Open banking sounds like one thing. It is at least two, and the two diverge in ways that shape how you build, who you contract with, and what you can charge. The US route runs through a single consumer-rights statute enforced by one regulator. The EU route runs through a market-structure regulation that delegates the working detail to industry schemes. Same nominal right, the consumer's data, on two different load-bearing structures.
If you operate on both sides of the Atlantic, you cannot port one compliance posture to the other. The mechanics differ at the level that matters for engineering and commercial teams: who must share, what counts as covered data, how access is authorized, and whether anyone gets paid for the pipe.
The US: a right hung on one statute
Section 1033 of the Dodd-Frank Act gives a consumer the right to access their own financial data. The CFPB turned that statutory hook into operational rules with the Personal Financial Data Rights rule, finalized on October 22, 2024.
The rule obligates data providers (banks, credit unions, card issuers) to make covered data available in machine-readable form to the consumer and to authorized third parties. Covered data includes transaction history, account balance, terms and conditions, upcoming bill information, and basic account verification. The intended endpoint was the retirement of screen scraping in favor of authorized, tokenized API access.
Two design choices stand out for builders. First, the rule banned data providers from charging fees for fulfilling these requests, which is the opposite of the EU stance. Second, it set a phased compliance schedule by institution size, with the largest providers due to comply by April 1, 2026 and the smallest given until April 1, 2030.
The wrinkle: it is not currently being enforced
Here is the part you cannot skip in 2026. The rule is finalized but enjoined. A federal court in the Eastern District of Kentucky barred the CFPB from enforcing it while the Bureau reconsiders the substance. The April 1, 2026 date for large providers arrived without becoming a live enforcement trigger.
In August 2025 the CFPB issued an Advance Notice of Proposed Rulemaking signaling it would revisit core provisions, among them how to treat fees (the no-fee posture is squarely in question), who qualifies as a consumer's representative, and the data-security and privacy threat model. A rewrite, or a withdrawal, is on the table.
For a US-facing data program, that means you build to the finalized text as your reference architecture while treating the no-fee rule and the exact representative definition as unsettled. Plan tokenized access and consent revocation now. Do not hard-code commercial assumptions that depend on the rule surviving in its current form.
The EU: a right delegated to schemes
The EU's Financial Data Access framework, FIDA, takes a different shape. It is a regulation that sets the perimeter, then pushes the operating rules down to Financial Data Sharing Schemes (FDSS) that data holders and data users must join.
FIDA remains in trilogue, with the data-holder compensation mechanism the most contested open item. A political agreement is hoped for in 2026, but Official Journal publication could slip to 2027, after which application would phase in over the following years rather than switching on at once. Treat dates here as moving until the final text is published in the Official Journal.
Two structural features matter most.
Scope is broader than payment accounts
FIDA is "open finance," not just open banking. It reaches beyond the payment-account data that PSD2 already opened. The scope under negotiation covers savings and investment data, mortgage and loan data, certain pensions, and non-life insurance products. Notably, sickness, health, and life insurance products were carved out over data-security and exclusion-risk concerns. The negotiated scope has shifted through trilogue, so confirm the final categories against the adopted text before you scope a product.
Data holders can charge, and a dashboard is mandatory
Unlike Section 1033's no-fee posture, FIDA lets data holders seek reasonable compensation from data users for making data available. The maximum a holder can charge is set within the scheme, not by the firm unilaterally. That makes scheme membership a commercial negotiation, not just a technical onboarding.
FIDA also requires data holders to provide a permission dashboard, where the customer can see who holds their data, which data points were shared, and revoke access. That is an explicit product surface you must build, not an internal log.
A worked example: a SaaS lender wiring up account data
Imagine a lending platform that wants to read a borrower's transaction history to underwrite, operating in both the US and the EU.
In the US, the platform is a third party acting on the consumer's authorization. Under the finalized 1033 rule it would obtain tokenized, scoped access to covered data from each bank's developer interface, at no charge from the bank, with the consumer able to revoke. But because the rule is enjoined and under reconsideration, in practice the platform still leans on aggregator relationships and existing bilateral agreements, because there is no enforceable obligation compelling banks to stand up compliant interfaces right now.
In the EU, the same platform must join the relevant FDSS, accept the scheme's standardized interface specs and liability terms, and budget for compensation the data holder is entitled to charge under the scheme's cap. It must also respect the holder's permission dashboard as the consumer's control point. The technical integration is more prescribed, and the cost line is real rather than zero.
Same feature, two builds. In the US the constraint is regulatory uncertainty, so you hedge. In the EU the constraint is scheme governance and cost, so you negotiate and budget.
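The shared baseline the two builds have in common (scoped, revocable, tokenized grants plus a consumer-facing permission view) can be sketched as a small consent registry. This is an added illustration, not code from the article, the CFPB rule or any FIDA scheme; the scope labels, the "US"/"EU" regime switch and the 90-day default lifetime are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets

# Covered-data categories as the text lists them (constructed labels, not a standard's identifiers).
SCOPES_1033 = {"transactions", "balance", "terms", "upcoming_bills", "account_verification"}
SCOPES_FIDA = SCOPES_1033 | {"savings_investments", "mortgage_loans", "pensions", "non_life_insurance"}
ALLOWED = {"US": SCOPES_1033, "EU": SCOPES_FIDA}

@dataclass
class Grant:
    token: str         # opaque bearer token handed to the data user, never the consumer's credentials
    holder: str        # data holder / data provider (the bank)
    user: str          # data user / authorized third party (the lender)
    scopes: frozenset  # exactly the data points the consumer agreed to share
    regime: str        # "US" or "EU" (assumed switch)
    expires: datetime
    revoked: bool = False

    def active(self, now):
        return not self.revoked and now < self.expires

class ConsentStore:
    def __init__(self):
        self.grants = {}  # consumer id -> list[Grant]; also backs the permission dashboard

    def authorize(self, consumer, holder, user, scopes, regime, ttl_days=90):
        out_of_scope = set(scopes) - ALLOWED[regime]
        if out_of_scope:  # refuse loudly rather than silently narrowing (e.g. FIDA's life-insurance carve-out)
            raise ValueError(f"not covered data under {regime}: {sorted(out_of_scope)}")
        grant = Grant(secrets.token_urlsafe(32), holder, user, frozenset(scopes), regime,
                      datetime.now(timezone.utc) + timedelta(days=ttl_days))
        self.grants.setdefault(consumer, []).append(grant)
        return grant.token

    def can_read(self, consumer, token, scope, now=None):
        now = now or datetime.now(timezone.utc)
        return any(g.token == token and scope in g.scopes and g.active(now)
                   for g in self.grants.get(consumer, []))

    def revoke(self, consumer, token):
        for g in self.grants.get(consumer, []):
            if g.token == token:
                g.revoked = True

    def dashboard(self, consumer, now=None):
        now = now or datetime.now(timezone.utc)
        return [{"shared_with": g.user, "source": g.holder, "data_points": sorted(g.scopes),
                 "regime": g.regime, "active": g.active(now)} for g in self.grants.get(consumer, [])]
```

Every read is checked against the grant's scope and revocation state rather than against the token alone, and the dashboard is derived from the same records the authorization path uses, so the two cannot drift apart.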
The takeaway
The two regimes answer the same question (who controls financial data) with opposite instincts. The US hangs a consumer right on one statute and one regulator, currently frozen mid-flight. The EU writes a market-structure regulation and delegates the operating rules to industry schemes that can charge for access and mandate a consumer dashboard.
For anyone shipping across both, the practical rule is simple. Do not assume reciprocity. Architect for tokenized, revocable, scoped access as the shared baseline, then split your assumptions: in the US, treat fees and enforcement as unsettled; in the EU, treat scheme membership and compensation as fixed costs you design around. The next module on stablecoins as regulated money picks up the same theme of one outcome reached through very different legal scaffolding.