The federal regulation of open banking in the United States has been in an extraordinary state of limbo. The Consumer Financial Protection Bureau’s final rules implementing Section 1033 of the Dodd-Frank Act, the product of a long rulemaking journey that began in 2016, remain codified in the Code of Federal Regulations but are effectively unenforceable. A federal court in Kentucky enjoined the CFPB from enforcing the rules, finding that they likely exceeded the Bureau’s statutory authority and were arbitrary and capricious. That decision has been appealed to the Sixth Circuit but the case has been stayed while the CFPB is undertaking an effort to revise the existing rules.
Rumors are circulating in Washington, DC that the CFPB’s Acting Director is eager to make progress on revisions to its Section 1033 open banking rules before his term ends and that revised rules could be published in early July, but the agency’s ability to write rules that will satisfy the varied constituencies and end protracted litigation is uncertain. Against this backdrop of federal regulatory limbo, states are beginning to consider whether they should step in to fill the void. Below we provide an update on the status of open banking regulation today and highlight key issues for practitioners to watch in the months ahead.
What is Open Banking Today?
At its core, “open banking” is comprised of two key components: data access rights and payments. Data access rights are invoked when an account holder authorizes a third party to access account data, typically on a read-only basis. Third parties can then use data obtained through open banking to initiate payments. Section 1033 of the Dodd-Frank Act gives consumers the right to request and receive electronic information about their financial products. While the law only addresses consumer data access rights, the CFPB’s final implementing rule includes a requirement that data providers share information sufficient for authorized third parties to initiate payments. It does not address the downstream implications from payments made using that data, instead deferring to separate existing rules governing payment initiation and processing.
While Section 1033 covers all consumer financial products and services, the CFPB’s final rule narrowed financial institutions’ data sharing obligation to cover only consumer credit cards and Regulation E accounts, reasoning that these accounts are where most consumer spending flows and would serve as a reasonable starting point, with potential expansion to other products later.
The Current Federal Impasse & Prospect for Revised Rules
The CFPB finalized complex data sharing rules implementing Section 1033 in October of 2024, but they were immediately challenged in court. We will spare readers the drama behind the twists and turns of this litigation: the CFPB was enjoined by a federal court in Kentucky from enforcing its rules, and an appeal of that ruling is currently stayed in the Sixth Circuit while the CFPB undertakes modifications to the rules that would nullify the dispute. (Read more about the final rules here.)
The CFPB issued an Advance Notice of Proposed Rulemaking in August 2025 seeking comments on the scope of consumer representatives that should be permitted to access data, whether data providers should be permitted to charge fees for access, and whether security and privacy issues are adequately addressed. A revised rule could address other controversial issues as well, including changing the definitions of “consumer” and “representative” to limit who may access data on behalf of individual consumers, lightening secondary data use restrictions, and extending compliance deadlines.
The latest news indicates that the CFPB intends to propose rules that would eliminate the total ban on data provider fees and instead permit fees after a certain number of requests for data have been fulfilled for free. Zooming out, fees are a small component of the overarching open banking data sharing regulatory infrastructure, and this news implies that the bulk of the regulatory obligations established in the initial rules would remain. We’ll update readers here as additional rulemaking activities occur.
New York’s Proposed Mini-1033: States Step into the Breach
While the fate of federal open banking rules is uncertain, potentially more consequential developments are happening at the state level. New York Assembly Bill 10640, introduced on March 13, 2026, and its companion, New York Senate Bill 9483, introduced on March 17, 2026, specifically focus on open banking data sharing rights. Both bills are currently still in committee. If enacted, the legislation could provide a template for similar legislation across the country.
The New York legislation is, in many ways, consistent with the core components of Section 1033. Like the federal rule, it would require financial institutions to create a “developer interface” to receive and respond to requests for access to electronic and machine-readable financial data, prohibit financial institutions from charging fees for data access, and limit when access requests may be denied to situations where a specific, known risk is identified. It would also require third party authorized representatives to obtain express consent to access data, limit their data access, use and retention to what is reasonably necessary to deliver the requested product or service, and require their adherence to GLBA and FTC safeguard standards.
However, the proposal goes further than the Section 1033 rules in significant respects:
- More products: The legislation does not include the same narrowing language that limits the CFPB’s rule to credit cards and Regulation E accounts. Instead, it would grant consumers and their authorized representatives access to data for all consumer financial products and services.
- Small business accounts: The legislation would extend data access rights to small business account data, whereas the federal rule applies only to consumer accounts.
- Enforcement penalties: The legislation would impose a maximum penalty of $10,000 per violation, enforced by the Superintendent of Financial Services. Where thousands of data access requests can be submitted in a matter of minutes, violations could add up quickly.
At the same time, the New York legislation is significantly truncated compared to the regulatory record associated with the CFPB’s final 1033 rules. For example, it lacks specifics on many issues discussed in depth across the CFPB’s rulemaking history, including the precise scope of data elements required to be shared, potential exceptions, the basis for denials, and detailed API technical requirements. These gaps may ultimately be addressed through implementing regulations, or they may become sources of ambiguity and litigation.
Broader State Considerations
Several broader considerations apply to states evaluating whether and how to regulate open banking, and preemption is an increasingly relevant threshold question. Any state law that seeks to limit banks’ ability to charge fees for data access could conflict with federal banking powers and face preemption challenges. (See our recent post on the Illinois Interchange Fee Prohibition Act for more details on preemption of state laws governing bank fees, along with several other posts on the topic here.)
State attorneys general are also evaluating their enforcement powers and limitations in the context of evolving consumer privacy expectations, including the use of their UDAP authority to prohibit unfair or deceptive acts or practices. For example, California’s Attorney General has brought several enforcement actions against companies for failing to fulfill consumers’ requests to “know” or access data under the California Consumer Privacy Act. These legal theories may naturally be extended to first-party and third-party data access requests. Enhanced scrutiny of the way consumer data is used and disclosed in financial services is evolving, and state enforcers want to ensure that a less active CFPB does not result in diminished enforcement of consumer finance laws. It should also be noted that the CFPB’s current 1033 rules are effective and the injunction preventing enforcement only applies to the CFPB, meaning that state attorneys general and consumer finance regulators might argue that they can use their independent enforcement powers under Dodd-Frank to enforce the existing rules.
Other Federal Developments: The GUARD Financial Data Act and Screen Scraping
Beyond Section 1033, the broader data-sharing landscape continues to shift. The GUARD Financial Data Act would modernize the Gramm-Leach-Bliley Act, applying data minimization principles that limit the collection and disclosure of nonpublic personal information to what is “adequate, relevant, and reasonably necessary” for each stated purpose. Notably, the legislation would codify (rather than prohibit) credential-based access and screen scraping as a viable data access channel, where customers provide their online banking username and password to a third party that then uses that information to log in as the customer and extract data. While the banking industry is actively migrating from screen scraping to OAuth-based API access, where customers log in directly with their bank to establish a more secure data sharing connection, credential-based scraping remains prevalent. The GUARD Act would require aggregators to disclose the risks of screen scraping and to offer consumers an opt-out, and it would prohibit financial institutions from denying access where consumers do not opt out, effectively codifying screen scraping as a parallel track to API-based open banking.
The GUARD Act would create new consumer rights over shared data and expand notice obligations related to AI usage and data retention. It would also preempt state consumer data privacy and security laws for GLBA-covered institutions to establish a single national framework. Read more about the GUARD Financial Data Act in our blog post here.
Data Sharing Arrangements Continue to Evolve
Notwithstanding the federal regulatory impasse and prospect for state involvement, market solutions are not waiting for regulatory clarity and continue to evolve. Banks, non-bank lenders, payments providers, payroll data companies, and fintechs of all stripes are continuing to enter bilateral data access agreements, directly and with data aggregators, to access financial data. These agreements are and will continue to be essential tools to address the variety of issues that arise from these relationships: legal issues with liability allocation when things go wrong, insurance requirements, indemnities, and audit rights; business issues derived from customer experiences, data security requirements, technical implementation, and service levels; the use of trademarks and other intellectual property; provision of value-added services; and (gasp) fees.
Conclusion
The state of open banking regulation in the United States in 2026 is defined by uncertainty. Federal rules exist but cannot be enforced by the CFPB. A revised rulemaking is anticipated but has no firm timeline. States like New York are moving to fill the gap with legislation that is broadly consistent with the federal framework but goes further in scope and penalty structure. If New York enacts legislation, it could catalyze a patchwork of state-level open banking laws. And federal legislation to revise the long-standing GLBA framework, and alter open banking in unanticipated ways, is being considered in Congress. For financial institutions, fintechs, and data aggregators, the practical imperatives are to continue building API infrastructure and transparent customer experiences, developing bilateral agreements that address evolving risks, and monitoring a rapidly evolving regulatory environment at both the state and federal levels.