The “Fintech-ification” of Everything

“People don’t need a bank, they need banking,” says Carlos Missao, head of innovation, Americas, at GFT, a fintech consulting company. “Regardless of the institution you’re using, what you need is a good financial service.” 

“From a consumer standpoint, we’re already sharing our data,” he adds, “but we don’t have a full understanding of how we control that data.”

Industry experts say the open banking revolution is well under way. In the U.S., it’s already proved a boon to consumers in myriad ways, driving down costs for consumers and small businesses while enabling new functionality and financial tools: Personal finance apps can now aggregate accounts to offer personalized advice. Investment platforms use analytics to align portfolios with risk tolerance. And services like Venmo, Cash App and Robinhood have leveraged open banking to streamline peer-to-peer payments, simplify investing and offer seamless access to financial markets.

But some industry experts have sounded the alarm that without strong oversight, the financial ecosystem could evolve in a way that would do the opposite of open banking’s promises to democratize financial services, instead cementing the dominance of big banks and creating a walled garden controlled by incumbents.

The “Incumbent Advantage”

“No player in the market is better positioned to take advantage of open banking than the large financial institutions,” says Steve Boms, executive director of the Financial Data and Technology Association of North America, which represents more than 30 fintech firms.

With existing customers numbering more than a hundred million, deep technological resources and expansive financial services offerings, big banks could leverage their scale to entrench their market power.

“It puts them in the position to significantly lean into their incumbent advantage in ways that could be problematic to competition,” Boms says. “Many financial institutions, even today, will exert restrictions over the manner, cadence or particular use cases with which you can share your data.”

Throughout the process of finalizing the agency’s ruling, concerns over ensuring a level playing field were top of mind for then–CFPB director Chopra.“We know dangers exist when more powerful players weaponize industry standards,” Chopra said at the Financial Data Exchange Global Summit in March of last year. “We have to be vigilant that standard-setting does not skew to benefit dominant firms and their prevailing market power.”

Establishing those standards in the U.S. — unlike Europe and Latin America, for instance — is unique in that there isn’t a centralized, top-down regulator.

“That’s never going to work in the United States,” says Adam Rust, director of financial services at the Consumer Federation of America. “It’s not our culture.”

Instead, the process has evolved within a free market and a consensus-building framework, a carrot-and-stick approach to establish industry-wide standards. That process has revolved around application programming interfaces (APIs), which have emerged as the critical architecture of open banking. APIs, of course, are effectively digital bridges that allow banks and financial apps to communicate securely. They’re essential for interoperability in the market.

Before APIs gained widespread adoption, and without clear regulatory guidance, banks were often reluctant to share customer data. As a result, many third-party apps resorted to a process called screen-scraping in order to access the information, which required customers to effectively share their login details. It was a common but clumsy workaround that introduced security risks.

“When you tell consumers that people are out there recording your login credentials and just keeping them, that bothers them,” Rust says. “It’s not safe, and it breaks all the time. That’s a mess.”

The CFPB’s new rule aims to eliminate that risky practice. Now, thousands of financial services firms have to create or upgrade their systems so consumers can share data directly and safely with authorized third parties. Deadlines for compliance are phased according to bank size: April 2026 for the biggest banks, and 2030 for the smallest covered institutions.

Until recently, stakeholders were largely on their own when it came to ensuring security while navigating a patchwork of proprietary data-sharing systems, bilateral agreements with banks and industry-led guidelines. But in January, the CFPB officially recognized the nonprofit Financial Data Exchange (FDX) as a standard-setting body to promote secure and standardized data-sharing protocols.

FDX — whose APIs are royalty-free — is required to operate transparently, without financial conflicts and with equal access for all market participants. Its recognition as a standard-setting body lasts for five years, at which point the CFPB will reevaluate it (if the agency still exists then, which is an entirely different story).

Although FDX is currently the only recognized standard-setting body, using its protocols isn’t mandatory, and banks can use any API they choose (including proprietary ones), as long as they comply with security, privacy and access rules by the relevant deadlines.

FDX’s APIs are already used widely — 32 million American consumers use their security protocols via banking and fintech apps — but the formal recognition helped to clarify an amorphous, market-based governance structure.

“This is good news,” Missao says. “It unleashed a lot of initiatives that were unclear for banks and for the market.”

Missao says it was a smart move not to force banks that weren’t already using those standards to transition to FDX’s APIs, or others, immediately. “They can keep working in parallel and they’re free to have other standards. They can either use them, or challenge FDX, or even challenge the CFPB.”

The Big Bank Backlash

Not everyone has been happy about the CFPB’s open-banking ruling. Within 24 hours of its announcement, the Bank Policy Institute, a trade association that represents America’s biggest banks, along with the Kentucky Bankers Association, sued the agency, arguing it had overstepped its authority and claiming that the rule threatens consumers by putting the banking system at risk.

“This isn’t open banking, it’s open season for more fraud and scams,” said Trish Wexler, a spokesperson for JPMorgan Chase & Co., the largest bank in the U.S., in a statement obtained by Bloomberg. “By mandating banks must hand over sensitive customer account data to any third party that got someone to click ‘I accept’ on their app, this rule handcuffs banks’ ability to demand high security standards from third parties.”

Others say those fears are overblown. Zach Perret, CEO of fintech company Plaid, which connects users’ bank accounts to about 8,000 apps and more than 12,000 financial institutions, has said he predicts growing collaboration among fintechs to fight fraud, calling it the one area where competition takes a back seat to collective security.

The “Fintech-ification” of Everything

The push for clearer rules comes as fintech continues to blur the lines between traditional banking and everyday digital services.

APIs are also crucial for what’s called “embedded finance” — the integration of financial services into businesses that aren’t banks, often referred to as the “fintech-ification of everything.” It was a term coined in 2010 by Angela Strange, general partner at tech venture capital firm Andreessen Horowitz.

Fast-forward to today: Platforms like Shopify offer merchant financing, Uber provides drivers with debit cards and instant payouts, landlords use APIs to enable digital rent payments, and Apple has even launched its own credit card and savings accounts. 

“We are already fintech-ified,” says Missao. “The CFPB have to look not only to the core of the financial system — they have to look to the surrounding players as well, the smaller companies, fintechs and startups, which is a challenge. … Ultimately, the CFPB will have to propose policies that go beyond the banking lifecycle.”

The regulatory road ahead is unclear, but Boms believes the U.S. should take a page out of other countries’ books by staying nimble when regulating new technology. “You’re not going to get it right as a regulator, right off the bat,” he says. “And that's something U.S. policymakers are not at all comfortable with.”

In the U.K., Brazil, Singapore and Australia, Boms says, regulators “started with what they thought was the best practice and then continually took market feedback on where the friction points were, what was working and what wasn't, and made changes accordingly.”

As the U.S. continues to chart a uniquely American path forward, the future of open banking is at a pivotal intersection: The country’s approximately 4,000 banks, 4,000 credit unions, and 13,000 fintech startups — nearly half of the world’s total — will be watching the CFPB’s next moves closely as it navigates shifting political winds.