Open banking has firmly arrived in the US, yet the regulatory framework underpinning it remains anything but settled, leaving banks facing a strategic dilemma: prepare now or risk compliance failures later.
According to AscentAI, the legal foundations stretch back to 2010, when Section 1033 of the Dodd-Frank Act obliged financial firms to give consumers free access to their personal financial data so it could be shared with other providers.
AscentAI recently discussed how despite regulatory uncertainty, banks’ path to compliant open banking is clear.
It took until 2024 for the Consumer Financial Protection Bureau (CFPB) to finalise the Personal Financial Data Rights rule implementing that provision. The rule, however, never came into force.
In 2025, the Bank Policy Institute, the Kentucky Bankers Association and Forcht Bank launched litigation against the rule in the Eastern District of Kentucky. Following the change in administration, the CFPB switched sides, informing the court that it now considered its own rule unlawful.
The regulator then asked for the case to be stayed and confirmed it would begin fresh rulemaking to substantially revise the framework, reportedly via a formal notice-and-comment process rather than an interim final rule.
The original rule aimed to level the playing field for smaller institutions and unlock new consumer services.
It required data to be returned in machine-readable format via secure, standardised APIs supporting strong customer authentication and consent management. Institutions were barred from charging consumers for data access, obliged to match the accuracy of internal systems, and required to publish uptime and performance metrics.
What replaces it is anyone’s guess. The litigation objected to third parties enjoying free access to infrastructure banks built and maintain, and accused the CFPB of failing to hold FinTechs accountable. Whether a new rule will force third parties to compensate banks, or impose tougher obligations on them, remains unknown.
That uncertainty is precisely why institutions should act. When federal regulators retreat from consumer protection, states frequently step in, so banks would be unwise to bank on lighter-touch rules.
Practical priorities include adopting open, industry-standard APIs, with the market converging on the Financial Data Exchange (FDX) standard and moving away from screen scraping; building consent platforms that give customers granular, real-time control over data access with easy revocation; establishing data inventories to audit the movement of customer information; and creating structured frameworks for onboarding, monitoring and monetising third-party partnerships.
The forecast looks choppier for FinTechs than for banks, given the litigation centred on their free access to bank data. But the direction of travel is clear, and institutions that walk the consumer protection road now will be best placed whatever the final rule says.
Copyright © 2026 FinTech Global









