Switching banks has always been a hassle, and Maria Torres knows it firsthand. The Chicago-based freelance graphic designer spent the better part of a weekend in early 2025 manually re-entering three years of transaction history after moving from a national bank to a local credit union. She had to hand her login credentials to a budgeting app so it could scrape data off her old bank’s website, then re-link every automatic payment one by one. “I almost gave up and stayed,” she said. A federal rule that officially took effect on April 1, 2026, was supposed to make stories like hers a thing of the past.
Under the Consumer Financial Protection Bureau’s Personal Financial Data Rights rule, the largest U.S. banks must now build standardized digital pipelines, essentially open APIs, that transmit a customer’s full account history to a competing bank or authorized fintech app at no charge. The regulation, codified at 12 CFR Part 1033, was finalized in late 2024 and published in the Federal Register on Nov. 18, 2024. The idea is simple: your financial data belongs to you, and you should be able to move it as easily as you port a phone number to a new carrier.
But there is a catch. A federal court order has frozen the compliance timeline, and as of June 2026, enforcement remains paused while the banking industry fights to kill or weaken the rule entirely.
What the rule actually requires
At its core, the regulation forces a technical overhaul of how banks share customer data. Today, most third-party financial apps gain access through screen scraping: you hand over your bank login credentials, and the app essentially impersonates you, logging in and copying data from the bank’s website. Some aggregators have moved to more secure token-based connections (OAuth), but screen scraping remains widespread. It works, but it is fragile, and if the third-party app is breached, your credentials can be exposed.
The CFPB’s rule replaces that patchwork with something standardized. Under Section 1033.311, covered banks must build developer interfaces that respond to authorized data requests. Transaction histories, account balances, payment details, and other personal financial information must flow through these pipelines when a customer directs it. The regulation requires delivery in a “commercially reasonable amount of time” and points to consensus technical standards as a benchmark, though it does not specify an exact number of seconds or minutes.
The rule also puts guardrails on the receiving end. Third parties that pull consumer data can only use it for the specific purposes the customer authorized. They face security requirements and deletion obligations. A budgeting app, for instance, could not quietly repurpose your transaction data for targeted advertising or sell it to data brokers.
A court order has frozen the timeline
The rule drew legal fire almost immediately. On the same day the CFPB finalized it, a lawsuit titled Forcht Bank v. CFPB was filed in the U.S. District Court for the Eastern District of Kentucky, according to a briefing from the Congressional Research Service. The plaintiffs challenged both the CFPB’s statutory authority to impose the data-sharing mandate and the cost burden it places on smaller institutions.
On Oct. 29, 2025, the court stayed the rule’s compliance dates, according to the CFPB’s own implementation guidance. That stay creates real ambiguity. April 1, 2026, still sits on the regulatory calendar as the first compliance deadline for the largest banks, but no institution faces enforcement consequences while the litigation plays out. The CFPB has not published a revised compliance calendar, leaving banks to decide on their own whether to keep building API infrastructure or slow down until the legal picture clears.
While the stay is in effect, existing screen-scraping connections continue to operate as they did before the rule was finalized. No bank is required to shut down credential-based access, and no bank is required to stand up the new standardized APIs on the original schedule. Consumers who already use apps that rely on screen scraping should see no immediate change, but they also do not yet benefit from the stronger security and privacy protections the rule was designed to provide.
Complicating matters further, the CFPB itself has faced pointed political opposition. In early 2025, acting director Russell Vought moved to pause much of the agency’s activity, and the current administration has expressed broad skepticism toward the bureau’s authority and mission. Those signals raise questions about how aggressively the CFPB will defend the rule in court. For banks weighing whether to invest millions in new infrastructure, that political uncertainty matters as much as the legal stay.
The industry is split along predictable lines
The Bank Policy Institute, a trade group representing the largest U.S. banks, has raised concerns about compliance costs, data security risks, and the scope of the CFPB’s authority. The organization has argued that the rule could expose banks to liability for breaches that occur after information leaves their systems and enters a third party’s servers.
On the other side, the Financial Technology Association, which represents major fintech companies, has broadly supported the regulation. Standardized data access, the group argues, levels the playing field and allows newer firms to compete on product quality rather than on exclusive control of customer information.
The Congressional Research Service briefing framed the Forcht Bank lawsuit as part of this broader fight between incumbent banks and fintech challengers over who controls consumer data and under what terms. The outcome will shape not just this rule but the trajectory of financial data regulation in the United States for years to come.
How open banking has played out abroad
The United States is not the first country to attempt this. The United Kingdom launched its Open Banking framework in 2018, requiring the country’s nine largest banks to share customer data through standardized APIs. By early 2025, more than 7 million UK consumers and businesses were using open-banking-enabled products, according to the Open Banking Implementation Entity. The European Union’s revised Payment Services Directive (PSD2) imposed similar requirements across the bloc starting in 2019.
Those international examples offer both encouragement and caution. In the UK, open banking did spur new competition: challenger banks and fintech lenders gained traction by offering faster onboarding and more personalized products. But consumer adoption was slower than regulators hoped in the early years, partly because many people simply did not know the option existed. The U.S. rule could face the same awareness gap, especially if the court stay delays the kind of public education campaign that would normally accompany a major consumer protection rollout.
Who wins and who loses
The competitive stakes are significant. Banks that already operate mature API systems, built to serve fintech partnerships or power their own mobile apps, can absorb the cost of building compliant developer interfaces more easily than institutions still running on legacy technology. If the stay lifts and the rule takes full effect, those technology-forward banks face a smaller adjustment. Smaller community banks and credit unions, which receive later compliance deadlines under the phased schedule, still face the prospect of building new infrastructure from scratch once their window arrives.
For consumers, the practical promise is straightforward. Someone unhappy with their checking account could authorize a new bank or fintech app to pull their full transaction history, recent balances, and account details through a secure, standardized connection. No more re-entering months of data by hand. No more sharing passwords with third-party apps.
If the litigation resolves in the CFPB’s favor and the rule proceeds largely intact, new entrants could compete more directly with incumbent banks on price, features, and service quality. Budgeting tools, lending platforms, and savings apps could offer more tailored products based on a person’s complete financial picture, not just the accounts held at one institution.
If the courts significantly delay or narrow the rule, incumbents retain their advantage as gatekeepers. The transition away from screen scraping stalls, and consumers remain stuck in a system where switching banks means starting over.
How to check whether your bank already supports API-based data sharing
As of June 2026, the right exists on paper, but its real-world availability depends on two things: how individual banks respond to the court stay, and how quickly the litigation resolves. Some large banks have continued building API infrastructure regardless of the legal uncertainty, anticipating that some version of the rule will eventually take effect. Others have paused investment.
Consumers who want to test whether their bank already supports standardized data sharing can check with their institution directly or look for third-party apps that advertise API-based connections rather than screen scraping. The CFPB’s compliance resource page tracks the rule’s status and any updates to the implementation timeline.
The outcome of Forcht Bank v. CFPB will determine whether the United States joins the UK and EU in building a functioning open banking system or whether consumer financial data remains locked behind proprietary walls that make switching providers costly and slow. For people like Maria Torres, who dread the thought of another weekend spent manually rebuilding their financial lives, the difference is not abstract. It is the difference between a system built around the bank’s convenience and one built around yours.
