Open Banking Is Finally Moving in the US. Here’s What Changes Next

The US has been behind on open banking for years. Europe’s PSD2 framework mandated data portability for bank customers in 2018. The UK built a dedicated Open Banking Implementation Entity to standardize API access. The US, characteristically, left it to market forces, which meant a messy ecosystem of screen-scraping, bilateral data sharing agreements, and aggregators operating in a regulatory gray zone. That era is ending.

The CFPB’s Section 1033 rulemaking, finalized in late 2024, created the first enforceable right for US consumers and small businesses to access and share their financial data. It’s not PSD2 — it doesn’t mandate specific API standards or create a central implementation body. But it establishes the legal foundation that was missing, and the market is moving quickly to build on top of it.

What the Rule Actually Does

Section 1033 gives consumers a legal right to access their financial data from covered institutions, and to authorize third parties to access that data on their behalf. It prohibits data holders from charging third-party providers fees for access. It sets standards for data security and authorizations. And it creates a compliance deadline structure that phases in by institution size, with the largest banks first.

What it doesn’t do is mandate a specific technical standard. That’s left to market-driven standards bodies like the Financial Data Exchange (FDX), which has been building API standards for years in anticipation of this moment. The practical effect is that institutions can meet their 1033 obligations by implementing FDX-compliant APIs, which most of the largest banks are now doing or planning.

Why This Is Different From What Came Before

The screen-scraping era worked, sort of. Aggregators could access bank data by logging in as the user and scraping account pages. It was fragile, created real security risks (users were sharing passwords with third parties), and banks could technically block it. Several did, intermittently, when it served their competitive interests.

The 1033 framework makes data access a right, not a courtesy. Banks cannot block authorized access, cannot use anti-competitive practices to throttle aggregators, and must maintain data quality standards. For the financial apps and infrastructure companies that have been negotiating bilateral data access agreements for years, this is a structural shift in their leverage.

We’ve had portfolio companies spend six to twelve months negotiating data access agreements with individual banks, only to have the agreement terminated or throttled. The 1033 framework changes that dynamic fundamentally. Data access becomes a right, not a relationship to maintain.

What Builds on Top

The interesting investment question is not the aggregation layer itself — that market has incumbents — but what becomes possible when reliable, standardized financial data access is a given rather than a variable.

Credit underwriting improves. Permissioned bank account data is the most accurate picture of a borrower’s true cash flow. When lenders can access this data at origination, and when the data quality is reliable because it comes through a standardized API rather than scraped HTML, underwriting models can be substantially more accurate. We expect meaningful improvement in approval rates for creditworthy thin-file borrowers, and meaningful improvement in loss detection for marginal applications.

Personal financial management gets better data. The consumer PFM apps have always been constrained by data quality problems from screen-scraping. Standardized API access means better transaction categorization, more complete account coverage, and real-time data rather than batch updates. The apps that can execute on this data advantage will have a material product improvement to offer.

Business cash flow management becomes automated. For small businesses, the combination of reliable bank data access and the invoicing/AP data in their accounting software creates the foundation for genuinely automated cash flow management. Sweep excess cash into yield. Predict upcoming payables shortfalls. Optimize timing of vendor payments. None of this required new technology. It required reliable data access that is now achievable.

The Compliance Complexity

The 1033 framework also creates new compliance obligations. Third-party apps accessing consumer data need to meet authorization, security, and data minimization standards. There will be a certification and audit market that develops around these requirements. The companies that build their data access infrastructure to be 1033-compliant from the ground up are better positioned than those that retrofitted screen-scraping architectures.

The US open banking market is roughly five years behind the UK. The UK experience suggests the first-order impact is in lending and personal finance. The second-order impact — which takes longer but is larger — is in account switching and competition between financial institutions. When consumers can move their financial history with them when they switch banks, incumbents lose a key retention mechanism. That dynamic hasn’t played out in the US yet, but it will.

Building on open banking infrastructure? We’re watching this market closely.