
What Open Banking Means for Banks

Making Sense of the CFPB's Data-Sharing Proposal


The CFPB put out a proposal last fall for what's being called open banking, and it has been on my mind since. The idea is that clients should be able to share their financial data with third parties through secure APIs, and that banks should be required to make that possible. I read most regulatory proposals trying to picture what I'll eventually have to build. This one I read as someone who has spent years building data plumbing, and from that angle it's the most interesting thing to cross my desk in a while.

The Problem with Screen Scraping

Today, when someone connects their bank account to a fintech app, the data usually moves through screen scraping. An aggregator like Plaid or Yodlee logs in as the client, navigates the online banking portal, and pulls the data out. It works, and it has quietly powered a huge amount of fintech. But every time I think about it I get a little uncomfortable. The client hands their banking credentials to a third party. The bank has no real control over what gets accessed, how often, or for how long. And because the whole thing depends on mimicking a human in a browser, it breaks the moment anyone changes the website. If I proposed building something that fragile and that permissive inside a company, I'd expect to get talked out of it.

Replacing Scraping with APIs

The proposal points at the obvious better answer, which is structured API access. Instead of logging in as the client, a third party requests specific data through a defined interface, and the client authorizes exactly what gets shared and can revoke it later. The Financial Data Exchange has been building a standard for this that much of the industry is converging on. None of that is novel technology. It's how data should have been moving between systems all along.
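To make the contrast with shared credentials concrete, here is an added sketch (not from the CFPB proposal, the FDX standard, or any bank's code) of a consent grant that lets the data holder enforce what is accessed, how often, for how long, and whether it has been revoked. The `ConsentGrant` model, the scope names, and the reason strings are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class ConsentGrant:
    """One client's authorization for one third party (hypothetical model)."""
    client_id: str
    third_party: str
    scopes: frozenset          # what may be read, e.g. {"balances"}
    expires_at: datetime       # how long access lasts
    max_calls_per_day: int     # how often data may be pulled
    revoked: bool = False
    calls: list = field(default_factory=list)  # timestamps of allowed calls

    def revoke(self) -> None:
        self.revoked = True

def authorize(grant, third_party, scope, now):
    """Return (allowed, reason) for one data request against a grant."""
    if grant.revoked:
        return False, "revoked"
    if third_party != grant.third_party:
        return False, "wrong_party"
    if now >= grant.expires_at:
        return False, "expired"
    if scope not in grant.scopes:
        return False, "scope_not_granted"
    window_start = now - timedelta(days=1)
    recent = [t for t in grant.calls if t > window_start]
    if len(recent) >= grant.max_calls_per_day:
        return False, "rate_limited"
    grant.calls = recent + [now]   # record only requests that were served
    return True, "ok"

def demo():
    """Replay a constructed sequence of requests; return the decisions."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    g = ConsentGrant("client-1", "budget-app", frozenset({"balances"}),
                     t0 + timedelta(days=90), max_calls_per_day=2)
    out = [authorize(g, "budget-app", "balances", t0),
           authorize(g, "budget-app", "transactions", t0),
           authorize(g, "budget-app", "balances", t0 + timedelta(hours=1)),
           authorize(g, "budget-app", "balances", t0 + timedelta(hours=2)),
           authorize(g, "budget-app", "balances", t0 + timedelta(days=91))]
    g.revoke()
    out.append(authorize(g, "budget-app", "balances", t0 + timedelta(days=2)))
    return [reason for _, reason in out]
if __name__ == "__main__":
    print(demo())
```

Every denial here is a decision the bank makes per request, which is exactly the control a scraper holding the client's password bypasses.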

The legal foundation goes back to Section 1033 of Dodd-Frank, which established that clients have a right to their own financial data. I'm not the person to walk you through the statutory history, and I won't pretend to be. Turning a one-line right into a rule that works across thousands of institutions of wildly different sizes is genuinely hard, and the careful pace of that work makes sense to me. What I can speak to is the building.

The Build for a Community Bank

This is where it stops being abstract for me. The largest banks already run developer portals and have spent years negotiating data-sharing terms with the aggregators. Community banks generally have none of that. If a rule like this takes effect, an institution that size has to build or buy API infrastructure to serve client data to authorized third parties, and that's a real investment for a balance sheet that doesn't have a platform team sitting idle. The core providers will almost certainly offer something. The open questions are how good it will be, what it will cost, and whether it actually meets the standard.

Europe went down a version of this road a few years back, and the lesson I take from watching it is to be careful about over-building for demand that can take years to show up. I'd rather plan for the requirement than chase a usage curve nobody can predict yet.

Switching Gets Easier

There's a strategic shift underneath the compliance question that I find more interesting than the build itself. Open banking makes clients easier to move. If an app can pull a full transaction history and balances through an API, changing banks gets noticeably simpler. That's good for competition, and it's uncomfortable for any bank that has quietly relied on switching being annoying. The friction was never a real moat. This just makes that obvious. A bank keeps clients by being worth keeping, not by being hard to leave.

Who Owns the Data

The piece I find most interesting is ownership. Banks have always behaved as though they own client financial data. Open banking treats the client as the owner and the bank as a custodian. I think that's the right outcome, and it changes what the job actually is. If the data belongs to the client and can go anywhere, holding it is no longer the advantage. What you do with it is. The banks that use client data to deliver better decisions and better products will pull ahead, and the ones that were content to sit on it will feel the ground move.

There's no compliance timeline yet, and the proposal could change a lot before it's final. But I'd rather be thinking about the build, and the shift behind it, now.