Your Rights Under the CFPB’s Open Banking Rule: Plain-English Guide
Section 1033 of the Dodd-Frank Act gives you the right to access and share your financial data. The CFPB wrote rules to implement this right. Those rules are currently being revised. But the underlying statutory right exists regardless of the regulatory uncertainty — and understanding what you’re entitled to helps you navigate a financial system that hasn’t always made data sharing easy.
Here’s what the law says, what the (current) rule requires, and what practical rights you can exercise today.
Important context: The CFPB’s 2024 final rule implementing Section 1033 is under active reconsideration. The agency issued an Advance Notice of Proposed Rulemaking in August 2025, signalling it intends to replace the existing rule with a revised version. Compliance dates (originally April 2026 for the largest institutions) have been delayed and may be pushed to 2027 or later. The rights described below reflect the statutory law (which remains in effect) and the 2024 rule (which may be modified). For the broader context, see our open banking guide.
Your Core Rights Under Section 1033
The Right to Access Your Data
Your bank must make your financial data available to you in electronic form upon request. This includes transaction data from the past 24 months, account terms and conditions, fees charged, and basic account information (balances, account numbers).
This right exists under the statute — not just the implementing rule. Even during the regulatory reconsideration, you can request your financial data from your bank. The practical mechanism for that request (standardised API, manual export, paper statement) depends on what your institution currently supports.
The Right to Share Your Data with Third Parties
You can authorise a third party — a budgeting app, a competing bank, a financial advisor, a lending platform — to access your financial data. Your bank is required to provide this data to the authorised third party.
Under the 2024 rule, this sharing was to happen through standardised developer interfaces (APIs) that provide data in a machine-readable format. The revised rule may adjust the technical requirements, but the underlying right to share your data with authorised parties is statutory.
The Right to Free Access
The 2024 rule prohibited banks from charging consumers or authorised third parties for data access. This provision is under reconsideration — the CFPB’s August 2025 notice specifically asks whether banks should be allowed to charge fees to cover costs.
If fee-charging is permitted in the revised rule, it would most likely be charged to data aggregators (companies like Plaid that connect your apps to your bank), not directly to you. But those costs could be passed through in the form of higher subscription fees for the apps you use.
The Right to Control and Revoke Access
You choose which third parties can access your data. You can revoke that access at any time. Third parties are required to stop accessing your data once you revoke authorisation and must delete previously collected data (with limited exceptions for legal obligations).
The 2024 rule also limited third parties to using your data only for the specific purposes you authorised — they couldn’t collect your transaction history for budgeting and then sell it for marketing. This limitation remains a core element of the framework, regardless of revisions.
The Right to Data Without Credential Sharing
Perhaps the most practically significant right: your bank must provide data access through secure channels that don’t require you to share your login credentials with third parties.
Currently, many financial apps access your bank data through screen scraping — they log into your bank’s website using your username and password. This works, but it means you’re sharing your banking credentials with a third party. That creates security risks: the third party holds your full login rather than limited, consented access to specific data. The open banking rule requires banks to provide API-based access that eliminates this credential-sharing requirement.
This provision has broad industry support (even banks that oppose other parts of the rule generally agree that screen scraping should be replaced with APIs) and is likely to survive the rule revision.
What You Can Do Right Now
Even with the rule in flux, you have practical steps available.
Request your data directly. Contact your bank and request a download of your transaction history. Most banks provide CSV or OFX exports through their online banking platforms. This is your statutory right under Section 1033, independent of the implementing rule.
Check which apps access your data. Review your connected apps and services. Most banks now show you which third-party services have been granted data access. Revoke access for any you no longer use.
Use Plaid or similar aggregators’ privacy tools. If you’ve connected financial apps through Plaid, visit my.plaid.com to see which connections are active and revoke any you don’t need.
Understand your bank’s data-sharing capabilities. Some major banks (JPMorgan Chase, Wells Fargo, Capital One) have already built API connections for data sharing. Others still rely on screen scraping through aggregators. If secure data sharing is important to you, consider this when choosing a bank. The neobanks we recommend generally have stronger API connectivity than traditional banks.
US vs UK: Where Open Banking Is Already Working
UK consumers have exercised open banking rights since 2018 under regulations mandated by the Competition and Markets Authority. Over 7 million UK consumers and businesses use open banking services. The rights UK consumers have today offer a preview of where US consumers are headed:
UK consumers can connect bank accounts to any authorised app through secure APIs, switch banks with full data portability, see all accounts from multiple banks in a single app, and revoke third-party access at any time through their bank.
UK consumers cannot yet share data from all financial products (investment accounts and insurance are still excluded), get consistent quality across all banks (some APIs are better than others), or completely avoid credential-based access for some smaller institutions.
The UK experience suggests that the core consumer benefits — easier switching, reliable app connectivity, more competition — are real and valuable. The implementation is imperfect but improving. The US should expect a similar trajectory: meaningful benefits with ongoing rough edges.
Frequently Asked Questions
Does Section 1033 apply right now?
The statutory right (your right to access your data) exists. The implementing rule that specifies how banks must provide that data is under revision. In practice, this means your rights are established in law but the enforcement mechanisms are in flux. You can request your data from your bank today; the standardised, API-based access the rule envisions is not yet mandatory.
Will my bank charge me for open banking?
Under the 2024 rule, no. Under a revised rule, possibly — but any fees would likely be charged to aggregators and fintechs, not to you directly. The CFPB is currently collecting input on this question.
Is it safe to connect my bank to financial apps?
Generally yes, when using established apps and aggregators (Plaid, Yodlee, MX). Open banking through APIs is more secure than the screen scraping it replaces. The risk isn’t zero — any data connection creates potential vulnerability — but API-based sharing with explicit consent and limited data access is the safest model available.
What happens to my data if I stop using a connected app?
Under the 2024 rule, the app must stop collecting new data once you revoke access and must delete previously collected data (with narrow exceptions). Even without the rule in force, you should revoke connected-app access when you stop using a service — this is good data hygiene regardless of regulation.
When will open banking be fully live in the US?
Realistically, 2027-2028 for the largest institutions, with smaller banks following through 2030+. The timeline depends on the revised rule’s finalisation and compliance deadlines, neither of which is settled as of April 2026.
FinTech Essential does not earn commissions from products mentioned in this article. Our coverage is editorially independent and funded by advertising, not affiliate relationships.
Regulatory information accurate as of April 2026. The CFPB’s implementing rule for Section 1033 is under active reconsideration; check consumerfinance.gov for the most current status. This article is for informational purposes only and does not constitute legal or financial advice.