The Consumer Financial Protection Bureau issued a proposed rule on Wednesday that would require banks and credit unions with more than $10 billion in assets to provide customers with machine-readable exports of all transaction data — including account balances, payment history, and pending transactions — within twenty-four hours of a customer's written request. The rule, described as a "Section 1033 personal financial data rights implementation," would take effect in phases beginning March 2027, with smaller institutions given until March 2029. The CFPB frames it as a matter of consumer property rights: the transaction data generated by a customer's account belongs to that customer, and the customer must be able to exercise that right efficiently and without requiring a phone call to a bank branch.

Section 1033 of the Dodd-Frank Act, passed in 2010, granted the CFPB authority to require financial institutions to make consumer data available in "standardised, machine-readable format." It has taken nearly sixteen years for the Bureau to exercise that authority in a proposed rule — a delay that reflects the sustained lobbying effort from the banking sector and a series of political changes at the CFPB leadership level that repeatedly deferred action. The rule now proposed is substantively similar to the open banking frameworks implemented in the United Kingdom under the Competition and Markets Authority's 2017 order and in the European Union under PSD2. The US is, in this respect, arriving late to an infrastructure that the UK fintech sector has already built on for eight years and that has produced a market in account information services currently estimated at £2.6 billion annually.

The specific technical requirement — twenty-four hours for data delivery — is what the American Bankers Association characterises as "operationally unrealistic." Their objection is not implausible on its face: many US banks operate on core banking systems built in the 1980s that do not have application programming interfaces, and retrofitting API infrastructure to those systems to deliver standardised data exports within a regulatory deadline is a genuine engineering challenge. The CFPB's response, implicit in the rule's phased implementation, is that the largest banks — which have the resources to build the infrastructure — must move first, creating competitive pressure on the mid-size institutions to follow or risk customer attrition to banks that have complied. This is, in essence, the same mechanism the UK used, where Barclays and HSBC's early compliance created an API ecosystem that smaller institutions felt compelled to join.

The deeper significance of the rule is not the twenty-four-hour SLA but the standardised format requirement. The CFPB has proposed alignment with the Financial Data Exchange standard, which is already used voluntarily by several hundred US financial institutions and which provides the interoperability layer for the consumer fintech services that tens of millions of Americans use to aggregate financial data. Mandatory adoption of FDX would, for the first time, give those services reliable, standardised, and permission-based data access rather than the screen-scraping methods that currently power many aggregators and that carry cybersecurity risks the banks have long cited as justification for blocking third-party data access. The banks' opposition to the rule is therefore, at least in part, opposition to the elimination of a technical friction that has until now served as a moat. That moat is not going to survive much longer — and the ABA's invocation of operational complexity as the primary objection suggests that the industry itself knows this.