Banks should look to their core providers to ensure they have the API frameworks to be compliant with this week’s Consumer Financial Protection Bureau ruling on open banking. 

The Section 1033 ruling or open banking rule, published Oct. 23, states that “banks and credit card companies have to provide an API for data sharing in a commercially reasonable manner,” David Silberman, senior adviser at advisory Financial Health Network and former acting deputy director of the CFPB, told Bank Automation News.

Nearly all core providers, including Fiserv, FIS, Finastra and Jack Henry, have APIs, and a majority of the banks already use API connections, Moira Vahey, head of advocacy and public affairs at fintech Plaid, told BAN.  

“For some of [the core providers], it’s like almost as easy as flipping a switch” to get a bank ready for open banking regulations, she said. 

Plaid has nearly 2,500 U.S. banks on its platform, including Bank of America, Citi and JPMorgan, Vahey said, adding that nearly 80% of all data being shared on the platform is through APIs with the rest being done through screen scraping. 

While smaller FIs might look to their core providers or other vendors for API connectivity, big banks prefer to use their own APIs, Vahey said. 

Banks will need to work with their internal tech departments or third parties to ensure they have an appropriate developer interface to enable the transmission of the data, Dennis Irwin, chief compliance officer at fintech Alkami Technology, told BAN. A bank’s tech lift depends on its size and tech capabilities. 

Implementation costs, timeline 

The CFPB is aware that preparing for open banking will be a major undertaking for many smaller FIs, Ryan Blumberg, senior attorney at law firm Clark Hill whose practice focuses on financial services, told BAN. 

Open banking compliance deadlines differ based on FI size: 

• April 1, 2026, for banks with total assets of $250 billion or more; 

• April 1, 2027, for banks with total assets of $10 billion to $250 billion;  

• April 1, 2028, for banks with assets of $3 billion to $10 billion; 

• April 1, 2029, for banks with asset size $1.5 billion to $3 billion;

• April 1, 2030, for banks with assets of $850 million to $1.5 billion; and
• FIs under $850 million in assets done have to comply to the ruling.

While the CFPB has given FIs time to prepare for ruling, the agency left data concerns in a grey area, Blumberg said. While it didn’t ban screen scraping, it has promoted the use of APIs. 

The CFPB has been hesitant to ban screen scraping because many fintechs still do it, Vahey said. As the cost and time to onboard API drops, the industry will move away from the practice, she said. 

Many of “these third parties who are collecting the data are not accountable for the data security,” Blumberg said. Under the ruling, the bank must ensure safe data transfer, which will make many banks hesitant to share data. 

The Bank Policy Institute, a trade organization, filed a lawsuit against the CFPB on Oct. 23, asking it to create stricter rules on sharing data, Blumberg said. The lawsuit might affect implementation of the ruling, he said. 

Register here for early-bird pricing for Bank Automation Summit U.S. 2025, taking place March 3-4 in Nashville, Tenn. View the full event agenda here.