Open Banking Is Coming Whether You're Ready or Not

One in three American adults has already connected a financial account to an app powered by Plaid. They didn’t ask their bank for permission. They just did it.

That’s the reality of open banking in 2025 — not a future event, not a compliance checkbox. A behavioral shift that’s already reshaping how consumers interact with their money, with or without regulatory mandates telling banks to participate.

The CFPB’s Section 1033 rulemaking has become a case study in regulatory whiplash. The original final rule — issued in October 2024 — got stayed by a federal court in late 2025. The CFPB, under new leadership, declared the rule exceeds its statutory authority. A new Advance Notice of Proposed Rulemaking dropped in August 2025. The compliance deadlines that once loomed for June 2026 are now frozen indefinitely.

Community bank executives who’ve been waiting for regulatory clarity before acting are reading this as a signal to keep waiting. That’s the wrong read.

The Rule Is on Hold. The Market Is Not.

Regulatory uncertainty doesn’t pause consumer behavior. More than 8,000 financial apps currently use Plaid’s infrastructure, and Plaid facilitates over 10 billion transactions a month. When someone links their bank account to Venmo, Robinhood, a budgeting app, or a payroll platform, data flows — regardless of whether a federal rule mandates how that flow is governed.

What’s happening in the absence of regulation is a power struggle worth understanding. Large banks — Wells Fargo, JPMorgan, PNC — are moving aggressively to control how their customer data gets accessed. JPMorgan renegotiated contracts with the major data aggregators, establishing paid access terms. Wells Fargo sent cease and desist letters to aggregators that weren’t routing through Akoya, the bank-backed data infrastructure platform owned jointly by 11 large institutions and The Clearing House.

This is big banks using their market position to put a toll booth on data access — exactly what Section 1033 was designed to prevent. Whether the rewritten rule ultimately strengthens or weakens consumer data rights, the infrastructure battles are happening now.

Community banks are mostly watching from the sidelines.

What Open Banking Actually Means for a $500M Institution

Strip away the buzzwords. Open banking, at its core, is this: your customers’ financial data can travel securely to third-party apps and services — with their consent. The question for a community bank is whether you’re a participant in that ecosystem or a data source being quietly drained by it.

Right now, most community banks are the latter.

When your customer connects their checking account to a personal finance app, a wealth management tool, or a competitor’s refinancing calculator, you’re providing data that helps someone else build a relationship. You’re getting nothing back. No insight into what your customer is shopping for. No ability to present a counter-offer. No signal that a deposit relationship is at risk.

Banks that have invested in open banking infrastructure — even modestly — can flip this dynamic. They become distribution points rather than just data sources. A bank with functioning data-sharing APIs can surface its own products inside partner apps. It can receive enriched data from aggregators that improves its own risk models. It can serve customers who want to manage their finances through third-party tools without losing the primary relationship.

Open banking done right isn’t about giving your data away. It’s about getting into rooms your customers already walk into.

The fact that 37% of community banks call open banking a “moderate” priority — and another 29% call it low or not a priority at all — isn’t comforting. It’s a gap. And gaps in banking tend to get filled by people who move faster.

Why the Section 1033 Rewrite Still Matters

Here’s what changed and what didn’t.

The original rule finalized in November 2024 would have required banks with over $850 million in assets to be compliant by April 2026, with smaller institutions given until 2030. That timeline is now on ice while the CFPB rewrites the framework.

The current CFPB is scrutinizing four issues: who can represent a consumer in a data request, whether banks can charge fees for data access, data security cost-benefit analysis, and privacy risks in data sharing. The fee question matters most for community banks — big banks want to charge aggregators for data pulls, and the new rule may give them legal cover to do so. If that happens, and community banks haven’t built their own data-sharing infrastructure, they’ll pay tolls to access their own customers.

CFPB regulatory compliance community bank strategy

The practical implication: the 2030 compliance deadline was always aspirational for smaller institutions. The rewrite could push that out further or alter what’s required. But the underlying direction — that consumers have a right to move their data, and that banks will need to support that movement in a structured way — isn’t reversing. Congress isn’t about to pass legislation making financial data harder to share. The market won’t accept it.

The question is whether your institution shapes how you participate or reacts to terms set by others.

The Financial Data Exchange Is the Standard That Survived

One reason community banks can move now, even without regulatory clarity, is that the technical standard exists independent of the CFPB rule.

The Financial Data Exchange (FDX) is a nonprofit organization building API standards for consumer-permissioned data sharing. It has over 250 members — including banks, credit unions, fintechs, aggregators, and core vendors. Plaid, Akoya, Jack Henry, Fiserv, and dozens of others have aligned on FDX as the common protocol.

What this means: the technical plumbing is in place. Community banks don’t need to build anything from scratch. If your core vendor is Jack Henry, Fiserv, or Q2, FDX-compatible data sharing is either available now or on a near-term roadmap.

Community bank technology vendor evaluation core banking

The implementation question isn’t “should we wait for the CFPB to tell us what to build.” It’s “can our core support FDX APIs, and have we turned them on.”

What Good Looks Like

The Citizens Bank example is instructive. Citizens deployed FDX-compatible open banking APIs and saw 96% of legacy screen-scraping traffic migrate to the API layer. Onboarding times for fintech integrations dropped from weeks to minutes. The bank gained visibility into how its data was being accessed and by whom — something screen scraping never allowed.

Citizens isn’t a community bank. But the playbook scales down.

A $600M community bank in the Midwest that joined the FDX network and enabled API-based data sharing with Plaid, MX, and Akoya would accomplish three things: eliminate the security risk of screen scraping, gain insight into what tools their customers use (and what products they might need), and position for two-way data flows as the ecosystem matures.

Fintech partnership community bank due diligence

The investment isn’t enormous. The barrier is usually organizational — someone has to own the project, and most community banks don’t have a clear owner for digital infrastructure decisions. That’s a different problem, but a solvable one.

What to Do Before the New Rule Lands

The CFPB rewrite will take time. The court injunction means no one is facing an imminent compliance deadline. Use that time.

Audit your current data-sharing posture. Do you know which aggregators are screen scraping your online banking portal? Do you have API relationships with any of them? If you don’t know the answer, your IT team should be able to find out in a few days.

Talk to your core vendor. Ask specifically about FDX API support and their open banking roadmap. If the answer is vague or the roadmap is more than two years out, factor that into your next contract negotiation. Your core vendor’s position on open banking will shape your options more than any regulation.

Decide whether open banking is a threat to manage or an opportunity to pursue. These aren’t the same response. Managing the threat means getting control of how your data is accessed — auditing aggregator relationships, eliminating unauthorized screen scraping, establishing terms. Pursuing the opportunity means going further: enabling your institution to appear inside third-party financial tools, exploring data partnerships that improve your product offerings.

Community bank digital strategy technology roadmap

Most community banks should start with threat management. A meaningful few are positioned to move to offense.

The Bottom Line

The CFPB’s Section 1033 rewrite will land eventually. It will clarify some things — fees, authorization standards, liability — and leave others to the market to sort out. What it won’t do is make open banking go away.

One in three American adults already lives in an open banking world. They link their accounts to apps, share their transaction history with lenders, and authorize payroll platforms to pull directly from their checking accounts. They’ve been doing it for years.

The community banks that treat open banking as a compliance question they’ll deal with when the rule is final are playing defense on a field where the game has already started.

The ones that understand it as a distribution question — how do we show up where our customers are making financial decisions — are playing a different game entirely. That’s the game worth winning.