What Section 1033 actually requires
Section 1033 of the Dodd-Frank Act (12 USC 5533) gave consumers a right to access their financial data. The text was on the books for over a decade; the implementing rule sat in proposed-rule status for years. The CFPB finalized the Personal Financial Data Rights rule in October 2024. The rule turned an abstract statutory right into operational requirements: APIs, standards, consumer consent, dispute resolution, all on a phased deployment schedule.
The covered institutions are banks, credit unions, and certain other financial-services providers. The covered data is consumer financial data the institution holds. The covered persons are consumers and the authorized third parties they designate (aggregators, fintech apps, payment apps, accounting software). The rule mediates the relationship between all three.
The phased compliance timeline
- April 2026. Depository institutions with USD 250 billion or more in total assets and non-depository institutions covered by the rule.
- April 2027. Depository institutions with USD 10 billion to USD 250 billion in total assets.
- April 2028. Depository institutions with USD 3 billion to USD 10 billion in total assets.
- April 2029. Depository institutions with USD 1.5 billion to USD 3 billion in total assets.
- April 2030. Depository institutions with USD 850 million to USD 1.5 billion in total assets.
- Below USD 850 million. Currently exempt from the rule's API requirements.
The dates above reflect the October 2024 final rule. Subsequent rulemaking, litigation, or congressional action could adjust them; verify current status at consumerfinance.gov.
The six data types
- Transaction information. 24 months of consumer transaction data from each covered account.
- Account balance. Current and available balance.
- Terms and conditions. Account agreements, fee schedules, rate sheets.
- Upcoming bill information. Scheduled payments, payees, recurring obligations.
- Account verification information. Account number, routing number, or another identifier sufficient to verify the consumer's account.
- Basic account verification information for payment initiation. Information needed to initiate a payment from the account.
The rule prohibits fees on consumers or authorized third parties for accessing the covered data. The data must be available in machine-readable format meeting a qualifying standard. FDX 6.0 and later are the dominant choice; the rule allows alternatives that meet the criteria.
Section 1033 turns consumer-permissioned data access from a bilateral agreement into a regulated commodity. Banks lose veto power; consumers gain portability.
How aggregators fit (Plaid, Yodlee, Akoya, MX)
For years, aggregators connected applications to bank accounts under bilateral data-sharing agreements where they existed, and screen scraping with stored credentials where they did not. Section 1033 formalizes the access into a regulated framework. Aggregators become authorized third parties under the rule, with explicit obligations:
- Obtain informed consumer consent naming the specific data, purposes, and duration of access.
- Limit data use to the authorized purposes. Use for targeted advertising, cross-selling, or sale to third parties requires further consent.
- Allow consumers to revoke authorization at any time, and reflect the revocation upstream to the bank.
- Maintain data security at standards consistent with the data sensitivity.
- Provide dispute resolution and clear consumer information about data use.
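The consent model these obligations imply, as an added example (not code from the rule, FDX, or any aggregator): a grant names specific data types drawn from the six covered categories, named purposes, and a duration; every access is checked against that scope, and revocation is recorded and queued for the bank. The category labels, field names and the outbox format are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# The six covered data categories named in the rule (labels are assumed, not FDX's).
COVERED_DATA = frozenset({"transactions", "balance", "terms", "upcoming_bills",
                          "account_verification", "payment_initiation"})

@dataclass
class Consent:
    """One consumer authorization: specific data, purposes, duration, revocable."""
    consumer_id: str
    third_party: str
    data_types: frozenset
    purposes: frozenset
    granted_at: datetime
    duration: timedelta
    revoked_at: Optional[datetime] = None

    def __post_init__(self):
        unknown = self.data_types - COVERED_DATA   # reject anything outside the rule's scope
        if unknown:
            raise ValueError(f"not a covered data type: {sorted(unknown)}")

def authorize(consent, data_type, purpose, now):
    """Deny by default: allow only inside the named data scope, for a named purpose,
    within the consented duration, and while not revoked. Returns (allowed, reason)."""
    if consent.revoked_at is not None and now >= consent.revoked_at:
        return False, "revoked"
    if now >= consent.granted_at + consent.duration:
        return False, "expired"
    if data_type not in consent.data_types:
        return False, "data type not consented"
    if purpose not in consent.purposes:
        return False, "purpose not consented"   # e.g. reuse for advertising needs new consent
    return True, "ok"

def revoke(consent, now, upstream_outbox):
    """Record revocation and queue the notice the data provider (bank) must receive."""
    consent.revoked_at = now
    upstream_outbox.append({"event": "consent_revoked", "consumer": consent.consumer_id,
                            "third_party": consent.third_party, "at": now.isoformat()})

def demo():
    """Walk one constructed grant through in-scope, out-of-scope, and revoked access."""
    t0 = datetime(2026, 4, 1, tzinfo=timezone.utc)
    c = Consent("consumer-1", "budget-app", frozenset({"transactions", "balance"}),
                frozenset({"budgeting"}), t0, timedelta(days=90))
    outbox = []
    results = {"in_scope": authorize(c, "balance", "budgeting", t0 + timedelta(days=1)),
               "wrong_purpose": authorize(c, "transactions", "advertising", t0 + timedelta(days=1)),
               "wrong_data": authorize(c, "payment_initiation", "budgeting", t0),
               "expired": authorize(c, "balance", "budgeting", t0 + timedelta(days=91))}
    revoke(c, t0 + timedelta(days=2), outbox)
    results["after_revoke"] = authorize(c, "balance", "budgeting", t0 + timedelta(days=3))
    results["outbox"] = outbox
    return results

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```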
The screen-scraping era is winding down. By 2030 most consumer-permissioned data flow in the US will be API-based, with credential-based scraping reserved for institutions below the size threshold or for cases where the standard does not apply. For the working state of aggregator-mediated verification today, see our bank verification guide.
What fintechs and aggregators should be doing in 2026
- Audit existing data-access dependencies. Which banks are you connected to? Which sit at the April 2026 tier, April 2027 tier, etc.? When does each transition from bilateral to rule-driven access?
- Align consent flows to the rule's standards. The naming of data, purposes, and duration must meet the rule's explicitness requirements. Revocation must be operationally functional.
- Implement FDX 6.0 or later as the integration spec. The rule allows alternatives; FDX is the de facto US choice.
- Document data-use limits. Internal policies must enforce that authorized-purpose data is not repurposed without further consent.
- Prepare for examinations. The CFPB has supervisory authority over large nonbanks (the Larger Participant rule for aggregators is part of the framework). Aggregators above the threshold face direct CFPB exam.
Frequently asked questions
Is Section 1033 the same as PSD2?
Conceptually similar, operationally different. Both establish consumer-permissioned open banking. PSD2 mandates bank API access in the EU via Regulatory Technical Standards; Section 1033 mandates equivalent access in the US with FDX as the de facto standard. The data scope and consumer-protection details differ in specifics.
Will the rule survive legal challenges?
Multiple challenges have been filed since October 2024; some are still pending. The CFPB's funding mechanism survived Supreme Court review in CFPB v. CFSA (2024). The 1033 rule itself faces challenges on specific provisions rather than constitutional ones. The most likely outcome is partial adjustment rather than wholesale invalidation.
What about non-bank financial institutions?
The rule covers depository institutions and certain non-depository providers. Specific scope is in the rule text. The trajectory is to extend covered data to additional financial-services contexts (BNPL, payroll, insurance) through subsequent rulemaking.
How does FDX 6.0 differ from earlier versions?
FDX 6.0 (2024 release) added taxonomy alignment with the 1033 data categories, refined consent and revocation flows, and tightened security requirements. FDX 6.1 and 6.2 are iterating on implementation feedback. Most US banks are aligning to FDX 6.0 or later for 1033 compliance.
Where does forensic AI fit in 1033 compliance?
Indirectly. 1033 governs data flow rather than document authenticity. Where forensic AI matters: at consumer onboarding to authorized third-party fintechs, where the customer's identity documents still need verification. See our KYC primer.