US open banking arrived at a crossroads in 2026. A rule once billed as the foundation of a modern, consumer-controlled financial data market is now paused, contested in court, and being rewritten. For banks, fintechs and the data aggregators that connect them, the rules of the road have rarely been less certain.
What Section 1033 Was Supposed to Do
In October 2024, the Consumer Financial Protection Bureau (CFPB) finalized its Personal Financial Data Rights rule under Section 1033 of the Dodd-Frank Act. The premise was simple but far-reaching: consumers should be able to direct their bank or card issuer to share account data with authorized third parties through secure, standardized interfaces, with privacy and security protections built in.
In practice, that meant moving away from the screen-scraping and credential-sharing of the early fintech era toward documented APIs. April 1, 2026 was set as a key compliance milestone for the largest institutions.
Why 2026 Became a Year of Flux
That timeline did not hold. After banking trade groups sued the CFPB, a federal judge paused the compliance clock and enjoined the agency from enforcing the mandate while it formally reconsiders the regulation. The would-be deadline came and went with open banking, in the words of one industry outlet, "in flux."
The result is a planning vacuum. Institutions that had budgeted for an enforceable rule now face an environment where the timeline, scope and even the core obligations could shift. Observers expect the Bureau to open a fresh rulemaking process rather than simply restore the original text.
The Core Tensions
Security Versus Cost
Banks argue the rule underestimated the burden of building and maintaining secure data interfaces at scale, while limiting their ability to control downstream risk once data leaves their walls. Fintechs and consumer advocates counter that 1033 is a long-overdue codification of a consumer's right to their own financial data.
The Data-Toll Debate
One of the sharpest fault lines is money. Without a finalized federal rule, the industry is split over whether banks may charge "data tolls" for API access. Proposals under discussion reportedly include allowing fees for "premium" data and redefining which smaller institutions are exempt from the rules entirely.
Who Counts as a Small Bank
Exemption thresholds matter enormously. Where the line is drawn determines how many community banks and credit unions must build compliant infrastructure versus opt out, shaping both competition and consumer coverage.
The Role of Data Aggregators
Caught in the middle are the data aggregators that have long bridged banks and fintech apps. With the rule paused, several are publicly pushing secure, token-based access models rather than waiting for regulatory certainty. The message is that the market can move toward safer data sharing even as Washington deliberates, partly to pre-empt a future rule and partly to retire the riskier screen-scraping methods of the past.
What It Means for Each Player
- Banks: Continued investment in APIs is likely the safe bet, since a future rule of some kind appears probable. Many large institutions are still launching open banking partnerships despite the legal limbo.
- Fintechs: The pause introduces risk that access could become costlier or more restricted, raising the value of direct bank partnerships.
- Consumers: The headline promise of fee-free, portable financial data is now uncertain, with the prospect of fees a live question.
How the US Compares Globally
The American debate looks unusual against the international backdrop. The United Kingdom and the European Union have run mandated open banking regimes for years, with the EU now advancing from PSD2 toward the broader PSD3 and a payment services regulation. In much of the world the question is no longer whether consumers can share their financial data but how to widen that sharing into open finance, covering pensions, insurance and investments. The US, by contrast, is still litigating the foundational rule. That gap matters competitively, because a fragmented, fee-laden American framework could leave its fintech sector at a structural disadvantage relative to peers operating under clearer mandates.
The Road Ahead
The most likely path is a renewed CFPB rulemaking that produces a modified version of 1033 rather than its repeal. The direction of travel toward consumer data portability has strong momentum globally, mirrored by Europe's PSD2 framework and the proposed PSD3. The open question for 2026 is not whether US open banking happens, but on whose terms, at what cost, and on what timeline.
For now, the prudent strategy across the industry is to keep building secure infrastructure while watching the rulemaking docket closely. The institutions that treat the pause as a chance to get their data architecture right, rather than an excuse to stall, are the ones best positioned for whatever final rule emerges.