Section 1033 of the U.S. Dodd-Frank Wall Street Reform and Consumer Protection Act establishes rules requiring financial institutions to provide consumers with access to their financial data. The regulation aims to improve transparency, foster competition, and give customers greater control over their banking information.

The Consumer Financial Protection Bureau (CFPB) finalized the Section 1033 rule in October 2024, setting requirements for banks, credit unions, fintech firms, and third-party data aggregators to provide standardized, machine-readable access to transaction data, account details, and related financial information. The rule also prohibits institutions from charging customers for accessing their own data, reinforcing the shift toward open banking in the U.S.

This article outlines the key provisions of Section 1033, its impact on financial institutions and fintech firms, practical compliance steps, and challenges businesses will face under the new regulations.

Overview of Section 1033 and CFPB’s final rule

What Section 1033 requires

The rule states that banks, credit unions, and financial service providers must give customers electronic access to their financial data. This includes:

• Account balances
• Transaction history
• Charges and fees
• Other relevant financial information

The regulation also prohibits institutions from charging consumers for accessing their own data. Companies must provide the information in a structured and machine-readable format to allow easy data portability. More details can be found in the official CFPB Final Rule on Personal Financial Data Rights.

Timeline and compliance deadlines

The rule is set to be implemented in phases, with deadlines based on institution size:

• Large financial institutions (over $500 billion in assets) must comply by late 2025.
• Mid-sized institutions have until 2026.
• Smaller firms (below the reporting threshold) will have final deadlines in 2027.

Regulatory timelines and adjustments will be tracked by the CFPB’s Open Banking Rulemaking Page.

How financial institutions must adapt

To comply with Section 1033, banks and financial institutions must overhaul their data management and sharing practices. Unlike the current fragmented system—where data is often siloed and accessible only through proprietary banking portals—this rule requires a standardized, API-driven approach.

Key steps to achieve compliance

1. Modernizing API infrastructure and updating data structure
2. • Develop secure, standardized APIs for real-time data access.
   • Transform your data and implement machine-readable formats that allow smooth integration with third-party providers (AI-powered data transformations and ETL tools significantly speed up the process).
   • Adopt Financial Data Exchange (FDX) API standards, which many U.S. banks are already moving toward.
3. Enhancing data security and privacy measures
4. • Strengthen encryption and authentication protocols.
   • Implement multi-factor authentication (MFA) and tokenized access controls for third-party data requests.
   • Conduct regular security audits to identify vulnerabilities.
5. Updating data consent and governance models
6. • Establish clear user consent mechanisms to control which third parties access consumer data.
   • Provide real-time opt-in and opt-out capabilities for customers.
   • Ensure compliance with existing U.S. data privacy laws (e.g., GLBA, state-level consumer data protection laws).
7. Preparing for continuous reporting and audits
8. • Set up automated monitoring for API performance and security logs.
   • Be ready for CFPB compliance audits, which may require institutions to prove their adherence to data-sharing regulations.
   • Implement customer support protocols to handle disputes related to data access.
9. Transitioning away from screen scraping
10. • Screen scraping, where fintech firms collect data using customer-provided login credentials, will be phased out in favor of API-based access.
    • Banks must collaborate with fintech firms and third-party providers to migrate integrations toward API-based solutions.

By acting early, financial institutions can avoid last-minute compliance bottlenecks and position themselves competitively within the open banking ecosystem.

Impact on financial institutions and fintech companies

Banks and credit unions

Traditional financial institutions will need to invest in new API infrastructure and ETL services to meet the technical standards outlined by the CFPB. Compliance requires:

• Developing secure and standardized API access for third parties.
• Automating customer data delivery to meet format and reporting requirements.
• Strengthening cybersecurity to prevent data breaches when sharing customer information.

While these changes introduce costs, banks may also find opportunities to offer enhanced financial tools through partnerships with fintech companies.

Fintech companies and third-party providers

Fintech firms that rely on screen scraping—where users manually share their banking credentials—will need to transition to direct API connections. This will affect business models that depend on aggregating user data for budgeting apps, investment platforms, or lending decisions.

Fintechs will need to:

• Adjust integration models to use APIs approved by regulated institutions.
• Verify user consent management systems to meet CFPB requirements.
• Implement stricter data security measures to avoid compliance risks.

Companies that successfully adapt could expand their offerings in the open banking space, improving financial planning and automation tools for consumers.

How data transformation consultants like Blocshop can help

Many financial institutions and fintech firms lack the technical expertise and resources to implement these complex changes alone. Blocshop provides IT consultancy and data transformation services to help companies meet Section 1033 compliance efficiently and securely.

Key services Blocshop offers:

• API development & integration: Blocshop designs and deploys secure, CFPB-compliant APIs, ensuring seamless connections between banks, fintech firms, and third-party service providers.
• AI-powered data transformation: Using AI-driven automation, Blocshop helps financial institutions format, process, and validate data for regulatory reporting and consumer access.
• Security audits & compliance assessments: Banks and fintech firms must safeguard sensitive consumer data. Blocshop provides risk assessments, penetration testing, and compliance gap analysis to address security vulnerabilities.

By working with Blocshop, financial institutions can avoid regulatory penalties, reduce integration costs, and future-proof their data-sharing capabilities—all while delivering a better experience for consumers.

Get technical guidance

The finalization of the Section 1033 rule marks a major shift toward open banking in the United States. Banks, fintech companies, and data aggregators must adopt API-based financial data sharing, reinforce cybersecurity protections, and develop user-friendly consent processes to stay compliant.

While the rule introduces technical and regulatory challenges, it also creates opportunities for financial innovation. Organizations that act early can strengthen customer relationships, expand their service offerings, and gain an advantage in the evolving financial services landscape.

For companies that need technical guidance, security enhancements, or API development, Blocshop offers consultations to assess compliance gaps and provide a tailored strategy for Section 1033 implementation.

Contact Blocshop today for an initial assessment and learn how AI-powered data transformation and expert IT consultation can help you navigate the future of open banking.