A Deadline That Was Both Reached and Suspended
April 1, 2026, came and went as the originally planned compliance deadline for the largest banks under the Consumer Financial Protection Bureau’s Personal Financial Data Rights rule, finalised under Section 1033 of the Dodd-Frank Act in October 2024. The rule’s design was straightforward: covered financial institutions must let consumers — and any third party authorised by the consumer — access transaction history, balances, and account terms via standardised APIs at no cost, with revocable consent. A phased compliance schedule put the largest banks at April 1, 2026, and the smallest covered institutions at April 1, 2030.
The arrival of April 1, 2026, however, did not produce a binding enforcement event. As Cozen O’Connor’s analysis noted, “the April 1 date arrived, but not as a binding enforcement trigger.” A federal district court in the Eastern District of Kentucky enjoined the CFPB from enforcing the rule during the agency’s reconsideration. The CFPB itself, under new leadership, filed a motion to withdraw the rule entirely, with chief legal officer Mark Paoletta describing the rule as “unlawful and should be set aside.” On August 22, 2025, the CFPB published an Advance Notice of Proposed Rulemaking (ANPRM) signalling a replacement effort.
The result is a regulation that exists on the books, is paused by court order, and is being rewritten by the agency that finalised it sixteen months earlier.
What the Rule Actually Required
Even with the rewrite under way, the substantive obligations of the original 1033 rule remain the most likely template for whatever replaces it — and remain a useful baseline for banks and fintechs that have already invested in compliance work. The original rule required covered institutions to:
- Share consumer-authorised financial data — transaction histories, balances, account terms — at no charge to the consumer.
- Provide access only with explicit, revocable consent from the consumer.
- Implement standardised APIs aligned with the Financial Data Exchange (FDX) consortium’s technical and consent standards.
- Honour third-party access by aggregators and fintechs without imposing punitive technical or contractual barriers.
The Financial Data Exchange standards are the practical scaffolding most affected institutions have built against. As Digital API’s analysis points out, gaps remain in the broader open-banking framework — notably the absence of a unified accreditation system for third-party providers and lingering technical-standard fragmentation — but the FDX layer is real and operational.
Advertisement
The Industry Response Splits Three Ways
The pause has divided market participants into three camps, each acting differently:
Banks that already built. Large institutions that invested heavily in 1033 compliance through 2024–2025 are largely keeping the infrastructure live. The cost of building was sunk; the operational cost of running it is modest; and any rewritten rule will almost certainly assume some version of the same data-access obligations. As JD Supra’s Cozen O’Connor analysis observed, this is “interim period requiring strategic action rather than inaction” — pressure-testing existing data systems, revisiting vendor agreements, formalising access policies.
Banks that hadn’t built yet. Smaller institutions and slower movers are mostly waiting. With enforcement on hold and a new rulemaking in flight, it is rational to defer capital expenditure until the replacement rule clarifies obligations — particularly around cost recovery from third parties, which the original rule prohibited.
Data aggregators and fintechs. As PYMNTS coverage of the data-aggregator response notes, aggregators are pushing publicly for “secure access” frameworks during the rewrite. Their commercial model depends on consumer-authorised access to bank data, and any rewrite that re-introduces gating fees or restricts third-party access threatens their unit economics. They have an active lobbying interest in shaping the replacement rule.
What April 2026 Means in Practice
For banks and fintechs operating in the United States, the practical state in April 2026 is:
- No active enforcement of the October 2024 rule pending litigation and rewrite.
- Clear regulatory direction that open banking obligations are coming in some form — the question is the rule’s shape, not its existence.
- Active investment by major banks and aggregators in FDX-aligned infrastructure, on the assumption that the replacement rule will use similar plumbing.
- Uncertainty on cost-recovery — whether the replacement rule will allow banks to charge third parties for data access is a central open question that materially affects fintech business models.
- Smallest covered institutions still on a notional April 1, 2030 timeline, but with no real visibility into what the rule will require by then.
Why Global Watchers Should Care
The US 1033 conversation matters internationally because it sets the template — for better or worse — that other jurisdictions will read. Algeria’s draft framework for open banking, the EU’s PSD3/PSR proposals, the UK’s continuing Open Banking evolution, and Gulf jurisdictions designing their own data-rights regimes are all watching to see whether Section 1033 lands as a workable national-scale open-banking framework or as a cautionary tale about regulatory durability.
For institutions with exposure to multiple jurisdictions — global banks, fintechs operating across regions, vendors selling data-aggregation infrastructure — the safe bet in 2026 is: invest in FDX-aligned plumbing, treat consumer consent as a first-class engineering primitive, and assume that some form of mandatory data portability is a 2027–2030 reality even if the specific US rule keeps shifting. The direction of travel is clear; the precise vehicle is not.
The 1033 saga is also a lesson for regulators. A finalised rule with a published compliance date is not a finished rule until it survives both political transitions and judicial review. Banks, fintechs, and the consumers they serve are the ones who absorb the cost of regulatory whiplash — which is itself an argument for slower, more durable rulemaking processes.
Frequently Asked Questions
Did the CFPB’s 1033 April 2026 deadline take effect?
Technically no. The April 1, 2026, compliance deadline for the largest US banks arrived as scheduled, but it did not become a binding enforcement trigger. A federal court enjoined the rule during agency reconsideration, the CFPB moved to withdraw it, and an Advance Notice of Proposed Rulemaking (August 2025) opened a replacement rewrite.
What does Section 1033 require?
The October 2024 final rule required covered financial institutions to share consumer-authorised financial data — transaction histories, balances, account terms — with the consumer and authorised third parties via standardised APIs aligned with FDX standards, at no charge to the consumer, with explicit and revocable consent. The rewrite is expected to keep the broad shape but may change cost-recovery and third-party access terms.
Should banks outside the US care about 1033?
Yes. The 1033 trajectory is a reference template for open-banking regimes globally — the EU’s PSD3/PSR work, the UK’s Open Banking evolution, and emerging frameworks in Algeria, the Gulf, and parts of Africa all watch the US case. Even if the specific US rule keeps shifting, the direction toward consumer financial data portability is durable across jurisdictions.
Sources & Further Reading
- CFPB Finalizes Personal Financial Data Rights Rule — Consumer Financial Protection Bureau
- Section 1033 Compliance Date: Open Banking Rule Enjoined and Under Reconsideration — Cozen O’Connor via JD Supra
- CFPB Finalizes Open Banking Rule, Compliance Begins April 2026 — Moody’s
- Data Aggregators Push Secure Access as Rule 1033 Rewrite Looms — PYMNTS
- Open Banking Trends — Digital API
