Open Banking

Open banking is a framework enabling consumers and businesses to securely share their financial account data with authorized third parties — via APIs — with the account holder's explicit consent. In the U.S., the CFPB's Personal Financial Data Rights rule (Section 1033 of Dodd-Frank) creates the regulatory foundation for open banking.

Open banking replaces screen-scraping (storing consumer passwords to access accounts) with direct, permissioned API access — consumers authorize specific third parties to retrieve specific data without sharing credentials. In the UK, open banking was mandated by the Competition and Markets Authority in 2017. In the U.S., the CFPB issued the final Personal Financial Data Rights rule under Dodd-Frank Section 1033 in October 2024, requiring covered financial institutions to provide machine-readable access to consumer account data upon consumer authorization.

## What Data Is Covered

The CFPB rule covers: checking and savings account transaction data, credit card data, and digital wallet data. Loan account data (mortgage, auto, student loan) is not in the initial scope but may be added. Covered financial institutions include banks, credit unions, card issuers, and payment facilitators above specified size thresholds.

## Business Lending Applications

Open banking is transforming SMB loan underwriting: rather than reviewing static PDF bank statements, lenders can access real-time transaction data directly from the bank with borrower permission. This enables cash-flow underwriting at speed — approvals in hours rather than days. Companies like Plaid, MX, and Finicity (Mastercard) power open-banking-based underwriting. MCA funders, online lenders, and bank statement-based underwriters all benefit from live data access.

## Compliance Requirements

Under Section 1033, data providers must make data available in standardized, machine-readable formats at no cost to the consumer. Third-party data recipients (apps, lenders) must comply with data use limitations — data may only be used for purposes the consumer authorized. The CFPB has enforcement authority over both data providers and third-party recipients.

Frequently asked questions

Is open banking the same as screen scraping?

No — they are fundamentally different. Screen scraping requires consumers to share their bank login credentials with third parties, who then log in as the consumer. Open banking uses direct, tokenized API connections authorized by the consumer but not requiring credential sharing. Open banking is more secure (credentials are never shared), more reliable (APIs return structured data), and consumer-revocable at the bank level.

What does the CFPB's Section 1033 rule require?

Banks and other covered financial institutions must provide consumers the right to access and share their own financial data in machine-readable format. The rule requires financial institutions to support third-party access via API when consumers authorize it. Third-party recipients have data-use limitations — they must use the data only for the authorized purpose and cannot sell it to unrelated parties.

How does open banking help small business loan applicants?

Open banking-enabled lenders can access real-time bank statement data — cash flow, deposit patterns, average balances — instantly with borrower permission. This eliminates the 3-7 day document collection cycle, enables real-time underwriting decisions, and allows lenders to assess current (not month-old) financial health. For borrowers with strong cash flow but limited credit history, open banking data can strengthen an application that PDF statements alone might not fully capture.
