What Does Section 1033 Mean for Open Banking in the US?

Posted in Open Banking, Platforms
Chris Wood
January 14, 2025

Time flies in the open banking world, and that certainly rings true on the Nordic APIs blog. We first wrote about PSD2 in 2016, and we've hosted countless open banking sessions at our Platform Summits and webinars. However, it's not all about Europe, and open banking has recently become a hot topic in the USA. Market commentators are talking about Section 1033, a revised regulation from the Dodd-Frank Act, and how it might affect the state of the open banking ecosystem in the US. Our last comments on the US were in 2019, so it is high time to revisit the state of open banking in the USA.

The Current State of Open Banking in the USA

The first thing to make clear is that, even without regulatory changes, open banking is a "big thing" in the US financial services market. According to Visa, 87% of account-holding customers use open banking solutions to connect their account to third-party solutions, enabling use cases like personal financial management, account onboarding, and payment initiation. Third parties use whatever means necessary to connect to accounts, including screen scraping, financial services vendor APIs, account aggregators like Plaid, or standardized APIs from organizations like the Financial Data Exchange (FDX).

For most global open banking markets, standardization is a key feature of the marketplace, together with clear guidance or regulations on participation. Standardized APIs and API security offer simplicity and ease of use for API consumers, and templated APIs for providers, with the goals of facilitating interoperability and efficiency in implementation. FDX is almost certainly the most prevalent standardized API in the US, with 76 million accounts connected using FDX APIs. FDX provides API descriptions for account information and a security profile based on FAPI 1.0 Advanced.
Standardization is perhaps the biggest theme in Section 1033. The US open banking market is undeniably healthy. Still, it is not standardized to the point that a given customer or third party can expect open banking APIs from any bank. Participation varies based on bank size, with most large banks having APIs, but only 21% of community banks providing APIs. Participation and standardization are what the version of Section 1033 known as the "Final Rule" serves to provide.

Open Banking Under Section 1033

Section 1033 is part of the Dodd-Frank Act, a regulation from the Consumer Financial Protection Bureau (CFPB) that has existed since 2010. Section 1033 aims to strengthen the rights of consumers to access their account data from platforms they choose to use. In some ways Section 1033 is like a more specific version of PSD2, in that it sets the framework for open banking, but with more specific provisions on participants and who should be providing APIs.

The significant change to Section 1033 on October 22, 2024, is the finalization of the rules, including:

The qualification for financial services organizations (Data Providers) to provide consumer data to third parties (Data Aggregators), with Data Provider participation deadlines included in the Rule and qualified by business size.

At a high level, how the data must be provided, including the requirement for "developer interfaces" (or for this audience, APIs).

The establishment of the fact that APIs must be provided at zero cost to the consumer.

The requirements for market participants on safeguarding data, including how the participant APIs are certified.

The point on certification is important. Data providers are required to use a "certified" standard to provide their APIs, which means a standards body accepted by the market. The original ruling stopped short of defining who acceptable standards bodies are, relying on the market to drive standardization.
The certification requirement also moves towards outlawing screen scraping, as this method of data collection is neither certified by a standards body nor a dedicated developer interface.

The Role of Standards under Section 1033

Section 1033 is, therefore, big news for standards bodies, as the ruling brings API standards, both functional and security-related, into US regulatory scope for the first time. To implement their APIs and provide them to the market, Data Providers can rely on API standards from the aforementioned FDX, who have shaped their design to preempt the finalized requirements of Section 1033, and on API security standards from the OpenID Foundation in the shape of the FAPI Security Profile.

The case for using FDX is significantly boosted by their certification by CFPB as an API standards provider, making them the first standards body to be certified. Data Providers could, of course, pull in Berlin Group or UK Open Banking standards if they were also certified by CFPB, but FDX has been specifically designed for the general requirements of the US market and is therefore likely to be most suited to the information Data Providers are obliged to provide. FDX members represent some of the largest financial services organizations in the US, and this has a significant influence on the shape of API standards and addressing market needs.

However, open banking ecosystems are not simply built on API standards. Other aspects of the market require addressing, namely:

A directory of participants: The majority of evolved open banking markets implement some sort of directory that allows organizations to be listed, together with the metadata that allows a Data Aggregator to connect to a Data Provider by the most efficient means possible.

Recognized trust anchors: Most open banking ecosystems implement a public key infrastructure with a certificate authority that supports the ecosystem.
There currently appear to be no specific provisions for such a trust anchor in the US open banking market under Section 1033.

Certification of conformance to standards by Data Providers: Data Providers are required to use certified standards, but there appears to be limited provision for certifying the Data Providers' implementation. While this is not a consistent feature of open banking markets, it is an indicator of maturity in the market.

The future development of such features remains to be seen, especially from the point of view of the role of CFPB and how the standards bodies might provide some of the features described above in the market-wide view of registered participants. As with much in the US market, the development of a directory of participants or a recognized trust anchor might be market-led, which may have benefits if these features reflect real market needs rather than the sometimes hypothetical "best fit" prescribed by a regulatory body.

The Future of Open Banking in the USA

Section 1033 lays the groundwork for a standardized participation framework for the US market, together with standards-based APIs that facilitate open banking use cases across the US market. The market is already buoyant, but Section 1033 increases market reach, addressing participants who have yet to become Data Providers or have not fulfilled the data requirements in their existing APIs. While Section 1033 is not a silver bullet in allowing third parties to consistently consume APIs through a common security standard and registration mechanism, it does provide the impetus to move toward more common API models.

There are, however, two wrinkles to iron out before Section 1033 can help shape the US open banking market. Firstly, Section 1033 is subject to a legal challenge by The Bank Policy Institute and Kentucky Bankers Association.
The lawsuit states that CFPB oversteps its authority by mandating that customer account data must be shared with third parties, with limited oversight of the third parties themselves. Data sharing in this manner is fundamental to open banking, and if the legal challenge succeeds, it will fundamentally thwart the efforts of establishing a mandate for banks to provide APIs. Champions of organic growth and market-driven APIs will state that this does not matter, as commercial opportunities will drive the creation of APIs. Still, if PSD2 and other open banking regulations prove nothing else, it is that the market needs some form of regulatory driver to succeed.

The second wrinkle, perhaps less clear in terms of impact, is how the incoming US administration will view regulations related to APIs and open banking. An agenda of increasing government efficiency with a reduction in regulations, which could affect the implementation of Section 1033, is not beyond comprehension.

Whatever happens, it is clear that Section 1033 will, notwithstanding current challenges, bring about increased standardization in the US open banking market. Whether this makes life easier for ecosystem participants remains to be seen. We'll keep an eye on what happens next with Section 1033, and update this article with any changes.