Open Banking Without Rules: Market-Driven Strategy Prevails as CFPB Rescinds Section 1033

Strategic guidance for financial institutions navigating the post-regulatory open banking landscape

The Consumer Financial Protection Bureau’s decision to rescind Rule 1033, combined with ongoing litigation from the Bank Policy Institute, has created uncertainty across the financial services industry. As institutions question their digital transformation strategies, executives need clarity on practical implications and actionable next steps.

Open Banking Strategy: Business as Usual

Despite the regulatory turbulence, open banking strategies should remain largely unchanged. The fundamental drivers that pushed financial institutions (FIs) toward API-based data sharing—customer demand, competitive pressure, and operational efficiency—persist beyond Rule 1033.

The United States already operates a robust, market-driven open banking ecosystem facilitating billions of secure data transfers monthly. This infrastructure, built through bilateral agreements and industry standards, functions independently of regulatory mandates. Many institutions may find the return to voluntary frameworks better aligned with their risk management preferences.

FIs that invested in open banking capabilities should continue their roadmaps. Technology investments, partnership frameworks, and customer experiences developed over the past few years remain valuable competitive assets.

Consumer Fee Structures Return to Market-Based Pricing

One immediate practical change involves consumer fee structures. Rule 1033’s prohibition on access fees no longer applies, allowing FIs to charge for data access services.

This shift will likely impact:

  • Direct charges for account aggregation services
  • Fintech partnership economics requiring cost structure renegotiation
  • Screen scraping resurgence as banks create friction

Institutions should review any increased data liability as fees expand their risk profile. While some may reintroduce fees, others might maintain free access as a competitive differentiator.

Enhanced Security Scrutiny: The New Operational Standard

Perhaps the most significant operational change involves heightened security scrutiny of fintech partnerships. Without regulatory oversight requirements for third parties, FIs assume greater responsibility for vetting their partners. Expect to see:

Enhanced Due Diligence Processes

  • More comprehensive security assessments of fintech partners
  • Regular audits of third-party data handling practices
  • Stricter certification requirements for API access

Contractual Safeguards

  • Detailed data security and breach notification clauses
  • Clear performance standards and monitoring requirements
  • Enhanced termination rights for security violations

Risk Management Frameworks

  • Updated vendor risk assessment protocols
  • Continuous monitoring of third-party security postures
  • Regular review cycles for existing partnerships

This increased scrutiny adds operational overhead but benefits the ecosystem by ensuring only well-prepared fintechs access sensitive financial data. However, additional friction may eliminate some fintech participants.

Liability Allocation: The Critical Unknown

The most complex unresolved issue remains data breach and fraud liability. Without clear regulatory guidance on responsibility allocation between banks and third parties, institutions must navigate uncertainty through contractual arrangements. Key considerations include:

Indemnification Structures

  • Comprehensive liability coverage for data breaches
  • Clear allocation of fraud losses
  • Insurance requirements for fintech partners

Incident Response Protocols

  • Coordinated breach notification procedures
  • Joint investigation frameworks
  • Customer communication responsibilities

Ongoing Monitoring

  • Real-time fraud detection collaboration
  • Shared threat intelligence
  • Regular security posture assessments

The absence of regulatory clarity means institutions must proactively define relationships contractually, potentially creating more robust risk management frameworks than regulations might have required.

Strategic Action Plan for Financial Services Leaders

For FIs:

  1. Maintain open banking momentum: Don’t pause digital transformation initiatives due to regulatory uncertainty
  2. Review fee strategies: Evaluate whether access charges align with your competitive positioning
  3. Strengthen partner vetting: Implement enhanced due diligence for fintech relationships
  4. Revise contractual terms: Ensure liability allocation and security requirements are clearly defined

For fintech companies:

  1. Invest in security: Demonstrate robust data protection capabilities to potential bank partners
  2. Prepare for scrutiny: Develop comprehensive security documentation and audit trails
  3. Create flexible pricing models: Be prepared to adapt to potential access fee reintroduction
  4. Secure adequate insurance: Ensure sufficient liability coverage for data handling activities

The Path Forward: Market-Driven Innovation Continues

Rule 1033’s rescission doesn’t end open banking—it returns the industry to market-driven evolution. This approach has already proven successful in creating a thriving ecosystem of financial innovation.

While regulatory uncertainty creates short-term challenges, it also provides an opportunity for the industry to demonstrate that effective open banking can emerge through collaboration rather than mandate. Institutions that focus on building secure, customer-centric data sharing capabilities will be best positioned regardless of future regulatory developments.

The key is maintaining momentum while adapting to the new reality. Open banking’s fundamental value proposition—better customer experiences through secure data sharing—remains compelling. The path forward may be less regulated, but it’s no less important for the future of financial services.

Ready to navigate the post-Rule 1033 landscape? We help FIs develop open banking strategies that balance innovation with security. Contact us to learn how we can support your digital transformation initiatives in this evolving regulatory environment.