The Consumer Financial Protection Bureau’s 1033 rule, which would have put security guardrails around the movement of data, is likely to be scrapped, given that the agency itself, under a new administration, has said the rule is unlawful and needs to be set aside. So banks and fintechs need to continue to police themselves and use industry standards and general principles of security, privacy and reliability.

For banks, this means not only building APIs and authentication systems, but also implementing strict security oversight, monitoring third-party connections, and keeping detailed records of data access requests and responses. There is no specific technology or protocol mandated for APIs — banks can choose the technical implementation — but there have been calls for standardized, machine-readable formats and reliable performance.

To guide this, the CFPB had intended to recognize standard-setting bodies, or SSBs, that develop qualified industry standards, or QISs, for data sharing. Adhering to an SSB’s standards (for formatting, authentication, security and so on) would have served as a safe harbor “indicia of compliance for data providers” under the CFPB rule. One standard-setting body has been recognized by the CFPB: the Financial Data Exchange, or FDX. The CFPB has received one other application, from the Canada-based Digital Governance Standards Institute, or DGSI.