April 1, 2026 marked a compliance milestone that almost no one is celebrating. Under CFPB Rule 1033, the largest U.S. data providers, those with $250 billion or more in assets, technically entered their first compliance window this week. They were supposed to arrive here with standardized APIs in place, giving consumers and businesses a regulated right to access and share their own financial data.
Instead, the rule is in legal limbo. The CFPB has signaled it will not enforce 1033 while a new rulemaking process plays out. Legal challenges have complicated its standing. The agency faces resource constraints that make active enforcement unlikely in the near term. The deadline arrived, and the regulator stepped aside.
For banks that spent the last two years waiting for enforcement clarity before committing to API infrastructure investment, this might feel like a reprieve. It is not. The market pressure that made 1033 necessary in the first place has not paused. If anything, it has accelerated.
What 1033 Was Built to Do
Rule 1033 was the CFPB’s attempt to codify something the market was already demanding: a consumer and business data-right. The rule required covered financial institutions to make account data available through standardized, machine-readable interfaces, on request, to authorized third parties.
The logic was straightforward. If a business or individual generates financial data through a bank relationship, they should be able to access it and move it. Not through screen-scraping workarounds. Not through PDF exports. Through real APIs, built to a defined standard, available without friction.
Like many new rules imposed by the CFPB, the compliance schedule was designed to phase in by institution size. The $250 billion threshold was first. Smaller institutions would follow on a staggered timeline. The framework was imperfect, and the industry knew it. But the direction was clear.
What Actually Happened
The rule cleared the CFPB’s rulemaking process in late 2024 and immediately ran into legal resistance. Banking trade groups challenged it in court. The CFPB, under new leadership and operating with reduced resources, signaled it would not prioritize enforcement while litigation and re-rulemaking proceeded.
The result is a rule that exists on paper but carries no enforcement weight in practice, at least for now.
This is not an unusual outcome in U.S. financial regulation. The pattern is familiar: a rule advances through notice-and-comment, gets finalized, triggers legal challenge, and enters a period of uncertainty where institutions are technically subject to the rule but practically unguided on what compliance actually requires. Dodd-Frank created years of similar ambiguity across multiple rulemaking areas. Open banking is not the first to land here, and it will not be the last.
The lesson commercial banks should be drawing is not that 1033 was a false alarm. It is that regulatory timelines are structurally unreliable as planning inputs for infrastructure investment.
The Banks That Built Anyway Are Already Ahead
Here is where the compliance posture diverges in ways that will matter over the next 24 months.
Some institutions, typically those with more sophisticated commercial banking practices and larger fintech partnership books, treated 1033 as a signal to accelerate infrastructure work they knew was coming regardless. They built or upgraded API layers and worked through the data governance questions. They got their internal teams aligned on what permissioned data access actually means operationally.
Those banks are not ahead because the regulator rewarded them. They are ahead because their commercial clients and platform partners were already demanding exactly what 1033 was trying to mandate. The regulation did not create that demand. It was a policy response to demand that already existed.
The banks that adopted a “wait and see” posture are not being penalized by the CFPB today. But they are behind on a build that is now more urgent, not less. Every quarter of delayed infrastructure investment is a quarter where the gap between their API capabilities and what their most sophisticated clients expect continues to widen.
The Regulation Was Following the Market, Not Leading It
It is worth stepping back and asking why 1033 existed in the first place.
The CFPB did not invent the demand for portable, API-accessible financial data. B2B platforms, treasury management teams, embedded finance providers, and fintech infrastructure companies had been pushing toward this model for years before the rulemaking began. Screen-scraping, the crude workaround that predates proper API access, became a multi-billion dollar industry specifically because the underlying data access banks were supposed to provide natively was not reliably available.
1033 was a regulatory attempt to standardize and enforce something the market had already decided it needed. The rule’s legal troubles do not change the underlying commercial reality. Enterprise clients expect API-native access to their financial data. B2B platforms are building workflows that depend on it. Treasury teams evaluating banking relationships are asking about it directly.
The regulation blinked. The market did not.
Three Posture Shifts Commercial Banks Should Make Now
The enforcement pause on 1033 does not change what commercial banks need to do. It removes a forcing function, which is actually a more dangerous situation than a hard deadline. Without external pressure, investment decisions get deferred. Infrastructure debt accumulates quietly.
Here is what the posture should look like:
Decouple infrastructure investment from enforcement timelines. If your institution’s API roadmap is gated on regulatory enforcement clarity, you are using the wrong input. The question is not when the CFPB will enforce. The question is what your commercial clients and platform partners will require in 18 to 24 months.
Treat data portability as a commercial capability, not a compliance checkbox. Banks that frame it as a competitive capability, one that deepens commercial client relationships and enables the platform integrations those clients are already demanding, will build it to a higher standard and see a return on it.
Audit your current infrastructure against where client expectations are heading. Most core banking systems were not designed for the payment and account management workflows that B2B platforms and embedded finance use cases require. The gap between legacy infrastructure and what modern commercial clients expect is not theoretical. It is showing up in RFPs, in client conversations, and in the partnerships that banks are losing to more API-capable competitors.
The Deadline Passed. The Work Didn’t.
The CFPB’s retreat on 1033 enforcement is not a reprieve. It is a signal that the regulatory framework cannot keep pace with what the market already demands. Banks that treated compliance as the reason to build API infrastructure missed the point. As a result, the ones who built anyway are ahead, and not because of the rule.
Open banking in the U.S. is not waiting for a regulator to enforce it into existence. It is being pulled into existence by the commercial clients, platform partners, and treasury teams who have already decided that API-native data access is a baseline expectation, not a premium feature.
The API infrastructure your commercial clients expect is not a compliance project. It is a competitive one. Talk to Qolo about building the payment foundation that modern B2B relationships require.
