Open Banking Explained: What It Means for Your Money and Privacy
Open banking is reshaping how your financial data moves between banks and apps. Here is what it actually is, how it differs from the old screen-scraping model, what consumer rights you gain, and why it still does not solve every privacy concern.
What Is Open Banking?
Open banking is a regulatory framework that requires banks to provide standardized APIs (application programming interfaces) so that consumers can securely share their financial data with third-party apps. The core idea is that your financial data belongs to you, not to your bank, and you should be able to share it with authorized services if you choose to.
This concept has been implemented differently around the world. In the European Union, it was mandated by the Second Payment Services Directive (PSD2) starting in 2018. In the United Kingdom, the Competition and Markets Authority ordered the nine largest banks to implement open banking APIs in 2018. In the United States, the CFPB finalized its Section 1033 rule in late 2024, with phased implementation beginning in 2025 and extending through 2030.
The common thread is the same: banks must let you share your data with apps through secure, standardized channels rather than forcing you to hand over your login credentials.
The Old World: How Screen Scraping Worked
Before open banking, there was screen scraping. This is the method that companies like Plaid, Yodlee, and others used to get your bank data. The process worked like this:
- You entered your bank username and password into the app's interface.
- The aggregator (like Plaid) stored those credentials on its servers.
- The aggregator used your credentials to log into your bank's website, pretending to be you.
- It navigated the bank's web pages and extracted (scraped) your transaction data, balances, and other information.
- This process repeated periodically (often daily) to keep the data current.
Screen scraping had several fundamental problems. The aggregator held your actual bank password. It logged into your account without the bank's knowledge or consent. If the bank changed its website layout, the scraper could break. If the aggregator was compromised, every stored credential was at risk. And there was no standardized way for you to revoke access: you had to change your bank password.
This is the model behind Plaid's $58 million class-action settlement in 2022. The lawsuit alleged that Plaid's interfaces were designed to look like bank login pages, leading users to believe they were authenticating directly with their bank rather than handing their credentials to a third party.
The New World: API-Based Open Banking
Open banking replaces screen scraping with a fundamentally different architecture. Instead of giving a third party your bank password, you authenticate directly with your bank, and the bank issues a limited access token to the third-party app.
Here is how the process works under open banking:
- The app asks to connect to your bank account.
- You are redirected to your bank's own website or app (not the third party's interface).
- You log in directly with your bank and authorize specific data access (for example, transaction history only).
- Your bank issues a secure token to the app. This token grants limited access to the data you authorized, nothing more.
- The app uses the token to request data through the bank's official API.
- You can revoke the token at any time through your bank's portal.
This is a significant improvement. The third party never sees your password. The bank controls what data is shared and can enforce limits. You have a clear revocation mechanism. And the bank knows exactly which third parties are accessing your data.
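To make the token model above concrete, here is a small added example (not code from the article, and not any bank's real API) of a bank issuing a scope-limited token after the customer approves access, enforcing that scope and expiry at its API, honouring revocation, and listing which apps currently hold live tokens. The bank class, app id, scope names and account data are all constructed for illustration.

```python
# Added example: toy model of the token-based open banking flow.
# Bank, app id, scope names and account data are constructed, not real.
import secrets
import time
from dataclasses import dataclass


@dataclass
class AccessToken:
    value: str
    app_id: str
    scopes: frozenset      # e.g. {"transactions:read"}; nothing else is granted
    expires_at: float      # tokens expire, so forgotten connections lapse
    revoked: bool = False


class Bank:
    """The bank issues tokens and serves its API; the app never holds a password."""

    def __init__(self):
        self._tokens = {}
        # Constructed sample data for a single customer.
        self._data = {
            "transactions": [("2026-01-03", -42.10, "Grocery"),
                             ("2026-01-05", 2500.00, "Salary")],
            "balances": {"checking": 3120.55},
        }

    def authorize(self, app_id, requested_scopes, ttl_seconds=90 * 24 * 3600):
        """Called only after the customer logged in at the bank and approved the scopes."""
        token = AccessToken(secrets.token_urlsafe(32), app_id,
                            frozenset(requested_scopes), time.time() + ttl_seconds)
        self._tokens[token.value] = token
        return token.value            # this opaque value is all the app receives

    def revoke(self, token_value):
        """Customer revokes from the bank portal; future API calls fail immediately."""
        token = self._tokens.get(token_value)
        if token is not None:
            token.revoked = True

    def api_get(self, token_value, resource):
        """Bank API: validate the token, then enforce the scope the customer approved."""
        token = self._tokens.get(token_value)
        if token is None or token.revoked or time.time() > token.expires_at:
            return {"error": "invalid_token"}
        if resource not in self._data:
            return {"error": "not_found"}
        if f"{resource}:read" not in token.scopes:
            return {"error": "insufficient_scope"}
        return {resource: self._data[resource]}

    def connected_apps(self):
        """What a bank's consent dashboard shows: apps holding a live token."""
        return sorted({t.app_id for t in self._tokens.values() if not t.revoked})
```

With a token scoped to `transactions:read`, a request for `balances` is refused by the bank, and after revocation the same token fails for everything, which is exactly the control the screen-scraping model could not offer.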
Screen Scraping vs. Open Banking: Key Differences
| Factor | Screen Scraping | Open Banking API |
|---|---|---|
| Credentials | Third party stores your password | You authenticate with your bank; no password shared |
| Data scope | Aggregator can scrape everything visible on the bank site | Bank controls exactly what data the token grants access to |
| Revocation | Change your bank password | Revoke token through bank portal or app settings |
| Bank awareness | Bank often does not know a third party is accessing the account | Bank fully aware, can monitor and enforce limits |
| Standardization | Every bank is different; scrapers break frequently | Standardized API format mandated by regulation |
| Regulation | Legal gray area | Explicitly regulated (CFPB 1033, PSD2) |
CFPB Section 1033: The US Open Banking Rule
Section 1033 of the Dodd-Frank Act has been on the books since 2010, but it was never implemented until the CFPB finalized its rulemaking in late 2024. The rule establishes that financial institutions must make consumer financial data available in electronic form upon request, through standardized developer interfaces (APIs).
What the Rule Requires
- Consumer-authorized access. Third parties can only access your data with your explicit authorization.
- Standardized APIs. Banks must provide APIs that meet industry-standard specifications, eliminating the need for screen scraping.
- Purpose limitation. Third parties must limit data use to the specific purpose you authorized.
- No data monetization. Third parties cannot sell your data or use it for purposes you did not authorize.
- Easy revocation. You can revoke access at any time, and the third party must stop collecting your data.
- Reauthorization. Access must be reauthorized periodically, preventing indefinite data collection from forgotten connections.
Implementation Timeline
The rule uses a phased approach based on institution size. The largest banks (those holding more than $250 billion in assets) face the earliest compliance deadlines, beginning in 2025. Smaller institutions have until 2027-2030 to comply. As of February 2026, several of the largest US banks have begun offering compliant APIs, but the transition is far from complete.
PSD2 in Europe: The Pioneer
The European Union's Payment Services Directive 2 (PSD2), effective since 2018, was the first major open banking mandate. It required all EU banks to provide APIs for authorized third-party providers (TPPs) to access account data and initiate payments with customer consent.
PSD2 created two categories of authorized third parties: Account Information Service Providers (AISPs), which can read account data, and Payment Initiation Service Providers (PISPs), which can initiate payments. Both require regulatory licensing and must comply with Strong Customer Authentication (SCA) requirements.
The EU experience with PSD2 has been mixed. API quality varies significantly across banks. Some bank APIs are fast and reliable. Others are slow, frequently offline, or return incomplete data. Consumer adoption has been gradual rather than explosive. But the regulatory framework has been valuable as a template for other countries, including the US.
What Open Banking Means for Your Privacy
Open banking is unambiguously better than screen scraping for privacy and security. You do not share your password. You control what data is shared. You can revoke access. The bank monitors third-party activity. These are real, meaningful improvements.
However, open banking does not eliminate all privacy concerns. It standardizes and legitimizes data sharing, but it also makes it easier for more apps to request access to your financial data. As APIs become ubiquitous, the number of companies asking to connect to your bank account will increase, not decrease.
The More Apps Problem
When connecting to a bank was technically difficult (requiring screen-scraping infrastructure), only well-funded companies like Plaid could do it. Open banking lowers the barrier. Any developer who registers with a bank can potentially request access to consumer data. More access points mean more potential failure points, more companies holding your data, and more connections to manage.
The Ongoing Access Problem
Open banking connections, like Plaid connections, persist until revoked. Although the reauthorization requirement in Section 1033 addresses this partially, you are still granting ongoing access to your financial data. If you connect 10 apps over the course of a year and forget to revoke access to the ones you stop using, 10 companies continue to access your bank account.
The Data Retention Question
Open banking regulates how data is accessed, but the rules around how long third parties can retain data after accessing it are less clear. An app may pull your transaction history through a compliant API and then store that data on its own servers indefinitely. Revoking the API token stops future access, but it does not necessarily delete data that has already been collected.
A Different Approach: Sidestepping the Debate Entirely
Open banking vs. screen scraping is an important debate, but it only applies to apps that require ongoing, real-time access to your bank account. For budgeting and spending analysis, there is a third option that sidesteps the entire question: PDF statement upload.
With Spend & Invest, there is no bank connection at all, neither through an aggregator nor through an open banking API. You download your bank statement as a PDF (which every bank provides), upload it, and AI parses every transaction. The connection between you and your bank is never touched. No token, no API, no password, no ongoing access.
This approach trades real-time convenience for complete independence from the bank-connection ecosystem. For people who want spending analytics without participating in the open banking infrastructure at all, it is the cleanest option available.
What Comes Next for Open Banking
Open banking is still in its early stages in the United States. Over the next several years, expect to see:
- More banks offering compliant APIs. As Section 1033 deadlines roll through, progressively smaller banks will implement open banking interfaces.
- Screen scraping declining. Aggregators like Plaid will increasingly rely on bank APIs rather than credential-based scraping. This is already happening.
- More consumer control tools. Banks will build better dashboards for managing third-party access, similar to how you manage app permissions on your phone.
- Regulatory evolution. The CFPB rule may be challenged, modified, or strengthened depending on political dynamics. International frameworks will continue to mature.
- New privacy questions. As more data flows through standardized APIs, questions about data retention, secondary use, and aggregator liability will become more pressing.
The Bottom Line
Open banking is a genuine improvement over screen scraping. It eliminates credential sharing, gives banks visibility into third-party access, provides standardized consumer rights, and creates a regulated framework for financial data portability. If you are going to connect apps to your bank account, open banking is the safer way to do it.
But open banking also makes it easier for more companies to request your data, does not fully address data retention concerns, and still requires ongoing trust in third parties. For budgeting specifically, tools that work without any bank connection offer the maximum privacy guarantee that no regulatory framework can match.
Further Reading
- Is Plaid Safe? What You Need to Know About Sharing Bank Credentials — Plaid's security, its settlement, and how to evaluate the risks.
- Your Complete Guide to Financial Data Privacy in 2026 — A comprehensive guide to auditing and protecting your financial data.
- Plaid Alternatives for Budgeting — Every option for tracking spending without sharing bank credentials.
- How to Revoke Plaid Access to Your Bank Account — Step-by-step instructions for auditing and removing Plaid connections.