US Open Banking Enters Regulatory Limbo as April Deadline Passes Without Enforcement
The CFPB's landmark open banking rule missed its April 1 compliance deadline after a court injunction and agency reconsideration, but major banks are forging private data-sharing deals that may shape the market before regulators act.
Overview
April 1, 2026, was supposed to mark a watershed moment for American financial services. On that date, the largest US banks were required to begin sharing consumer financial data with authorized third-party apps through secure APIs under the Consumer Financial Protection Bureau’s Section 1033 rule. Instead, the rule—finalized in October 2024—sits in legal and political limbo, blocked by a federal court injunction and under formal reconsideration by the agency’s new leadership.
The regulatory vacuum has not stopped the industry from moving. Major banks are striking private data-sharing agreements with fintech aggregators, establishing commercial terms that could define open banking in America for years regardless of what Washington eventually decides.
What We Know
The CFPB finalized its Personal Financial Data Rights rule under Section 1033 of the Dodd-Frank Act in October 2024. The rule required banks, credit card issuers, and digital wallet providers to make consumer transaction data, account balances, and payment information available to authorized third parties at no cost. The largest institutions—those holding over $250 billion in assets—faced an April 1, 2026, compliance deadline, with mid-sized and smaller institutions given until 2028 and 2030 respectively, as documented by the Congressional Research Service.
The rule never took effect on schedule. Banking trade groups filed suit challenging the regulation, and a federal judge issued an injunction pausing enforcement. The CFPB’s own leadership under the Trump administration signaled skepticism, with the agency’s chief legal officer filing a motion arguing the rule was “unlawful and should be set aside,” according to the Congressional Research Service.
In August 2025, the CFPB published an Advance Notice of Proposed Rulemaking, effectively restarting the process. The agency identified four areas for reconsideration: the definition of who qualifies as a consumer’s “representative,” whether banks can charge fees for data access, data security requirements, and data privacy protections.
The Market Moves Without Regulators
While Washington debates, the private sector has begun building its own open banking framework through bilateral agreements.
JPMorgan Chase set the precedent in mid-2025 by negotiating fee-based data access contracts with aggregators including Plaid, Yodlee, and Akoya. The bank receives approximately 1.89 billion data requests per month, and the fee structure it imposed could generate as much as $300 million annually, as reported by CNBC. The deals cover more than 95 percent of data pulls on JPMorgan’s systems.
Other major banks have followed suit. On March 12, 2026, Truist Financial—a top-10 US commercial bank with $548 billion in assets—announced a data-access partnership with Plaid built on Financial Data Exchange-aligned APIs. The agreement replaces credential-based screen scraping with a secure API framework and includes shared fraud-detection intelligence, according to Truist’s announcement. Sherry Graziano, Truist’s head of digital, client experience, and marketing, said the partnership provides “a secure, personalized banking experience that digitally empowers clients,” as stated in the press release.
JPMorgan Chase, Wells Fargo, and Citigroup have all signed similar API-based data-sharing agreements with aggregators. At the same time, some banks have taken a harder line against legacy screen-scraping practices, sending cease-and-desist letters to aggregators that still use credential-based access.
What We Don’t Know
The central unresolved question is whether banks will be allowed to charge for consumer data access. The original CFPB rule explicitly banned data access fees, a position supported by fintech trade groups who argue that fees would be passed to consumers and stifle competition. Banks counter that building and maintaining secure API infrastructure imposes real costs. JPMorgan’s successful imposition of fees—covering more than 95 percent of its data traffic, as reported by CNBC—has created a market precedent, but whether a revised rule will codify or prohibit such charges remains unclear.
The timeline for a replacement rule is also uncertain. The CFPB has indicated it will decline to enforce the existing rule while it develops a revised version, but has not committed to a publication date. Observers expect the agency to issue a new proposed rule later in 2026, though the rulemaking process could extend well into 2027.
There is also the question of fragmentation. Without a uniform federal standard, data access terms vary bank by bank. Smaller fintechs that lack the negotiating leverage of a Plaid or Yodlee may find themselves locked out of data that larger aggregators can access, potentially creating a two-tier open banking ecosystem.
Analysis
The bilateral deals between banks and aggregators are creating a de facto standard governed by market power rather than consumer protection mandates. JPMorgan’s ability to impose fees on aggregators representing 95 percent of its data traffic demonstrates that the largest banks can effectively set the terms for how consumer financial data moves through the system.
This market-driven approach has clear benefits: API-based access is more secure than screen scraping, fraud detection is improving through shared intelligence, and the transition is happening without waiting for regulatory certainty. But it also raises concerns. The original Section 1033 rule was designed to put consumers in control of their data and prevent banks from using their gatekeeper position to extract rents. The emerging private framework inverts that logic—banks are monetizing data access, and the cost ultimately flows downstream.
The United Kingdom, often cited as a model for open banking, built its framework through a regulator-led mandate that standardized free API access. Whether the US will converge toward a similar model or formalize the bank-led approach now taking shape may depend on how aggressively the CFPB acts in the months ahead.