Open a brand-new fintech budgeting app in May 2026, paste your bank, click connect, and you almost never get the username-and-password screen anymore. Instead a branded bank consent page asks which accounts to share, for which scopes, for how long, and the data starts flowing through an actual API rather than a scraper pretending to be a browser. The change is not subtle: roughly five years of regulator pressure, vendor build-out, and bank capitulation have moved U.S. open banking infrastructure from a screen-scraping workaround to a defined, regulated permissioned data layer. The market that sits on top of this is now estimated by McKinsey at around $35 billion in annual revenue by the end of the decade, and the rail under it has a name: CFPB Rule 1033.
What CFPB 1033 actually changed
The Consumer Financial Protection Bureau finalised its Personal Financial Data Rights rule, often called Rule 1033, in October 2024. The rule does two things at once. It gives consumers the right to access and share their financial data, and it requires data providers, the banks and other depository institutions, to make that data available through a developer interface that meets specified standards. The rule explicitly contemplates and rewards the use of industry standards like those published by the Financial Data Exchange, a non-profit consortium that has spent six years writing the API specifications that 1033 implementations now align to. The combined effect is that screen scraping is on the way out as the default access method, replaced by token-based, scoped, revocable API access.
The rule’s compliance dates are tiered by institution size. The largest banks, those with more than $250 billion in assets, are on the earliest deadline, with implementation expected by April 1, 2026 for the largest banks ($250B+ assets) and April 1, 2027 for the next tier ($10B-$250B). Smaller institutions get progressively more time, with the smallest community banks not required to be live until 2030. There are roughly 5,000 covered depository institutions across the tiers, plus a long tail of non-bank data providers including payroll processors and brokerages. The reach is wide: every meaningful consumer-facing financial relationship in the U.S. is touched by the rule, even if implementation timing varies dramatically by tier.
The vendor layer that holds it together
Three vendors anchor the practical infrastructure. Plaid, the largest aggregator by connection volume, has been re-platforming away from screen scraping toward direct bank APIs since 2023. Akoya, founded as a joint venture between Fidelity and Tata Consultancy Services, was built from the start as an API-only network and is the bank-friendly alternative. MX, the third major aggregator, has positioned around data quality and enrichment. Each plays a slightly different role, but the architecture they all run on the bank side now looks the same: a 1033-compliant API gateway, an FDX-aligned schema, and a consent management layer that issues, refreshes, and revokes scoped tokens.
The FDX standard matters because Rule 1033 is technology-neutral on its face but practically requires interoperability. A bank could in theory build a bespoke API that meets the rule, but it would be talking only to itself. By aligning to FDX, the bank gets access to the entire installed base of aggregators and downstream fintechs without bespoke integration work. The same dynamic is true on the fintech side: writing to FDX once gets a developer access to every compliant data provider. The standard has done the work that the regulator could not do directly. For broader vendor context, the TechBullion piece on payments systems and infrastructure covers how this fits with the wider U.S. fintech rail set.
What the rule still does not solve
For all the architectural progress, several open issues persist. The first is liability allocation. The rule defines responsibilities at the data provider and data recipient level, but the practical question of who pays when something goes wrong, the bank that issued the token, the aggregator that held it, or the fintech that used it, is still being worked out through industry agreements. Standardised data access agreements, modeled on the FDX-published templates, are slowly becoming the norm, but enforcement of those terms in court has not yet been tested at scale and the first major data-breach lawsuit under the new framework is widely expected to set the practical interpretation.
The second issue is small-bank coverage. The compliance burden of standing up an FDX-aligned API is real for community banks, and the rule’s tiered deadlines acknowledge that. Vendors like Q2, Jack Henry, and Fiserv are bundling 1033 compliance into their core banking offerings, but the cost is non-trivial and the small-bank board conversation about whether to build, buy, or join a shared utility is happening in real time across thousands of institutions. Industry observers expect a wave of small-bank consolidation across 2026 and 2027 that will be partly driven by the cost of compliance with rules like 1033. The TechBullion piece on why banking infrastructure is becoming digital sets out the broader pattern of how community banks are absorbing this kind of cost.
What it means for fintechs and product teams
For founders and product teams building on this layer in 2026, the practical implications are concrete. The screen-scraped data set was always partial, brittle, and stripped of the structured fields that make compelling user experience possible. The 1033-API data set is richer: standardised account types, transaction categorisation hooks, balance history depth, and identity verification fields all become first-class inputs. Products that previously had to infer what an account was can now read it directly. Products that had to handle the brittleness of broken scrapes can now reason about scope tokens that either work or are explicitly revoked.
This shifts the source of differentiation. When everyone has access to the same clean data layer, the competitive moat moves to what is built on top: the analytics, the user experience, the personalised insight. Fintechs that built their advantage on having better scraping infrastructure are losing it. Fintechs that built it on what they do with the data are gaining. The economic value of an aggregator drops, the economic value of an applied-data product rises. The TechBullion piece on why banking innovation is accelerating worldwide situates this in the broader global open banking pattern, where the U.K. and EU went through this same shift several years earlier.
The next two years of build-out
Over 2026 and 2027 three areas will be worked on in parallel. The first is breadth: getting the long tail of community banks, credit unions, and non-bank data providers compliant. The second is depth: extending the 1033-style API approach beyond deposit and payment accounts into investments, mortgages, and insurance, where the data shape is more complicated and the supervisory framework is fragmented across the SEC, the CFPB, and state insurance regulators. The CFPB has signaled interest in this expansion. The third is quality: closing the last gaps in data quality between the API path and the legacy scraping path, particularly around historical depth and pending transaction visibility, areas where scraping still has marginal advantages and where banks have not always prioritised parity.
The most likely shape of U.S. open banking by the end of 2027 is a layered system where consumer permissioned API access is the dominant mechanism for everything except a few stubborn long-tail sources, where liability is allocated through standard industry agreements, and where the infrastructure cost is mostly borne by aggregators and core providers rather than individual banks. That is, broadly, where the U.K. landed by 2023. The U.S. is not following the same regulatory path, but the destination looks similar.
Open banking infrastructure in the U.S. is finally becoming infrastructure rather than a workaround. The rule is final, the standards are real, the vendors are aligned, and the consumer-facing experience has stopped looking like a hack. What remains is the unglamorous work of getting every bank onto the rail and every fintech designing for the data shape it now offers. The exciting part is over. The compounding part has begun.
