It was all coming together according to plan. The Dodd-Frank Act was signed into law July 21, 2010, which included section 1033 intending to enable everyday Americans with more control of their financial data and to foster innovation and more secure data sharing practices. The Consumer Financial Protection Bureau (CFPB) lived up to their obligations under section 1033 and published rules by October 2024 that established dates for bank and credit union compliance based on asset size between April 2026 and April 2030.
Third party data aggregators like Plaid, Finicity, Akoya, and Yodlee/Envestnet had an early start establishing data sharing agreements across banking cores, transaction processors, and digital banking providers, with business models built on the back of financial institutions obligated to share customer data at no cost. Some of the largest institutions proactively enabled these capabilities ahead of their compliance date which began changing consumers’ views on how easy it should be to connect external accounts across financial institutions to aggregate data and move money.
Then it kind of all started to unravel.
When Open began to feel like NOPEn
Early cracks began to appear in the absence of a final rule from the CFPB, and as banks and independent third parties began to make their own moves:
- Eleven banks1 who desired to maintain control over their customer data acquired Akoya from Fidelity. Akyoa would then compete against other independent third parties like Plaid, Finicity, and Yodlee/Envestnet and offer a financial counterbalance for these banks against their obligations to offer access to their customer data at no cost to third parties.
- Bankers influence on data sharing through their Akoya-owned consortium began to play out in moves such as in October 2023 when Fidelity limited third party access to only Akoya for investment and 401(k) account data sharing.
- Visa announced plans to acquire Paid, in January 2020, which was ultimately blocked by the Department of Justice (DOJ) via an Antitrust lawsuit in November 2020. Visa abandoned the acquisition in January 2021 and acquired European open banking provider Tink in March 2022.
- The Bank Policy Institute (BPI), Kentucky Bankers Association (KBA) and Forcht Bank filed lawsuits claiming the CFPB exceeded its statutory authority by requiring banks to share their customer data with non-fiduciary companies like third party aggregators.
2025—The catalyst year to NOPEn
Political and judicial changes ushered in through the current Administration caused further disruption on the journey to secure, free, and open data sharing for everyday Americans. Early cracks turned into canyons, leaving credit unions stuck in the middle of an unraveling rule framework, and respective members already experiencing the consumer benefits of open banking through their relationships with fintechs and some of the largest banks.
- New leadership at the CFPB pushed to be able to legally vacate their current rule entirely; a rule that took five years to complete and even with Section 1033 of the Dodd-Frank Act still requiring the CFPB to provide a rule for financial institutions to comply. A new rule would still need to be written and by a CFPB with 90% less of their initial staffing due to laying off some 1,500 workers.
- JP Morgan Chase (JPMC) began notifying third party data aggregators of their plan to charge for access to their customer data. A move possible for a bank like JPMC due to their scale and ownership of much of their tech stack and own Application Programing Interface (API) as the only access point to their customer data.
- The CFPB responding to JPMCs pricing move, and perhaps also grappling with the realities of their new staffing model, pivoted their stance in court from completely vacating their initial rule to instead proposing re-writing the areas of the current rule which cause the greatest concern, like banks obligations to offer third party aggregators unfettered access to covered customer data at no cost.
Picking a path forward for your credit union
I’ve heard several different perspectives from leaders in the open banking industry as well as leaders among credit unions on the best way to move forward, which the deciding factors being between fear, regulatory obligation, and creating opportunity through investing in an improved member experience.
Some shared a sense of relief that their obligation to share member data with fintechs and other financial institutions may be paused or eliminated. Grounded in fear that this is just another expensive investment required only because of regulation, and if required to do so they would lose member relationships and engagement to fintech apps and larger institutions. This stance highlights the risk of their role being reduced to simply a financial clearing house for someone else’s best-in-class digital experience, while the other bank or fintech benefits as everyday debit card, ACH, and real-time payment transactions migrate from the credit union to the app or brand their account was connected to via open banking.
Others were intrigued about the possibility of being able to monetize third party access to their member data because of JPMC’s move and respective CFPB response; an outcome only possible if your credit union is going to build and own your own API access point to your data and force each third party aggregator to develop to your tech solution.
But most see the broader benefits for their member’s experience by allowing financial consumers across all brands to be able to share their data in a way that is safe and secure, betting their member relationships and credit union value proposition outweigh the risk of lost engagement when their accounts are connected elsewhere.
The open banking train has already left the station, and now is the time to decide how you’ll enable your members to buy a ticket to ride.
Need help evolving your credit union’s payments function from operations into a strategic contributor to your growth strategy? Visit https://www.christopherdanvers.com/advisory and request a consultation today.
