The Section 1033 open banking rule is the CFPB regulation that would give Americans a legal right to share their bank account data with apps and services of their choosing, for free, through secure APIs. As of July 2026, that rule exists on paper but is blocked by a federal court injunction, and the CFPB is rewriting it from the ground up.

If that sounds confusing, you're not alone. The rule was finalized in October 2024, sued into limbo the same day, defended and then abandoned by its own agency, and finally frozen just months before its first compliance deadline. That deadline, April 1, 2026, arrived and passed without anything happening. Now states are starting to write their own versions while Washington starts over.

This guide untangles the whole story in plain English: what the rule required, why it's stuck, the four questions the CFPB is reconsidering, and what each possible outcome would mean for your money apps. If you first want the basics of how bank data sharing works, start with our pillar guide to what open banking is, then come back for the legal drama.

Key takeaways

  • The CFPB finalized the Section 1033 Personal Financial Data Rights rule on October 22, 2024, requiring banks to share consumer data with authorized apps at no charge.
  • Bank groups sued the same day, and on October 29, 2025 a Kentucky federal court issued a preliminary injunction blocking enforcement.
  • The CFPB published an advance notice on August 22, 2025 to rewrite the rule, reopening four issues: who counts as a consumer "representative," fees for data access, data security, and data privacy.
  • The first compliance date, April 1, 2026, passed with no effect, and nearly 14,000 public comments now shape the rewrite.
  • With federal rules stalled, states moved in 2026: New York introduced open banking bills in March that would ban data-access fees at the state level.

What Section 1033 actually is

Section 1033 isn't new. It's a provision of the Dodd-Frank Act, the sweeping financial reform law passed in July 2010 after the financial crisis. Buried in it is a simple idea: consumers have a right to access information about their own financial accounts, in a usable electronic form, according to the Congressional Research Service.

For over a decade, that right sat mostly dormant because Congress left the details to the Consumer Financial Protection Bureau, and the CFPB took years to write them. In the meantime, the market built its own version of open banking through private deals between banks and data aggregators like Plaid and MX. It worked, but nothing guaranteed it. A bank could cut off an aggregator, or start charging, and consumers had no legal recourse.

The Section 1033 rulemaking was supposed to change that by turning a market practice into an enforceable right. A proposed rule arrived in October 2023, and the final rule followed a year later.

What the 2024 rule required

The final rule, announced by the CFPB on October 22, 2024, applied to banks, credit unions, credit card issuers, and payment app providers, collectively called "data providers." Its core demands were straightforward.

  • Share the data. Providers had to make "covered data" available to consumers and authorized third parties: transaction history, balances, payment initiation details, account terms, upcoming bills, and basic verification information, per Cooley's analysis of the final rule.
  • No fees. Banks couldn't charge consumers or third parties for access.
  • Real interfaces. Providers needed developer APIs meeting performance standards, which pointed toward the industry's FDX standard. The CFPB formally recognized the Financial Data Exchange as a standard-setting body in January 2025.
  • Guardrails on apps. Third parties could only collect what they needed for the service the consumer requested, with limits on secondary use of data.
  • Phased deadlines. Compliance rolled out by size across five tiers, starting April 1, 2026 for depository institutions holding at least $250 billion in assets and stretching to 2030 for the smallest.

For consumers, the practical promises were bigger than the legal text: easier switching between banks, safer connections for the apps covered in our guide to linking your bank account to apps, and a formal end to screen scraping.

The lawsuit and the injunction

The ink was barely dry before the fight started. On the same day the rule was finalized, the Bank Policy Institute, the Kentucky Bankers Association, and a Kentucky bank sued in federal court, arguing the CFPB had exceeded its statutory authority. Banks objected to bearing the compliance costs while being barred from charging for access, and warned they'd be liable for data misuse they couldn't control.

Then came the twist. After the change in administration, the CFPB switched sides in its own case. In May 2025 the Bureau told the court the rule was unlawful and should be vacated, effectively agreeing with the banks, as documented in Open Banking Tracker's timeline of the litigation. Fintech trade groups intervened to defend the rule the government had abandoned.

In July 2025 the CFPB announced it would revise the rule through new rulemaking rather than defend it. And on October 29, 2025 the court granted a preliminary injunction blocking enforcement, finding the rule likely exceeded the Bureau's authority and was arbitrary and capricious, per Ballard Spahr's Consumer Finance Monitor. The rule still sits in the Code of Federal Regulations. It just can't be enforced.

The rewrite: four questions the CFPB reopened

On August 22, 2025 the CFPB published an advance notice of proposed rulemaking (ANPRM), the formal first step toward replacing the 2024 rule with one it called more suited to market realities. The notice asked for input on four issues, and nearly 14,000 comments poured in. Each question carries real stakes.

1. Who counts as a consumer's "representative"?

The 2024 rule let third parties like fintech apps and their aggregators request data on a consumer's behalf. The rewrite asks whether that goes too far, and whether only the consumer personally, or a narrower set of agents, should hold the right. A narrow answer could quietly gut the system, since almost nobody downloads their own transaction files by hand.

2. Can banks charge fees for data access?

This is the money question, literally. The 2024 rule banned fees outright. Banks argue they shouldn't have to build and run expensive APIs for free while aggregators profit from the data. Fintechs counter that per-access fees would strangle free budgeting apps and startups. Even modest charges, multiplied across billions of API calls, would reshape which apps can afford to exist.

3. Data security

The Bureau asked how to weigh the security threats and compliance costs of mandated sharing. Banks want authority to cut off connections they deem risky and clarity on who's liable after a breach at an app or aggregator. Consumer groups worry that broad "security" discretion becomes a pretext for blocking competitors. Our overview of cybersecurity threats in banking explains what both sides are afraid of.

4. Data privacy

Finally, the ANPRM revisits what apps may do with data once they have it: secondary uses, targeted marketing, sale to data brokers, retention periods. The 2024 rule limited use to what the consumer's chosen service required. The rewrite could tighten that further, or loosen it, depending on who wins the argument.

Where things stand in July 2026

Right now the federal picture is frozen. The injunction holds, no proposed replacement rule has been published, and the April 1, 2026 compliance date for the largest banks passed without legal effect. Data sharing continues anyway, running on the private bank-aggregator agreements and the FDX standard that predate the rule.

The action has shifted to the states. In March 2026, New York lawmakers introduced Assembly Bill 10640 and Senate Bill 9483, which would require financial institutions to offer developer interfaces for consumer-permissioned data and would prohibit fees for access, echoing the federal rule's core provisions, according to Consumer Finance Monitor. Both bills were still in committee as of late June 2026, but analysts see New York as a template other states could copy.

That raises the patchwork problem regulators and the industry both dread: fifty different data-sharing regimes instead of one. It's a familiar pattern in US fintech, and the same dynamic playing out in cryptocurrency regulation, where state and federal authority constantly collide.

The full timeline, 2010 to today

DateEvent
July 2010Dodd-Frank Act passes; Section 1033 creates a consumer right to financial data
October 2023CFPB issues the proposed Personal Financial Data Rights rule
October 22, 2024Final rule announced; bank groups sue in Kentucky federal court the same day
January 2025Rule takes legal effect; CFPB recognizes FDX as a standard-setting body
May 23, 2025CFPB reverses position, asks the court to vacate its own rule
July 29, 2025CFPB announces it will substantially revise the rule
August 22, 2025ANPRM published, reopening representatives, fees, security, and privacy
October 2025Comment period closes with nearly 14,000 submissions; court issues preliminary injunction on October 29
April 1, 2026First compliance deadline passes with no effect
March to June 2026New York introduces state open banking bills; other states watch
July 2026Injunction in place; rewrite pending; no proposed rule yet

What each outcome would mean for you

Consider Lena, a nurse who uses a budgeting app, a round-up savings app, and a payroll-advance app, all connected to her checking account. She's never heard of Section 1033, but every version of the endgame lands on her.

If the rewrite keeps free access with strong privacy limits, Lena's apps keep working and get safer, with clearer rules on what they can store and for how long. If the rewrite allows meaningful fees, some of her free apps likely fold or start charging, since their economics depend on cheap data access. Aggregator and bank fee negotiations were already underway in 2025 while the rule sat in limbo.

If the rule dies entirely and no replacement lands, the status quo continues: data sharing by private agreement, revocable at any time, uneven across banks. And if states fill the void, where Lena lives starts to matter. A New Yorker might get guaranteed free access while a Texan gets whatever her bank negotiates. For compliance teams, that patchwork is exactly the kind of problem regtech tools exist to manage.

The bottom line

The Section 1033 open banking rule was supposed to settle, once and for all, that your financial data belongs to you. Instead it became a case study in how fragile US financial rulemaking can be: finalized, sued, disowned, enjoined, and reopened inside twelve months, with the first compliance date passing as a non-event in April 2026.

The rewrite will decide the real questions: whether apps can act on your behalf, whether banks can charge for the pipes, and how far privacy and security obligations reach. Watch for the CFPB's proposed replacement rule and for New York's bills, either could reset the board. The infrastructure, meanwhile, keeps humming, because American open banking was built by the market before it was ever blessed by law.

For the mechanics behind all of this, see our plain-English guide to what open banking is, and if the headlines have you wondering about your own connected apps, our practical guide to whether it's safe to link your bank account has you covered.

Frequently Asked Questions

Is the Section 1033 rule in effect right now?

Technically the rule remains on the books, but a federal court's preliminary injunction from October 2025 blocks the CFPB from enforcing it. The first compliance deadline, April 1, 2026, passed without effect. The CFPB is drafting a replacement rule, so the 2024 version will likely never be enforced in its current form.

Why was the open banking rule blocked?

Bank trade groups sued the day the rule was finalized, arguing the CFPB exceeded the authority Congress gave it in Section 1033, in part by banning fees and extending data rights to third-party apps. The Kentucky federal court agreed the challenge was likely to succeed and blocked enforcement while the CFPB rewrites the rule.

Can banks charge for data access now?

With the fee ban unenforceable, there's no federal rule preventing charges, and several large banks began negotiating data-access fees with aggregators after the rule stalled. Whether fees survive is the central question in the CFPB's rewrite, and states like New York are proposing to ban them at the state level.

Do my budgeting and payment apps still work while the rule is in limbo?

Yes. Consumer data sharing in the US has always run mainly on private agreements between banks, aggregators, and apps using the FDX technical standard. The court fight changes your legal rights, not the plumbing. Your apps keep working, though the terms behind the scenes are being renegotiated.