Open banking in the United States has spent a long time as something that happened elsewhere. That's changing. With the CFPB's Section 1033 personal financial data rights rule now shaping the landscape, the question for community banks and credit unions is no longer whether members can move their data to third parties — it's whether your institution will do it securely, on your terms, or scramble to react.
The headline is straightforward: your members have the right to access and share their own financial data. The implications are anything but.
What 1033 actually establishes
At a high level, the rule requires covered institutions to make a consumer's financial account data available — to the consumer and to third parties the consumer authorizes — through secure, reliable methods. In practice, that means moving away from the old, fragile approach of screen scraping (where an app stores a member's username and password and logs in as them) and toward proper, permissioned API access.
That transition is genuinely good news for security. Screen scraping has always been a liability: it requires sharing credentials, it breaks constantly, and it gives third parties far more access than they usually need. Tokenized, permissioned APIs let a member share exactly what they intend to share, and revoke it just as easily.
The risk isn't the rule — it's disintermediation
The strategic worry for community institutions isn't compliance mechanics. It's what open banking makes easy: a member connecting their account to a budgeting app, a competitor, or a fintech that then sits between your institution and the relationship. Once someone else owns the daily financial experience, you risk becoming a dumb pipe — the place the money sits, not the brand the member trusts.
Open banking doesn't decide whether you keep the relationship. It just removes the friction that used to protect it. What keeps the member is being genuinely useful.
How to play offense
The institutions that will benefit from open banking treat it as a two-way street. Data sharing isn't only about members exporting data to others — it's about your institution using permissioned data to serve members better. A few ways to lean in:
- Account aggregation inside your own app. Let members connect their outside accounts to your digital banking, so your app becomes the place they see their whole financial life.
- Smarter, faster lending. Permissioned cash-flow data can support underwriting for thin-file borrowers and speed up decisions.
- Proactive advice. If you can see the full picture (with permission), you can flag a better rate, a fee to avoid, or a savings opportunity — the kind of value that earns primacy.
What to get right operationally
On the compliance and security side, a few priorities matter most: implement a proper developer interface rather than relying on scraping; give members a clear, simple way to see and revoke which third parties have access; and treat third-party data recipients with the same diligence you'd apply to any vendor touching member data. Get the plumbing right and the member experience — connect, authorize, revoke — should feel effortless.
The mindset shift
For years, the moat was that member data was hard to move. That moat is draining. The replacement moat is usefulness: being the app the member actually opens, the institution that gives them a reason to keep their primary relationship where it is. Open banking is a threat to institutions that were coasting on inertia — and an opportunity for the ones ready to compete on experience.