Data Aggregators Push Secure Access as Rule 1033 Rewrite Looms
Rule 1033 was supposed to be the moment U.S. “open banking” stopped being a patchwork of screen-scraping workarounds and became a regulated data right.
The Consumer Financial Protection Bureau’s (CFPB) final rule set out a clean idea: consumers should be able to direct their bank or card issuer to share their account data with authorized third parties through secure interfaces, with privacy and security rules baked in. The timetable gave the industry a forcing function: the largest institutions were required to start complying by April 2026.
Today, that date still works as a hook for why boardrooms and product teams are paying attention. But it is no longer a safe planning assumption. Rule 1033 is final on the books, yet its near-term path now runs through litigation, agency reconsideration and the CFPB’s own resource constraints.
The starting point is straightforward. In October 2024, the CFPB finalized the Personal Financial Data Rights rule under Section 1033 of the Dodd-Frank Act. The bureau framed it as pro-competition and pro-consumer: give people more control over their financial data, reduce the need for credential sharing, and make it easier to switch services or use new tools. The design was a phased rollout with the biggest “data providers” going first.
Then came the legal and political gravity. Banking groups challenged the rule, and a federal judge in Kentucky temporarily blocked enforcement while the CFPB reconsidered key elements. At the same time, the bureau began laying the groundwork for revisions, launching a reconsideration process and asking for fresh comment on implementation and policy choices.
The signal to the market was clear: this is no longer just “prepare to comply.” It is “prepare for change.”
That shift has scrambled the coalition map in a way that is familiar in Washington but jarring for operators. The basic divide is not whether consumers should be protected. It is over who should control access, who carries liability when something goes wrong, and who pays for the pipes.
The Issues at Hand
On one side sit many banks and banking trade groups. Their argument is rooted in security and accountability. Banks say they are the ones consumers blame when data gets misused and the ones regulators supervise most closely, yet open banking expands the set of entities touching sensitive information.
Banks also stress cost. Building and maintaining secure interfaces at scale is expensive, and banks contend the rule underestimates that burden while limiting their ability to control downstream risk. The Bank Policy Institute, for instance, has argued the rule jeopardizes privacy and security and is vulnerable on legal authority grounds.
On the other side are many FinTechs, consumer advocates and “open banking” proponents who see 1033 as a long-overdue consumer data right. Their core claim is that consumers already share their data every day, often by handing over credentials to third parties. Standardized, permissioned access through secure application programming interfaces (APIs) is supposed to be safer than screen scraping and better than a system where data moves only through bilateral agreements. Reuters’ coverage of the rule’s release captured that framing: the CFPB presented the rule as a way to give consumers more choice and spur competition.
The most interesting voices, though, may be in the middle: the aggregators. They are the connective tissue between banks and FinTech apps. For years, their business was built on making data portable in a world where banks did not always offer easy ways to do it. That often meant credential-based access and screen scraping, which banks hate and regulators tolerate grudgingly.
Aggregator messaging today is essentially: “We agree with the direction. Now make it workable.”
Plaid has described the CFPB’s move as a step toward an open finance system based on consumer permission and safer access methods. Financial data analysis platform MX has similarly told clients that the rule reinforces consumer control, even as the details of implementation will determine how smooth the transition is. Standards groups like the Financial Data Exchange have argued that common API frameworks are essential to making this secure and scalable rather than bespoke.
What’s at Stake
But aggregators are also dealing with the industry’s other unresolved question: economics. If banks can charge for access, the cost of “open banking” shifts from a compliance burden to a commercial negotiation. And that negotiation is already happening. Reuters reported that JPMorgan struck agreements with FinTech data aggregators involving fees for access to customer data. That is the market trying to set terms before the regulator does.
Law firms, meanwhile, are advising clients to plan on two tracks at once: build the capability but treat the dates as provisional. Orrick’s analysis of the final rule emphasized that the CFPB’s framework is meaningful and operationally demanding, and that institutions should be thinking early about governance, technical build and third-party relationships. Yet the same legal community has also been the first to highlight how unstable the process has become.
The CFPB has linked its near-term rulemaking approach to funding constraints. In litigation status reports, the bureau said it was working on interim final rules for both Section 1071 and Section 1033 after a DOJ Office of Legal Counsel opinion concluded the CFPB could not lawfully draw funds from the Federal Reserve at that time. The bureau also stated it expected to have enough funds to operate normally only through at least the end of 2025. That is an unusual posture for a regulator in the middle of implementing one of the most consequential data rules in U.S. finance.
Moving Forward
So what happens next? The realistic answer is that there are a few plausible scenarios, and the industry needs to be ready for more than one.
- Scenario one: the rule largely survives, but with a revised schedule and clearer guardrails. The CFPB completes a new notice-and-comment process, keeps the core consumer data right intact, but tweaks deadlines and tightens implementation language. In this case, April may remain a headline, but the real work becomes building compliant, secure interfaces and a repeatable process for handling third-party authorization.
- Scenario two: a rewrite that leans toward bank concerns reshapes how open banking works in practice. A revised rule could expand constraints on third parties, raise qualification requirements or clarify cost recovery mechanisms. That could reduce bank opposition, but it may also increase friction for FinTechs and make data access more uneven across use cases.
- Scenario three: if the rule remains stuck, open banking will keep advancing through private deals, with the biggest banks and platforms effectively setting the terms. If injunctions linger or the rule is vacated, the ecosystem will not revert to zero. Banks will keep negotiating access deals. Aggregators will keep building connections where they can. Standards bodies will keep pushing APIs. The result could be an “open banking” reality where consumers get new tools, but protections and access terms vary widely depending on which institution holds the account.
In the near term, the most useful way to think about Rule 1033 is not as a single deadline but as a strategic capability build. The April compliance date was meant to force the biggest players to move first.
Whether that specific date holds or slips, the direction of travel is hard to miss. Data portability is becoming part of the competitive landscape in banking and payments, and the fight is now about the rules of engagement.
The post Data Aggregators Push Secure Access as Rule 1033 Rewrite Looms appeared first on PYMNTS.com.