America's Open Banking Deadline Arrives to an Empty Room as Courts and the Trump Administration Leave Section 1033 in Limbo
The CFPB's April 1 compliance deadline for its landmark Personal Financial Data Rights rule passed without enforcement after a federal judge enjoined the regulation and the agency itself declared it unlawful, leaving the future of U.S. open banking to a market moving faster than its regulators.
A Deadline Without a Rule
April 1, 2026, was supposed to be a landmark date in American consumer finance. The Consumer Financial Protection Bureau’s Personal Financial Data Rights rule — built on Section 1033 of the Dodd-Frank Act — required the nation’s largest banks, those holding at least $250 billion in assets, to begin sharing customer financial data with authorized third parties through standardized APIs at no charge to consumers. Nonbank institutions with at least $10 billion in revenue faced the same deadline. Instead, the day passed in regulatory silence.
A federal judge in the Eastern District of Kentucky had already enjoined the CFPB from enforcing the rule while the agency undertakes a wholesale reconsideration of the regulation it finalized just eighteen months earlier. The plaintiffs — the Bank Policy Institute, the Kentucky Bankers Association, and Forcht Bank — argued that the CFPB exceeded its statutory authority and that the rule was arbitrary and capricious under the Administrative Procedure Act. The court agreed they were likely to prevail.
What makes this injunction unusual is that the defendant largely concurred with the plaintiffs. CFPB Chief Legal Officer Mark Paoletta filed a motion to withdraw the rule, stating that the agency under its new leadership considered the regulation “unlawful and should be set aside.” The Biden-era CFPB had finalized the rule in October 2024 as a pro-competition measure designed to let consumers port their financial data freely between institutions. The Trump administration’s CFPB has effectively abandoned that framing.
What the Rule Would Have Required
The original regulation mandated that covered entities — depository institutions with $850 million or more in total assets and certain nonbank financial companies — make specific consumer data available electronically upon request. That data encompassed transaction histories spanning the prior 24 months, account terms and conditions, and personal account information.
The CFPB designed the rule as a phased rollout. The largest institutions faced the April 1, 2026 deadline, while progressively smaller institutions would follow through April 1, 2030. The regulation also barred data providers from charging consumers for access and imposed limits on how third-party applications could collect, retain, and use the information — a direct response to years of unregulated screen scraping by fintech data aggregators.
Section 1033 of Dodd-Frank had sat dormant since its enactment in 2010. The CFPB’s rulemaking represented the first serious attempt to operationalize a provision that Congress wrote but never defined in detail, leaving questions about implementation, cost allocation, and liability largely unanswered for over a decade.
The Four Questions Driving the Rewrite
On August 22, 2025, the CFPB published an Advance Notice of Proposed Rulemaking (ANPRM) signaling that it intends to substantially revise, rather than simply rescind, the rule. The notice identifies four areas under review.
The first concerns representative authority: who qualifies to request data on a consumer’s behalf. The original rule allowed authorized third-party applications to pull data directly, a framework that banks argued exposed them to liability for downstream breaches they could not control.
The second is fee assessment. The Biden-era rule prohibited data providers from charging for access. Banks have pushed back forcefully, with the American Bankers Association arguing that institutions “incur substantial costs to develop, maintain and safeguard the data pipelines.” JPMorgan Chase has already established a precedent by negotiating fee-based API access agreements with data aggregator Plaid, effectively creating the market-driven pricing model that banks want codified into law.
The third area is data security. The CFPB is evaluating the threat landscape and cost-benefit calculus of requiring institutions to build and maintain open API infrastructure. Banks point to the risk of creating new attack surfaces; fintechs counter that standardized APIs are inherently safer than the screen-scraping practices they would replace. Wells Fargo and PNC have sent cease-and-desist letters to aggregator Trustly demanding it halt screen scraping of their platforms, underscoring that banks view the status quo as untenable regardless of the regulatory outcome.
The fourth concerns data privacy: how to prevent the misuse, resale, or unauthorized retention of consumer financial information once it leaves the originating institution.
A Market That Will Not Wait
The regulatory vacuum has not frozen the industry. Major banks have moved ahead with bilateral data-sharing agreements driven by consumer demand and competitive pressure rather than compliance obligations. Truist Financial announced a data-access agreement with Plaid to transition customers from screen scraping to secure, tokenized APIs. JPMorgan Chase, Wells Fargo, and Citigroup have signed similar arrangements with data aggregators.
The embedded finance market provides context for the urgency. Bain estimates that U.S. embedded finance transaction value will exceed $7 trillion in 2026. Data aggregators including Plaid, MX, and the Financial Data Exchange standards consortium are building infrastructure that presumes open banking will arrive in some form, with or without a federal mandate.
Fintech trade groups have been vocal in their opposition to the delay. Penny Lee, president and CEO of the Financial Technology Association, stated that her organization “respectfully disagrees” with the injunction and is exploring all options, including an appeal. She emphasized that “Section 1033 gives consumers the right to securely control and share their personal financial data with the authorized representatives they choose and without having to pay a fee” and that “most Americans today rely on open banking connectivity to access apps and services and manage their financial lives.”
The Data Toll Question
The most contentious issue in the rewrite may be whether banks can charge fintechs for API access — what critics call “data tolls.” The Biden-era rule explicitly prohibited such fees, reasoning that consumers own their data and should not bear costs for accessing it. Banks argue that building secure, real-time API infrastructure is expensive and that the prohibition effectively forces them to subsidize their competitors.
JPMorgan’s existing fee arrangement with Plaid suggests the market is already answering this question on its own terms. If the revised rule permits cost recovery, it could entrench large banks’ advantage by pricing smaller fintechs out of the data ecosystem. If it maintains the prohibition, banks warn they will face unfunded mandates that could slow adoption.
What Comes Next
Industry observers expect the CFPB to issue a Notice of Proposed Rulemaking in the coming months, though the timeline remains uncertain. The comment period for the ANPRM closed in October 2025 and drew nearly 14,000 submissions, indicating the intensity of stakeholder interest. A final revised rule is unlikely before late 2026 at the earliest, and any new compliance deadlines would reset the clock for the institutions that had been preparing for the April 1 date.
The paradox of America’s open banking moment is that the market is moving decisively toward data portability while the regulatory framework that was supposed to ensure it happens securely and equitably has been pulled apart by the same political forces that created it. Whether the revised rule strengthens consumer protections or loosens them in favor of incumbent institutions will depend on choices the CFPB has yet to make — and on whether the courts allow whatever emerges to stand.