Open banking in the U.S.
After more than a decade of debate, the U.S. has its first binding consumer-data-portability rule. Implementation is phased, contested, and still being clarified — the practical effect on consumer choice will take years to play out.
The United States was a relatively late mover on open banking — the broader policy framework under which consumers can authorize third parties to access their financial-account data through standardized, regulated interfaces. The U.K. launched its Open Banking regime in 2018; the EU's PSD2 framework, with its "access to accounts" data-sharing requirements, took effect across member states by 2019; many other jurisdictions followed. The U.S. equivalent, the CFPB's Personal Financial Data Rights rule under Section 1033 of Dodd-Frank, was finalized in October 2024 with implementation phased through 2030.
This article describes Section 1033 and the implementing rule, the U.K. and EU precedents that informed it, and the practical implications for consumers, fintechs, and incumbent banks. As of mid-2026 the rule has been subject to litigation and to ongoing CFPB rulemaking activity; readers should verify current status before relying on specific implementation timelines or substantive provisions.
Section 1033 and the 2024 rule
Section 1033 of the Dodd-Frank Act, codified at 12 U.S.C. §5533, gave the CFPB authority to require "covered persons" (financial institutions) to make available, in electronic form usable by consumers, information about the financial product or service the consumer obtains from the institution. The provision sat largely dormant for a decade as the CFPB worked through other rulemaking priorities and as the question of what the rule should require was debated.
The final rule, issued in October 2024, requires covered providers to:
- Make consumer-authorized data available through a defined "developer interface" — a regulated API — to authorized third parties, free of charge.
- Limit the scope of data covered to specified categories (transaction history, account balance, account terms, payment initiation data) for specified account types (deposit accounts, credit cards, prepaid cards, payment products).
- Comply with phased implementation deadlines based on institution size: the largest institutions comply first, smaller institutions later, and the final tier (smallest covered institutions) by 2030.
- Authorize third-party access only with the consumer's affirmative consent, and require third parties to comply with defined consumer-protection conditions (data-minimization, security standards, dispute handling).
The rule's structural premise is that consumers own their financial data and should be able to authorize portable access to it for purposes like third-party budgeting tools, alternative-credit underwriting, account-aggregation services, and payment initiation by third parties. The pre-2024 status quo was that consumer data access was already happening through screen scraping, in which aggregators acting for consumers (Plaid, MX, Yodlee, others) logged in to consumer accounts on their behalf. That access ran without a regulatory framework, with frequent friction between banks and aggregators, and without clear consumer-protection rules.
Comparison with U.K. Open Banking and EU PSD2/PSD3
The U.K.'s Open Banking regime, implemented under the Competition and Markets Authority's 2017 retail-banking order and operationally through the Open Banking Implementation Entity, requires the nine largest U.K. banks to provide standardized API access to consumer accounts. The U.K. framework has produced substantial third-party innovation — open-banking-powered budgeting tools, alternative-credit applications, and account-to-account payment products — although adoption has been slower than initially projected.
The EU's PSD2 (the second Payment Services Directive, in force since 2018) extended similar requirements across member states, including a "strong customer authentication" requirement for electronic payments. The EU's anticipated PSD3 framework, with related Payment Services Regulation, is in process and is expected to refine the PSD2 framework — including addressing some of the operational pain points around fraud authentication and account-data access.
The U.S. rule differs from the U.K. and EU frameworks in several respects:
- Coverage is broader by institution type (all covered providers, not just the largest banks).
- Coverage is narrower by data type and account type than some EU implementations.
- Implementation is more phased over a longer timeline.
- The U.S. rule does not include strong-customer-authentication requirements equivalent to PSD2's.
- The U.S. lacks the centralized open-banking governance entity that the U.K. operates.
What this means in practice for consumers
For most U.S. consumers, the practical effects of Section 1033 will play out gradually as the implementation phases. The principal expected effects:
- More reliable third-party connections: where today's account aggregators rely on screen-scraping (a brittle process that breaks when banks change their login flows), regulated API access should be more reliable and less prone to interruption.
- Easier account switching: a consumer changing banks could, in principle, authorize the new bank to pull recent transaction history and standing autopay arrangements from the old bank, easing the redirection work. The CFPB and industry observers have flagged this as a major potential benefit.
- More third-party credit and underwriting products: alternative-credit lenders that today depend on consumer screen-scraping or on FICO credit-bureau data could use 1033 data to underwrite products based on a more complete view of the consumer's financial life.
- Pay-by-bank growth: payment initiation by third parties through 1033 data access could grow as an alternative to card-network payments, particularly for high-value bill payments where the card-interchange cost is meaningful.
- Stronger consumer-protection framework: the rule's third-party-access standards include data-minimization, security, and dispute requirements that the pre-rule screen-scraping environment did not.
The principal risk is that data sharing makes the financial system more interconnected, so a security incident at any one node can potentially affect consumers across many others. The rule's third-party-protection requirements are intended to address this, but the operational maturity of the framework will be tested as adoption grows.
Limits and uncertainty
The 2024 final rule has been challenged in litigation; specific provisions have been the subject of stays and rulemaking activity. The implementation timeline may shift; the substantive coverage may be refined. The U.S. open-banking trajectory will likely converge over time with the U.K. and EU experience, but the convergence will take years. The basic policy direction — consumer-authorized data portability with regulated third-party-access standards — is durable, even as the specific rule continues to evolve.
Sources
- Dodd-Frank Act, Section 1033, 12 U.S.C. §5533, law.cornell.edu/uscode/text/12/5533.
- CFPB, "Personal Financial Data Rights" final rule (October 2024), consumerfinance.gov/rules-policy/final-rules. Confirm current status.
- U.K. Open Banking Implementation Entity, openbanking.org.uk. The U.K. open-banking framework.
- European Commission, "Payment Services Directive (PSD2) and PSD3," finance.ec.europa.eu.
- CFPB, "Open Banking" research and rulemaking history, consumerfinance.gov.