquiring an external firm to obtain the capabilities to build the connectivity in-house

 

Of these three options, outsourcing is likely to be the fastest and most cost-effective. This option would, however, also mean banks having to sacrifice control and flexibility. Meanwhile, building the connectivity in-house is an option likely reserved only for firms with sufficient financial resources, capacity and know-how. Acquiring an external firm to gain access to the necessary technological capabilities usually requires the largest investment. This option is often utilised to speed up time to market and obtain proven capabilities.

It is important to note that these costs cannot be offset by monetising the obligated API products, as Section 1033 prohibits banks from charging usage fees. Therefore, banks will have to find alternative ways to capture value from their newly created connectivity, such as offering complementary value-added services and nascent API functionalities beyond the functionality included in Section 1033. Banks can pursue their own strategies around premium APIs and can also collaborate with other market players to introduce premium API services. In Europe, for example, banks and third parties collaborate on premium API services in the context of the SEPA Payment Account Access (SPAA) scheme managed by the European Payments Council.

Outlook on implementation 

With a cutoff point of $850M in managed assets, Section 1033 will affect all but the smallest regional banks in the United States. As many of these institutions have yet to embark on their Open Banking journey, this will represent a huge leap forward in the broader realm of Open Banking in the US. Most financial accounts will soon be accessible through third-party applications leveraging API connectivity, giving consumers the ability to have more control over their data and utilise services that better fit their financial needs and preferences (e.g. creditworthiness and personal financial management solutions). 

However, it remains to be seen how far the industry will go to create solutions that go beyond Section 1033 compliance. Given the relatively mixed results of PSD2 in driving innovation and competition, this is what will decide the future of Open Banking in the United States. More and more players across the globe are attempting to capture the opportunities created by Open Banking beyond compliance. INNOPAY’s Open Banking Monitor highlights banks’ efforts to expand their API product offering and improve the developer experience.

Reach out to learn more about how INNOPAY can support you in designing, launching and scaling your Open Banking API platform and strategy. In the meantime, stay tuned for more insights on the Open Banking market in the United States. Further articles in this series* will document the current functionalities and developer experiences of leading US banks. Keep a lookout for these articles on our social media channels and be sure to subscribe to our newsletter to ensure you don’t miss any new publications! 

 

*While this series is focused on the effects and status of depository institutions, Section 1033 will also affect non-depository institutions, payments firms and mobile wallets.

 
