As open banking evolves, financial institutions can keep building for data resilience

Uncertainty surrounding Section 1033, the open banking rule, does not change market momentum. Rather, API-based data sharing remains essential for meeting consumer demand and enabling banks’ participation in the burgeoning embedded finance market.

Advocates for these changes will argue that regardless of the rule’s final form, the core principles of 1033 can still serve as a guide for banks’ data modernization strategies.

In fact, waiting for clarification from Washington could mean missed opportunities for financial services leaders.

How did we get to this point? In October 2024, the Consumer Financial Protection Bureau (CFPB) finalized its long-awaited Section 1033 rule, which advocates argued aimed to expand consumer rights to personal financial data and secure data-sharing standards. The rule arguably marked a milestone for open banking in the U.S., recognizing secure APIs as the foundation for consumer-permissioned data flows.

But within the year, the rule’s future was already in question. With a change in executive leadership, in May 2025, the CFPB asked a federal court to vacate the decision, arguing in a motion for summary judgment that the agency exceeded its statutory authority. Subsequently, in July, the CFPB reversed course, filing a motion to stay proceedings and announcing it would initiate a new rulemaking process “with a view to substantially revising it.”

With the CFPB signaling it plans to engage in an “accelerated” rulemaking process, the extent of any revisions — and the future of ongoing legal proceedings — remains to be seen.

Codifying a market already in motion

Well before the CFPB issued its final rule in 2024, banks and fintechs were transitioning toward standardized approaches to data sharing. Consider that the Financial Data Exchange (FDX) developed an industry-led API standard to simplify data sharing between financial institutions and fintechs — a standard that now supports roughly 114 million customer connections.

Such efforts were driven by consumer demand. As new fintech products for budgeting, lending, and payments proliferated, customers came to expect choice and control over how their financial data moves across platforms.

Banks, consequently, began embracing embedded finance to stay relevant and reach new and underserved markets. This strategic shift prompted many institutions to explore infrastructure upgrades and partnerships with tech providers to enable secure, scalable connectivity with fintech partners.

In this context, Section 1033 was less a regulatory disruption than a formal recognition of best practices adopted by banks, fintechs, and industry groups. Whatever the rule’s fate, auditable data sharing arguably remains essential to bank–fintech collaboration.

Three core data hygiene pillars that are here to stay

Even as Section 1033 undergoes revision, banks should continue to build resilient data practices. Portability, transparency, and governance are crucial for long-term growth and regulatory readiness:

First, invest in systems that support data access and portability

Section 1033 called on banks to give consumers greater control over their financial data. While parts of the rule may not withstand the new rulemaking process, prioritizing data portability equips your institution to innovate safely and stay aligned with market forces.

In particular, standardized API simplifies collaboration with fintech partners. Institutions that streamline integration with trusted third parties can launch new digital offerings tailored to customer needs. A partnership with a payroll provider, for example, could enable early wage access for small business clients you serve.

As embedded finance ecosystems grow, data portability is a prerequisite for participation. Whether your institution builds APIs in-house or partners with a specialized technology provider, secure data exchange that supports a frictionless customer experience should be the priority.

Second, maintain transparent infrastructure

Even without a regulatory mandate, banks must consider: If a customer requests access to their account data information, can we provide it and verify its accuracy?

The Synapse bankruptcy demonstrated the risks of depending on third-party infrastructure for core operational oversight. When Synapse shut down access to its bank-facing dashboards, some partner banks reported losing visibility into account balances and transactions, ultimately prompting them to freeze customer accounts.

To avoid operational blind spots, infrastructure that provides real-time, independent access to account-level details is foundational. This means investing in systems — or selecting technology partners — that ensure records can be reconciled and audited without sole reliance on third-party platforms.

As embedded finance relationships expand, assessing how customer data flows across your ecosystem positions your institution to protect customers and meet evolving compliance expectations.

Third, align cross-functional teams around data governance 

A key benefit of Section 1033 was its push for consistency. By standardizing definitions and protocols around consumer-authorized data access, the original rule encouraged fintechs and “data providers” like financial institutions to operate from a shared playbook.

Forward-looking institutions are already establishing robust internal protocols for customer data governance. As API and third-party integrations become core to service delivery, stakeholders from legal, compliance and engineering teams need a seat at the table. Sustained communication across departments helps ensure that customer data-sharing practices remain consistent — regardless of regulatory changes.

For example, the FDIC’s recent exemption permitting banks to rely on third-party service providers to collect sensitive information like TINs underscores the importance of standardized data protocols. Without interoperable frameworks, such dependencies can introduce significant operational risks and inefficiencies.

Regulatory cycles come and go, but the demand for customer control over financial data is likely to endure. The foundation your bank establishes now to enable secure data access will dictate how you innovate for years to come.

Regulation may shift, but data best practices remain 

Consumer demand and fintech innovation continue to push the market toward more secure, user-directed data flows. And banks, too, have a vested interest in advancing data portability to better serve their customers and extend the reach of their financial products.

Financial institutions that hope to lead in this environment should not interpret legal uncertainty as a reason to delay innovation. Instead, they should build for where banking is headed — toward embedded ecosystems that demand seamless data connectivity.

Sheetal Parikh is General Counsel and Chief Compliance Officer at Treasury Prime.