How US Open Banking Regulations Impact Merchants, Fraud Prevention, & Chargebacks
Financial institutions store an incalculable amount of personally identifying information on their customers, ranging from names and addresses to social security numbers and card numbers.
Traditionally, banks have kept this information to themselves. This resulted in data siloes and limited integrations between financial institutions and third-party financial services providers like payment processors, insurance companies, lenders, brokerage firms, credit bureaus, or fintech services. This is slowly changing, though.
Both consumers and third-party financial services providers argued that banking data could be shared like data on any other internet-based service. Doing so could allow fintechs and other providers to innovate and build a more integrated and less friction-filled banking experience for consumers and businesses.
The regulatory landscape was shifting, too. The finalization of the revised Payment Service Directive (PSD2) in the European Union was a watershed moment for open banking. For the first time, it established a legal framework governing data sharing and API access for third-party fintechs. What exactly does that mean for merchants, though?
What Is Open Banking?
Open Banking [noun] /ō • pən • baNGk • iNG/
Open banking is a financial services data sharing model. It allows third-party financial service providers to gain access to banking information stored by financial institutions using secure and standardized application programming interfaces (APIs).
In practice, open banking means that fintech platforms, non-bank card issuers, budgeting apps, and other third-party software-as-a-service (SaaS) providers could soon offer online “banking-as-a-service” solutions to consumers.
On a more granular level, third-party non-banks can access financial data via account information service providers (AISPs). They can also initiate payments via payment initiation service providers (PISPs). Both of these use APIs to facilitate data sharing.
AISP and PISP are terms used in PSD2, which was finalized in the EU in 2018. If open banking comes to the US, the CFPB will likely apply different terminology to open banking data providers.
| | Account Information Service Providers (AISPs) | Payment Initiation Service Providers (PISPs) |
|---|---|---|
| Purpose | Provide consolidated access to financial data across multiple accounts | Allow users to initiate bank-to-bank transfers using a third-party interface |
| Function | Provide access to account information, like transactions or balances | Initiate payments and move funds between accounts |
| Access | Read-only | Read-write |
| Examples | Budgeting apps, account aggregation apps, and credit monitoring services | Invoicing and bill pay providers, neobanks or fintech banking solutions |
Both AISPs and PISPs must obtain explicit user consent before sharing data with third parties. In the EU, AISPs must gain consent and use Strong Customer Authentication (SCA) before accessing account data. PISPs must also do both of those things before initiating payments or transferring funds.
Before open banking standardized secure data sharing between banks and third parties, the only way to obtain banking information was through “screen scraping.” Here, data scrapers extracted account information by collecting front-end code from a bank’s website. This posed credential exposure risks and offered users little control over what information a third-party could access.
Section 1033: The CFPB’s Open Banking Rule
While the EU was the first to pioneer open banking, the model could soon come to American shores thanks to new regulatory changes.
In July 2010, Congress passed the Dodd-Frank Wall Street Reform and Consumer Protection Act. Section 1033 of the Act states that covered entities, like banks — subject to Consumer Financial Protection Bureau (CFPB) rulemaking — must “make available to consumers, upon request, transaction data and other information concerning a consumer financial product or service that the consumer obtained from the covered entity.”
In other words: consumers have the right to access their banking information and can grant those same access rights to third-party service providers.
The CFPB took the first steps towards implementing Section 1033 back in 2016. In November 2024, they published a final rule on personal financial data rights, which would implement Section 1033 by requiring banks to provide “covered data” free of charge to consumers and authorized third parties.
In October 2025, a federal judge blocked the CFPB from enforcing Biden-era open banking rules, keeping the policy on hold as the Trump administration moves ahead with plans to rewrite it. This move was seen as a victory for big banks, as it delays data-sharing requirements.
According to the CFPB, covered data includes up to 24 months of transaction information, including “amount, transaction date, payment type, pending or authorized status, payee or merchant name, rewards credits, and fees or finance charges.” It also includes account balance information, information needed to initiate payments, terms and conditions between a data provider and the consumer, and upcoming bill information.
If implemented, “covered entities,” including credit card issuers, digital wallet providers, and payment apps, would have until 2030 to comply with the personal financial data rights rule. This is, of course, pending legal challenges that may delay the preset compliance timeline.
Bigger firms have less time to comply with the CFPB’s Personal Financial Data Rights rule:
| Compliance deadline | Who must comply |
|---|---|
| April 1, 2026 | Financial firms that hold >= $250 billion in total assets; nondepository institution providers that generated >= $10 billion in total receipts in 2023 or 2024 |
| April 1, 2027 | Depository institution data providers that hold between $10–$250 billion in total assets; nondepository institutions that generated less than $10 billion in receipts in 2023 or 2024 |
| April 1, 2028 | Depository institution data providers that hold between $3–$10 billion in total assets |
| April 1, 2029 | Depository institution data providers that hold between $1.5–$3 billion in total assets |
| April 1, 2030 | Depository institution data providers that hold between $850 million and $1.5 billion in total assets |
Current Status of Open Banking Rules in the US
The implementation of the CFPB’s Personal Financial Data Rights Rule has been halted, at least temporarily. But, many banks and fintechs are entering into voluntary data-sharing agreements anyway to share the benefits of open banking.
So, what happens now?
As of late 2025, the implementation of the CFPB’s Personal Financial Data Rights Rule has been effectively halted. In October 2025, the US District Court for the Eastern District of Kentucky issued a preliminary injunction enjoining — that is, prohibiting — the CFPB from enforcing the rule. This ruling followed lawsuits filed by Frost Bank, the Bank Policy Institute, and other industry groups, which argued the rule exceeded the agency’s statutory authority.
Earlier in the year, new CFPB leadership under the Trump administration signaled a shift in stance when they acknowledged potential legal deficiencies in the original text. They announced plans to “substantially revise” the regulation through an “accelerated rulemaking” process. This means the mandatory compliance deadlines, originally set to begin in 2026, are now paused indefinitely while the CFPB rewrites the rule.
That said, this period of regulatory uncertainty has done little to slow the shift toward open banking in the US. Voluntary data-sharing agreements between banks and fintechs, for example, continue to flourish, largely driven by market demand for seamless and integrated financial services. For this reason, merchants who wish to embrace open banking continue to have an opportunity to do so.
How Open Banking Could Benefit Merchants
Account-to-account payments are not subject to chargebacks, involve multifactor authentication (thereby reducing fraud), and have faster settlement times for lower fees.
Recall that there are two forms of data sharing: “read-only” access via AISPs, and “read-write” access via PISPs. The latter enables what’s known as “pay-by-bank” or account-to-account (A2A) payments, which means that customers can push funds directly from their bank account to yours via secure APIs.
This arrangement makes open banking a powerful alternative to traditional card payments. Instead of entering card details at checkout, open banking enables customers to authenticate purchases directly within their own banking app. Because the customer validates the transaction using their bank’s biometric or multi-factor authentication system, the payment is considered authorized at the source.
So, why should merchants care about all this? Well, the fact that A2A payments are not run like standard card network transactions offers a few clear benefits for merchants:
| Feature | Open Banking (Pay-by-Bank) | Traditional Card Payments |
|---|---|---|
| Chargeback Risk | None. No inherent chargeback mechanism exists; disputes are handled directly between merchant and buyer. | High. Subject to scheme rules; typical chargeback-to-transaction rates range from 0.5% to 1.9%. |
| Processing Fees | Low. Flat fees or low percentages (often capped), bypassing interchange fees. | High. Typically 1.5%–4% per-transaction fees (interchange + assessment + markup). |
| Settlement Speed | Instant to same-day. Improved cash flow with real-time settlement rails. | Slow. Typically 2–3 business days for funds to reach your account. |
| Fraud Protection | Strong. Bank-grade authentication via biometrics, MFA, or SCA. | Variable. Relies on issuer liability shifts and 3DS, which can add friction. |
| Consumer Protection | Merchant-led. Relies on the merchant’s refund policy; no automatic “money back” guarantee from a network. | Card network-led. Consumers have strong statutory rights to dispute charges. |
| Use Cases | High-value B2B transactions, recurring subscriptions, high-risk verticals, and digital goods. | Low-value B2C retail, impulse buys, and customers maximizing points/rewards. |
According to a report by Prommt, open banking APIs have the potential to reduce fraud by as much as 61% compared to traditional payment methods.
All that said, A2A payments come with a trade-off. Given the lack of chargeback protection for consumers, merchants must institute clear and robust return policies to maintain trust and prevent alternate forms of post-transaction abuse, like return fraud.
Using Open Banking Data for Fraud Prevention
Merchants can use open banking data for real-time balance checks, fraud risk scoring, and buyer validation.
Even if you aren’t ready to accept A2A payments, you can still leverage open banking data to fortify your existing fraud defenses. For example, integrating with an AISP can give you real-time visibility into a customer’s financial position, which in turn gives you the data you need to distinguish genuine customers from fraudsters. Specifically, harnessing this data allows you to:
Perform Real-Time Balance Checks
One of the most common causes of payment failure and subsequent administrative disputes is insufficient funds (NSF). Open banking allows you to query a real-time balance and make sure that funds exist before submitting a transaction for processing. This can help you reduce failed payments for subscription services and minimize the operational hassle of chasing declined cards.
Score Fraud Risks
Access to up to two years of transaction history allows you to spot suspicious patterns immediately. Machine learning models can analyze this richer dataset to detect and score anomalies indicative of fraud, such as a sudden spike in spending or a change in geographic location that contradicts the customer’s established financial behavior.
Verify Buyer Identities
Fraud prevention is about stopping bad actors without preventing good customers from checking out. Open banking verifies identity by matching the bank account owner’s details against the order details, effectively automating AML/KYC compliance. This extra layer of confidence can help you reduce your false decline rate and prevent you from rejecting valid orders from legitimate customers.
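The three checks just described (a real-time balance check, anomaly scoring over transaction history, and matching the account owner against the order) as one added Python example. This is not code from the article or from any open banking provider's SDK; the `AccountSnapshot` and `Order` shapes, the signal weights and decision thresholds, and the sample account and orders are all constructed assumptions. A real integration would populate `AccountSnapshot` from the AISP's API after the customer has consented.

```python
"""Added example: scoring an order against consented open banking data (constructed data)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transaction:
    when: date
    amount: float           # money out of the account, in the account currency
    merchant_country: str   # country code of the merchant


@dataclass(frozen=True)
class AccountSnapshot:
    """Hypothetical shape of what an AISP integration returns after consent."""
    owner_name: str
    owner_postcode: str
    balance: float
    history: tuple[Transaction, ...]   # up to 24 months of covered transaction data


@dataclass(frozen=True)
class Order:
    buyer_name: str
    ship_postcode: str
    amount: float
    country: str


def has_sufficient_funds(account: AccountSnapshot, order: Order) -> bool:
    """Real-time balance check: only submit the payment if funds exist (avoids NSF failures)."""
    return account.balance >= order.amount


def spend_spike_score(account: AccountSnapshot, order: Order, z_limit: float = 3.0) -> float:
    """0..1 score for how far the order amount sits above the customer's usual spend."""
    amounts = [t.amount for t in account.history if t.amount > 0]
    if len(amounts) < 5:
        return 0.5                       # too little history to judge; mildly risky
    mu, sigma = mean(amounts), pstdev(amounts)
    if sigma == 0:
        return 0.0 if order.amount <= mu else 1.0
    z = (order.amount - mu) / sigma
    return min(max(z / z_limit, 0.0), 1.0)


def geo_mismatch_score(account: AccountSnapshot, order: Order, lookback: int = 10) -> float:
    """1.0 if the order country never appears in the customer's recent transactions."""
    recent = sorted(account.history, key=lambda t: t.when)[-lookback:]
    if not recent:
        return 0.5
    return 0.0 if order.country in {t.merchant_country for t in recent} else 1.0


def _norm(s: str) -> str:
    return " ".join(s.lower().split())


def owner_match_score(account: AccountSnapshot, order: Order) -> float:
    """Identity check: bank-held owner name and postcode versus the order's details."""
    name_ok = _norm(account.owner_name) == _norm(order.buyer_name)
    post_ok = _norm(account.owner_postcode) == _norm(order.ship_postcode)
    if name_ok and post_ok:
        return 0.0
    return 0.5 if (name_ok or post_ok) else 1.0


WEIGHTS = {"spend_spike": 0.4, "geo_mismatch": 0.3, "owner_mismatch": 0.3}  # assumed weights


def assess(account: AccountSnapshot, order: Order) -> dict:
    """Combine the signals into a score and a decision; insufficient funds declines regardless."""
    signals = {
        "spend_spike": spend_spike_score(account, order),
        "geo_mismatch": geo_mismatch_score(account, order),
        "owner_mismatch": owner_match_score(account, order),
    }
    score = sum(WEIGHTS[k] * v for k, v in signals.items())
    funds_ok = has_sufficient_funds(account, order)
    if not funds_ok or score >= 0.6:
        decision = "decline"
    elif score >= 0.3:
        decision = "review"
    else:
        decision = "approve"
    return {"score": score, "sufficient_funds": funds_ok, "signals": signals, "decision": decision}


# Constructed sample: 24 monthly US purchases cycling 60/80/100/120 and a balance of 900.
SAMPLE_ACCOUNT = AccountSnapshot(
    owner_name="Ada Example",
    owner_postcode="30301",
    balance=900.0,
    history=tuple(
        Transaction(date(2023 + i // 12, i % 12 + 1, 1), (60.0, 80.0, 100.0, 120.0)[i % 4], "US")
        for i in range(24)
    ),
)
LEGIT_ORDER = Order("Ada Example", "30301", 80.0, "US")      # usual amount, matching identity
REVIEW_ORDER = Order("Ada Example", "90210", 250.0, "US")    # spending spike, shipping elsewhere
SUSPECT_ORDER = Order("Bob Other", "00000", 2500.0, "RO")    # spike, new country, wrong owner, NSF

if __name__ == "__main__":
    for label, order in (("legit", LEGIT_ORDER), ("review", REVIEW_ORDER), ("suspect", SUSPECT_ORDER)):
        print(label, assess(SAMPLE_ACCOUNT, order))
```

The balance check is deliberately a hard gate rather than one more weighted signal: a payment that cannot settle should never be submitted, however clean the rest of the profile looks. The weights and the 0.3/0.6 thresholds are starting points to be tuned against your own decline and dispute data.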
How Merchants Access Customer Financial Data Through Open Banking
In practice, merchants and third-party providers who participate in open banking arrangements do not access sensitive customer financial data directly.
Instead, they partner with authorized account information service providers (also known as data aggregators or open banking platforms). These parties work to securely relay data between the customer’s bank and the merchant using APIs.
Before merchants or open banking platforms access any banking information, they must obtain explicit consent from the customer. When a customer opts in — for example, to verify income for a mortgage application or link a bank account for payments — they are redirected to their bank’s portal to authenticate and approve the specific data request. Unlike the legacy screen scraping approach, the merchant never sees the customer’s banking password.
Once authorized, the merchant can access specific, read-only data points essential for their operations. Common data types include:
- Transaction history & spending patterns: Used to build personalized offers or verify creditworthiness in real time, thereby enhancing the customer experience.
- Account balances: Used by “pay-by-bank” solutions to ensure that the customer has sufficient funds before a transaction is initiated, which can reduce NSF fees and reduce risk of ACH disputes.
- Account ownership information: Enables third parties and merchants to perform KYC (Know Your Customer) and Anti-Money Laundering (AML) checks and identity verification.
Privacy protections are central to this model. Under the principles established by the CFPB’s Personal Financial Data Rights Rule, data usage is strictly limited to the purpose for which the customer authorized use. For instance, data pulled for a one-time fraud check cannot be repurposed for targeted advertising or sold to third parties. Furthermore, customers retain the right to revoke this access at any time, which instantly severs the connection and stops data sharing.
What US Merchants Should Know About Open Banking Compliance
While the regulatory burden of Section 1033 falls primarily on banks (or “data providers”), merchants acting as “Authorized Third Parties” (or partnering with them) still face certain responsibilities.
Here are some key questions you may be asking about this:
Technically, no; the primary regulations target financial institutions and data providers. But, if you receive customer data, you become a participant in the regulated ecosystem. Most merchants will not connect directly; instead, you will partner with licensed intermediaries who will handle the heavy regulatory lifting on your behalf.
Not without express permission. A core tenet of the rule is purpose limitation: you may only use customer data for the specific product or service the customer authorized. For example, if a customer shares their bank history for an income verification check, you cannot legally repurpose that data to target them with ads for unrelated products, personalize their shopping experience, or sell their transaction history to brokers.
You must ensure your data partners use compliant authorization flows. Consent cannot be buried in generic terms of service; it must be explicit, informed, and granular. The customer must actively opt-in to share specific data fields (like “account balance” or “transaction history”) and understand exactly how long you will have access to it.
Even if you aren’t a bank, you are still responsible for the security of any financial data that lands on your servers. You must implement reasonable security standards to protect this sensitive information. Ideally, you should practice data minimization. For example, you can reduce your exposure to liability if you only “listen” to the data you absolutely need (e.g. a simple “yes/no” on sufficient funds) instead of storing the full transaction log.
You don’t have to. While the mandatory compliance deadlines are paused, open banking technology is fully operational via voluntary agreements between banks and fintechs. Early adopters who integrate open banking now can still experience benefits like lower payment fees and higher conversion rates.
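The consent model described in the two sections above (explicit, granular, purpose-limited access that the customer can revoke, with the merchant only "listening" to the minimal answer it needs) as an added Python example. It is a hypothetical gateway design, not the article's code and not any aggregator's or bank's API; the `Scope` names, the `Consent` fields, the `DataGateway` methods and the sample customer record are all constructed assumptions. It covers both the consent flow in "How Merchants Access Customer Financial Data" and the purpose-limitation and data-minimization points in the compliance section.

```python
"""Added example: a consent-gated data gateway with purpose limitation and data minimisation."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Callable


class Scope(Enum):
    BALANCE = "account_balance"             # read-only data (AISP-style access)
    TRANSACTIONS = "transaction_history"    # read-only data (AISP-style access)
    OWNER = "account_ownership"             # read-only data (AISP-style access)
    PAYMENT_INIT = "payment_initiation"     # read-write (PISP-style access)


class ConsentError(PermissionError):
    """Raised when a data request falls outside what the customer authorised."""


@dataclass
class Consent:
    customer_id: str
    scopes: frozenset[Scope]      # granular: only the fields the customer opted in to share
    purpose: str                  # the single purpose the data may be used for
    expires_at: datetime          # the customer knows how long access lasts
    revoked: bool = False

    def check(self, scope: Scope, purpose: str, now: datetime) -> None:
        if self.revoked:
            raise ConsentError("consent revoked by customer")
        if now >= self.expires_at:
            raise ConsentError("consent expired")
        if scope not in self.scopes:
            raise ConsentError(f"scope {scope.value!r} not granted")
        if purpose != self.purpose:
            raise ConsentError(f"purpose {purpose!r} not authorised (consent is for {self.purpose!r})")

    def revoke(self) -> None:
        self.revoked = True


@dataclass
class BankRecord:
    """Held by the aggregator; the merchant never receives this object whole."""
    owner_name: str
    balance: float
    transactions: list[float] = field(default_factory=list)


class DataGateway:
    def __init__(self, records: dict[str, BankRecord]):
        self._records = records
        self.audit: list[tuple[datetime, str, str, str]] = []   # who read what, and why

    def _read(self, consent: Consent, scope: Scope, purpose: str, now: datetime | None) -> BankRecord:
        now = now or datetime.now(timezone.utc)
        consent.check(scope, purpose, now)            # every read is checked, every time
        self.audit.append((now, consent.customer_id, scope.value, purpose))
        return self._records[consent.customer_id]

    def sufficient_funds(self, consent: Consent, amount: float, purpose: str, now=None) -> bool:
        """Data minimisation: answer the yes/no question, do not hand over the balance."""
        return self._read(consent, Scope.BALANCE, purpose, now).balance >= amount

    def transaction_history(self, consent: Consent, purpose: str, now=None) -> list[float]:
        return list(self._read(consent, Scope.TRANSACTIONS, purpose, now).transactions)


def attempt(action: Callable[[], object]) -> str:
    try:
        return f"ok: {action()}"
    except ConsentError as exc:
        return f"denied: {exc}"


def run_scenarios() -> dict[str, str]:
    """Constructed walk-through: one consent, then the ways a request can fall outside it."""
    gateway = DataGateway({"cust-1": BankRecord("Ada Example", 900.0, [60.0, 80.0, 100.0])})
    now = datetime(2026, 1, 15, tzinfo=timezone.utc)
    # The customer agreed to share only their balance, only for a fraud check, for 30 days.
    consent = Consent("cust-1", frozenset({Scope.BALANCE}), "fraud_check", now + timedelta(days=30))
    results = {
        "funds_check": attempt(lambda: gateway.sufficient_funds(consent, 250.0, "fraud_check", now)),
        "purpose_drift": attempt(lambda: gateway.sufficient_funds(consent, 250.0, "targeted_ads", now)),
        "scope_escalation": attempt(lambda: gateway.transaction_history(consent, "fraud_check", now)),
        "expired": attempt(lambda: gateway.sufficient_funds(consent, 250.0, "fraud_check",
                                                            now + timedelta(days=31))),
    }
    consent.revoke()    # customer withdraws access: every later read is refused
    results["revoked"] = attempt(lambda: gateway.sufficient_funds(consent, 250.0, "fraud_check", now))
    results["audit_entries"] = str(len(gateway.audit))   # only the permitted read was logged
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:>16}: {outcome}")
```

Two design points carry the compliance weight here: the purpose travels with every request and is compared against the consent at read time, so a later "marketing" use of data collected for a fraud check fails closed; and the merchant-facing method returns a boolean, so nothing beyond what the check needs ever reaches the merchant's systems or logs.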
The Future of Open Banking Rules in the US
The current legal injunction is far from the end for open banking in the US.
The exact timeline for the CFPB’s rewritten rule remains uncertain and will probably push mandatory compliance into late 2026 or beyond. Upcoming debates will likely focus on the mechanics of fair costs and liability standards. But, eventual implementation is highly likely. With bipartisan support for the concept of consumer data rights and a global landscape where 49 other countries have already adopted open banking frameworks, the US is inevitably moving toward a similar model.
Merchants should take advantage of this interim period. Market-driven adoption is accelerating regardless of the regulatory pause, and major banks and fintechs are continuing to sign voluntary data-access agreements as we speak.
The most prudent course of action is to stay informed and experiment. Consider running pilot programs with open banking payment providers now to test conversion rates and user experience. By the time new CFPB regulations inevitably standardize the ecosystem, forward-thinking merchants will already have the infrastructure and customer trust in place to capitalize on open banking payments immediately.
FAQs
Is open banking legal in the US?
Open banking could soon be legal in the US. However, a new Consumer Financial Protection Bureau (CFPB) rule, which would amend Section 1033 of the Dodd-Frank Act and legalize open banking in the country, has since been paused.
What are the downsides of open banking?
Downsides to open banking include data security risks, including the misuse of data by third parties and other new opportunities for fraud. Other downsides include high implementation costs and possible regulatory burdens.
Can I refuse to use open banking?
Absolutely. You can refuse to use open banking and are never automatically opted-in. A third-party service must obtain your explicit consent before accessing your data.
Do I need to comply with open banking rules as a merchant?
Merchants are not directly regulated by Section 1033. The rule applies to banks and financial institutions that hold customer data. However, if you want to access customer financial data or offer open banking payments, you'll need to work with licensed third-party providers who are compliant.
Will open banking replace credit card payments?
No. Open banking payments will coexist with card payments, offering an alternative payment method. Many merchants will adopt a hybrid approach, offering both options and using open banking for specific use cases like high-value transactions or recurring payments where chargeback risk is a concern.
How can open banking reduce my chargebacks?
Open banking account-to-account payments bypass card networks entirely and don't have built-in chargeback rights like card payments do. Additionally, access to customer financial data enables better fraud detection and risk assessment, helping prevent fraudulent transactions before they occur.
What happened to the CFPB's open banking rule?
The rule was finalized in October 2024 but was immediately challenged in court. In October-November 2025, a federal judge issued an injunction pausing enforcement while the CFPB rewrites the rule. The Trump administration declared the original rule unlawful and is developing a revised version. The timeline for the new rule is uncertain.
Is open banking secure?
Yes. Open banking uses secure APIs with strong authentication requirements (typically multi-factor authentication). It's more secure than older "screen scraping" methods. All data sharing requires explicit customer consent, and regulations mandate strong security protocols.
What data can merchants access through open banking?
With customer consent, merchants can access transaction history (typically 24 months), account balances, account verification information, and payment initiation capabilities. However, data can only be used for purposes explicitly authorized by the customer—not for selling data or targeted advertising.
Should my business prepare for open banking now despite the regulatory uncertainty?
Yes. While specific compliance requirements are in flux, the fundamental principles of open banking are likely to persist. Consider evaluating payment partners that offer open banking capabilities, researching how competitors are using it, and understanding how it could benefit your fraud prevention strategy.