Skip to main content
Beancount.io LogoBeancount.io

Open Banking in Limbo: What the CFPB Section 1033 Rollback Means for Small Business Bank Feeds

9 min readMike ThriftMike Thrift
Open Banking in Limbo: What the CFPB Section 1033 Rollback Means for Small Business Bank Feeds

If you run a small business and your accounting software automatically pulls in your bank transactions every morning, you have open banking to thank for it. That quiet convenience — no more manually downloading CSVs, no more typing in a login and password for a budgeting app to "borrow" your bank credentials — was supposed to get a permanent legal foundation this year. Instead, the rule that was meant to lock it in has been frozen by a federal court, and nobody quite knows what happens next.

For small business owners who rely on bank-data-powered tools — accounting software with live bank feeds, cash flow forecasting apps, expense management platforms, lending marketplaces that verify your revenue by connecting to your bank account — this isn't an abstract regulatory footnote. It's a real question about whether the tools you depend on will keep working the same way, whether they'll start charging more, and whether your financial data is as protected as you assumed.

What Section 1033 Was Supposed to Do

Section 1033 refers to a provision buried in the 2010 Dodd-Frank Act that gave consumers (and, by extension, small businesses using consumer-type deposit accounts) the right to access their own financial data in a usable, electronic form. For over a decade, that right existed on paper but had no real teeth or standard behind it.

2026-07-09-open-banking-cfpb-section-1033-rollback-small-business

In October 2024, the Consumer Financial Protection Bureau (CFPB) finally finalized a rule to make that right concrete. The Personal Financial Data Rights rule required "data providers" — mainly banks and credit unions — to make a customer's account and transaction data available electronically, on request, to the customer or to a third-party app the customer has authorized. Third parties like budgeting apps, lenders, and accounting platforms would have to go through a certification process and follow strict rules about how they collect, use, and retain that data.

The rule set up a phased compliance schedule, with the biggest banks and data providers required to comply starting April 1, 2026, and smaller institutions getting more time. In plain terms: it was meant to replace the old, insecure way that fintech apps connected to your bank — asking you to type your online banking username and password directly into a third-party app, a practice called "screen scraping" — with a safer, standardized, API-based handoff that didn't require handing over your actual login credentials.

Why It's Now in Limbo

That's not how 2026 has gone. Bank trade groups sued to block the rule, arguing the CFPB overstepped its authority, and a federal court in Kentucky issued an injunction preventing the agency from enforcing it. At the same time, leadership at the CFPB itself changed direction: the bureau's chief legal officer told the court the agency now views the rule as unlawful and asked to have it set aside rather than defended.

Rather than disappearing, the rule went into a kind of regulatory purgatory. In August 2025, the CFPB opened a fresh public comment period — an Advance Notice of Proposed Rulemaking — signaling it intends to rewrite significant parts of the framework rather than scrap the underlying idea entirely. So when April 1, 2026 arrived, the first wave of "you must comply by this date" deadlines came and went without becoming a binding enforcement trigger. The rule is, as one law firm alert put it, "paused, contested, and being rewritten."

Three specific questions are back on the table as part of that rewrite:

  • Who counts as an authorized "representative" allowed to request your data on your behalf — a question that affects everything from budgeting apps to bookkeeping platforms to lending marketplaces.
  • Whether banks can charge fees for providing data access, rather than the original rule's expectation that this data sharing would be free to the consumer and the requesting app.
  • How data security and privacy risks should be assessed and managed as more of your financial life flows through third-party pipes.

The Fee Question Is Already Playing Out

That second question — fees — isn't just theoretical. While the rule sat in legal limbo, at least one major bank moved ahead on its own terms: JPMorgan Chase signed a commercial data-access agreement with Plaid, one of the largest data aggregators that powers bank-feed connections for countless fintech and accounting apps, in September 2025. The terms weren't fully public, but the arrangement signals that large banks are positioning to charge for the data pipes that fintech companies — and by extension, the small businesses using those fintech tools — have gotten used to treating as free infrastructure.

If that model spreads, the economics of open banking shift meaningfully. A budgeting app, a bank-feed-driven bookkeeping tool, or a cash-flow forecasting platform that currently pays little or nothing to connect to your bank could face new access costs. Those costs tend not to stay with the vendor — they show up eventually as new subscription tiers, transaction fees, or reduced free-tier functionality for the business owner on the other end.

What This Means for the Tools You Actually Use

Most small business owners don't think about Section 1033 directly. What you experience is much more concrete:

  • Live bank feeds in accounting software. Whether transactions sync automatically into your books.
  • Lending and credit applications that verify your revenue and cash position by linking your bank account instead of asking you to upload PDF statements.
  • Cash flow forecasting and spend management tools that need continuous, reliable access to transaction data to work at all.
  • Payment and payroll platforms that confirm account ownership before moving money.

All of these depend on the same underlying plumbing that Section 1033 was meant to standardize and secure. With the rule enjoined, that plumbing hasn't disappeared — banks and aggregators like Plaid, MX, and Finicity still maintain data connections — but the legal guarantee that it has to exist, has to be free, and has to meet a consistent security bar is no longer settled law. Access today runs on a patchwork of private commercial agreements between banks and aggregators rather than a uniform federal requirement.

The practical risk for a small business is less "your bank feed stops working tomorrow" and more "the terms, cost, and reliability of that connection could shift with little warning, and you may not find out until your bookkeeping software throws an error or your accounting bill goes up."

What Small Business Owners Should Actually Do

You don't have to become a banking-regulation expert to protect yourself here. A few practical steps go a long way:

1. Know which of your tools depend on bank-data connections

Make a short list: your accounting software's bank feed, any lending or line-of-credit application you've connected to your bank, any budgeting or forecasting app, and any payment platform that verifies your account. If you don't know how a tool gets its data, ask — or check whether it uses a recognized aggregator (Plaid, MX, Finicity) versus asking for your bank password directly.

2. Avoid tools that still rely on screen scraping

If a financial app asks you to type your actual online banking username and password into its own login screen — rather than redirecting you to your bank's site to authorize access — that's the older, less secure screen-scraping approach the 2024 rule was designed to phase out. It's riskier from a security standpoint and more likely to break when banks change their sites. Favor tools built on the API-based Financial Data Exchange (FDX) standard, which is where the market is converging regardless of what the CFPB ultimately decides.

3. Don't treat your bank feed as infallible

Whatever happens with the rule, connections between banks and third-party apps can and do break — a login change, a bank security update, or a shift in commercial terms can all interrupt a feed without warning. Reconcile your books against your actual bank statement on a regular cadence rather than assuming an automated feed caught everything. This is good practice regardless of the regulatory backdrop, and it catches sync errors, duplicate transactions, and missed entries before they compound into a bigger mess at tax time.

4. Budget for the possibility of new fees

If you're shopping for accounting software, a lending platform, or a spend-management tool, ask directly whether bank-data access costs are passed on to customers, and whether that could change. It's a reasonable question to put to a sales rep in 2026, given where the industry is heading.

The Bigger Lesson: Own Your Financial Data

Underneath the regulatory back-and-forth is a simple point worth internalizing: the more your bookkeeping depends on a live, proprietary pipe into your bank — one controlled by a bank's commercial terms, an aggregator's business model, and a federal rule that can be enjoined by a single court decision — the less control you actually have over your own records.

That's one reason plain-text, file-based bookkeeping has appeal beyond just developers and technical users. When your ledger is a set of files you own — not a proprietary database locked behind someone else's API access — a disruption in a bank-data pipeline is an inconvenience, not an existential threat to your financial records. You can still import a downloaded statement, reconcile it by hand if you need to, and keep a complete, portable, version-controlled history that isn't dependent on any single vendor's continued goodwill or commercial arrangement with your bank.

Keep Your Books Portable, No Matter What Regulators Decide

Open banking rules will keep shifting as courts, the CFPB, and Congress sort out who controls access to your financial data and who pays for it. You can't control that timeline, but you can control how dependent your bookkeeping is on any single data pipeline. Beancount.io offers plain-text accounting that's transparent, portable, and entirely under your control — no proprietary lock-in, no dependency on a fintech aggregator's commercial terms. Get started for free and see why developers and finance-savvy business owners are moving to a ledger they truly own.