CFPB SECTION 1033 — PERSONAL FINANCIAL DATA RIGHTS RULE  |  LARGE BANK COMPLIANCE DEADLINE: APRIL 1, 2026  ·  MID-SIZE BANKS: OCTOBER 1, 2026
Authoritative Industry Reference · Est. 2025

The US Open Banking Framework

A comprehensive architecture, regulatory compliance, and governance blueprint for financial institutions navigating the CFPB Section 1033 era — aligned with FDX, FAPI 2.0, and global best practices.

◈ Compliance Dashboard
  • CFPB 1033 Status: ACTIVE RULE
  • FDX Standard: v6.0 CURRENT
  • FAPI Profile: 2.0 BASELINE
  • Large Banks Deadline: APR 1, 2026
  • Mid-Size Deadline: OCT 1, 2026
  • FDX Members: 200+ ORGS
  • Framework Coverage: 13 SECTIONS
  • 1033: Dodd-Frank Section — Consumer Data Rights
  • 5: Architecture Layers — End-to-End Blueprint
  • 13: Framework Sections — Comprehensive Coverage
  • 24mo: Phased Roadmap — Foundation to Excellence
Framework Overview

The Dawn of Structured Open Banking in America

The United States financial services industry stands at a historic inflection point. The CFPB's finalization of the Personal Financial Data Rights Rule under Section 1033 of the Dodd-Frank Act signals the end of the screen-scraping era and the beginning of structured, consent-based Open Banking.

Unlike the UK and EU — which implemented Open Banking through prescriptive mandates — the US has relied on bilateral data-sharing agreements and credential-based aggregation. That model is being systematically replaced by a consumer-rights framework backed with legal enforcement.

"Open Banking is not about banks giving data away. It is about consumers exercising their legal right to authorize data sharing — with full transparency, consent controls, and the ability to revoke at any time."

— Open Banking Framework, Foundational Principle

This framework provides the definitive reference for US financial institutions: from community banks to tier-1 money center institutions. It covers the full spectrum — regulatory compliance, technical architecture, API design, security, consent management, data governance, ecosystem participation, and operational governance.

Three Core Pillars
  • 01 · Consumer Data Sovereignty
    Individuals own their financial data and have the unambiguous legal right to share it on their own terms — with any authorized third party they choose, for any authorized purpose, revocable at any time.

  • 02 · Standardized API Access
    The Financial Data Exchange (FDX) API standard provides a secure, machine-readable, and interoperable interface to financial data — replacing fragile screen-scraping with a durable technical contract.

  • 03 · Third-Party Innovation
    Licensed, certified third-party providers build consumer-consented value-added services — budgeting apps, lending platforms, tax tools, wealth managers — atop shared financial data, creating an open ecosystem.

  • 04 · Security by Design
    FAPI 2.0, Mutual TLS, Zero Trust networking, and end-to-end encryption are not optional enhancements — they are baseline requirements embedded at every architectural layer from day one.

Regulatory Landscape

The Compliance Framework

US Open Banking compliance operates across an interconnected web of federal regulations. Financial institutions must simultaneously satisfy consumer data rights, privacy, security, and prudential standards.

Primary Regulation · CFPB Section 1033 — Personal Financial Data Rights · Finalized Oct 22, 2024
The centerpiece of US Open Banking regulation. Creates legally enforceable consumer rights to access and share financial data. Establishes obligations for data providers (banks) and data recipients (TPPs), including developer portal requirements, authorization programs, and data deletion mandates.

Privacy & Security · Gramm-Leach-Bliley Act (GLBA) — Safeguards Rule 2023 · Safeguards Rule: Jun 2023
The updated 2023 Safeguards Rule mandates AES-256 encryption at rest, mandatory MFA for customer data access, incident response plans, and 30-day breach notification. Privacy notices must reflect Open Banking data-sharing capabilities. Opt-out rights must be operationalized.

State Privacy · CCPA / CPRA — California Consumer Privacy Act · CPRA Effective: Jan 2023
For institutions serving California residents: Right to Know, Right to Delete, Right to Correct, and Right to Opt-Out of data sale. Financial data sharing with TPPs for commercial purposes may constitute a "sale" under CCPA. Sensitive Personal Information limits apply to financial data.

Payments · Electronic Fund Transfer Act (EFTA) — Regulation E · Ongoing Compliance
Governs error resolution for payment-related data in Open Banking contexts. Payment initiation via third-party APIs (PISP model) must comply with Reg E error resolution timelines. Consumer liability limits apply to unauthorized electronic fund transfers.

Credit Data · Fair Credit Reporting Act (FCRA) · Separate Authorization Required
Credit data sharing carries specific consent requirements separate from CFPB 1033. A separate, standalone authorization is required for any access to credit report data. Permissible purpose must be documented and demonstrable. Significant penalties apply for unauthorized access.

Safety & Soundness · OCC Third-Party Risk Guidance · OCC Bulletin 2023-17
OCC Bulletin 2023-17 establishes comprehensive third-party risk management expectations: annual TPP inventories, due diligence documentation, ongoing monitoring, and significant event reporting. Enhanced scrutiny applies to critical third parties with access to sensitive consumer data.
◈ CFPB 1033 Compliance Timeline — US Banking Industry
  • OCT 22, 2024 · Rule Finalized: CFPB publishes the Final Rule in the Federal Register. Compliance clock begins.
  • APR 1, 2026 · Large Banks Deadline: Banks > $250B assets must achieve full CFPB 1033 compliance.
  • OCT 1, 2026 · Mid-Size Banks: $10B–$250B asset institutions must achieve full compliance.
  • OCT 1, 2028 · Community Banks: Institutions < $3B assets — full industry compliance achieved.
Technical Architecture

Five-Layer Architecture Model

The Open Banking platform is structured across five distinct layers — each with defined responsibilities, components, and interfaces — providing separation of concerns, independent scalability, and clear accountability boundaries.

Layer 01 · Consumer & Channel Layer
All touchpoints through which consumers interact with Open Banking: consent capture, management UI, and transparency dashboards.
Components: Mobile Banking App, Consent Dashboard, Online Banking Portal, Notification Engine, Revocation UI

Layer 02 · API Gateway & Security Layer
Front door for all TPP access. Enforces authentication, authorization, rate limiting, and policy before any request reaches backend systems.
Components: Kong Enterprise / AWS API GW, FAPI 2.0 Auth Server, mTLS Termination, Rate Limiting Engine, WAF / DDoS Protection, Developer Portal

Layer 03 · Open Banking Platform Layer
Orchestrates core Open Banking business logic: consent lifecycle, data access orchestration, and the third-party relationship registry.
Components: Consent Engine, Data Orchestration Service, TPP Registry, Kafka Event Bus, Token Service, Notification Service

Layer 04 · Data Access & Translation Layer
Bridges the Open Banking platform with core banking systems, transforming legacy data formats into FDX-compliant API responses.
Components: Core Banking Adapter (Fiserv / FIS / Jack Henry), FDX Schema Transformer, Redis Cache, Data Quality Service, Legacy API Bridge

Layer 05 · Infrastructure & Observability Layer
Cloud-native infrastructure with comprehensive observability, secrets management, and immutable audit logging for regulatory compliance.
Components: AWS Multi-Region (us-east-1 + us-west-2), Kubernetes (EKS) + Istio, HashiCorp Vault, Datadog APM, S3 Object Lock (Immutable Audit)
Security Architecture

FAPI 2.0 — Financial-Grade API Security

Pushed Authorization Requests (PAR) · RFC 9126 · MANDATORY
Authorization parameters are submitted directly to the Authorization Server — never via browser redirect. This prevents parameter tampering and injection attacks at the authorization initiation stage.

Mutual TLS (mTLS) Client Authentication · RFC 8705 · MANDATORY
Certificate-based client authentication for all TPP connections — no shared secrets. TPP certificates are registered in the TPP Registry and validated in real time on every API request.

DPoP — Demonstrating Proof of Possession · RFC 9449 · MANDATORY
Access tokens are cryptographically bound to the specific client that requested them. A stolen token cannot be replayed from a different client, closing off bearer-token theft and replay, the most common OAuth attack vector.

HTTP Message Signing (Request Non-Repudiation) · RFC 9421 · FAPI 2.0 MSG SIGNING
All API requests are signed by the TPP using its registered private key. Signed messages provide legally admissible evidence of data access — critical for dispute resolution and regulatory audit.

Zero Trust Network Architecture · NIST SP 800-207 · BASELINE
No implicit trust based on network location. Every service-to-service call is authenticated via mTLS + SPIFFE/SPIRE identity. Micro-segmentation is enforced at pod level via the Istio service mesh.

End-to-End Encryption · GLBA SAFEGUARDS · MANDATORY
TLS 1.3 minimum in transit. AES-256 at rest with AWS KMS customer-managed keys. Field-level encryption for PII in databases. HSM-backed signing keys for production authorization servers.
FDX API Specification

Core API Endpoint Reference

The Financial Data Exchange API specification defines the data models, endpoints, HTTP methods, and response schemas that US banks must implement to achieve CFPB 1033 compliance.

Endpoint · Function · Required Scope
  • GET /accounts · List all consumer accounts — type, status, masked account number · ACCOUNT_BASIC
  • GET /accounts/{id} · Full account detail — balance, product type, rates, dates · ACCOUNT_DETAILED
  • GET /accounts/{id}/transactions · Transaction history with pagination — 90-day minimum required · TRANSACTIONS
  • GET /accounts/{id}/statements · Statement metadata list — dates, periods, download URLs · STATEMENTS
  • GET /accounts/{id}/statements/{id} · Statement document — PDF or structured JSON format · STATEMENTS
  • GET /customers/current · Consumer profile — name, contact information on file · CUSTOMER_CONTACT
  • GET /payment-networks · Payment capabilities — network types, daily limits, supported rails · ACCOUNT_PAYMENTS
  • POST /payment-support/transfers · Initiate payment transfer — requires enhanced consent + annual re-auth · PAYMENT_SUPPORT
  • GET /tax-documents · Tax document inventory — W-2, 1099-INT, 1099-DIV, 1098 · TAX_DOCUMENTS
  • GET /products · Available financial products — rates, terms, eligibility criteria · PRODUCTS
Operating Model

Governance Structure

Open Banking governance requires a federated model — strong central standards and oversight combined with domain-level autonomy. Lightweight enough to not impede velocity, rigorous enough to maintain compliance and consumer trust.

Strategic Body · Executive Steering Committee · ⟳ Quarterly Cadence
C-suite and board-level accountability for regulatory compliance, strategic direction, and Open Banking investment decisions. Members: CEO, CRO, CTO, CCO, CISO, Legal Counsel.

Central Coordination · Open Banking Program Office · ⟳ Weekly Cadence
Central coordination and standards function managing framework evolution, TPP relationships, and policy development. Led by the Chief Open Banking Officer with Architecture, Compliance, and Security leads.

Technical Governance · Architecture Review Board · ⟳ Proposal-Driven
Reviews significant architectural changes, approves new API capabilities, and adjudicates major security changes. Architecture Decision Records (ADRs) are stored in Git — not SharePoint.

Domain Execution · Domain Working Groups · ⟳ Bi-Weekly Cadence
Business domain-specific implementation groups for checking, savings, lending, cards, and payments. Each domain team owns its API implementation, data quality, and SLA within central guardrails.

Ecosystem Voice · TPP Advisory Council · ⟳ Quarterly Cadence
External stakeholder forum representing the TPP ecosystem community. Provides input on product roadmap, API design, and developer experience. Members are invited from Tier 3/4 TPPs and FDX representatives.

Data Accountability · Data Governance Council · ⟳ Monthly Cadence
FDX schema compliance, data retention policy enforcement, Privacy Impact Assessments, and data lineage oversight. Members: CDO, Domain Data Stewards, Privacy Counsel, Compliance.
Implementation Roadmap

24-Month Phased Implementation

Four phases delivering standalone value at each stage — from regulatory compliance baseline through ecosystem leadership and operational excellence.

Phase 1 · Months 1–6 · Foundation · Compliance Baseline
  • Developer Portal launch
  • FDX API v5 core endpoints
  • OAuth 2.0 + FAPI 1.0
  • Consent Management v1
  • Sandbox environment
  • Immutable audit logging
  • 15–20 TPPs onboarded
  • GLBA Safeguards compliance
Milestone: CFPB 1033 Compliance

Phase 2 · Months 7–12 · Enhancement · Security & Scale
  • FAPI 2.0 full implementation
  • Payment Initiation APIs
  • Automated TPP onboarding
  • Consent Management v2
  • ML-based abuse detection
  • Zero Trust / Istio mesh
  • FDX v6 readiness
  • FAPI conformance cert
Milestone: Security Excellence

Phase 3 · Months 13–18 · Expansion · Market Leadership
  • Reciprocal data access
  • Premium API marketplace
  • Banking-as-a-Service foundation
  • AI consent intelligence
  • Open Finance expansion
  • International interoperability
  • TPP Innovation Program
  • Revenue-generating tiers
Milestone: Revenue Generation

Phase 4 · Months 19–24 · Optimization · Operational Excellence
  • FinOps cost optimization
  • AI-driven observability
  • Consent analytics platform
  • API monetization engine
  • Center of Excellence
  • Regulatory automation
  • Continuous compliance
  • Full industry maturity
Milestone: Industry Leadership
Performance Standards

Operational KPI Targets

The Open Banking platform must meet rigorous performance and compliance SLAs. These targets are non-negotiable for consumer trust and regulatory compliance.

  • 99.9% · AVAILABILITY SLA · Monthly API uptime target · ≤ 8.7 hrs downtime/year
  • <500ms · P99 LATENCY · Account data API response time · Under normal load conditions
  • <60s · REVOCATION TIME · Consent revocation to access suspension · Consumer-initiated real-time revocation
  • 3 days · DATA DELETION · TPP data deleted post-revocation · CFPB 1033 mandatory requirement
  • 30 days · TPP ONBOARDING · Standard tier end-to-end · 60 days for payment scope TPPs
  • 365 days · MAX CONSENT DURATION · Annual re-authorization required · CFPB 1033 §1033.421 requirement
  • <4h · P1 RESOLUTION · Critical incident resolution target · 15 min detection SLA
  • 36h · BREACH NOTIFICATION · OCC notification requirement · For large bank notification incidents
Global Context

Open Banking Around the World

Understanding the US position relative to international markets calibrates ambition and enables learning from established implementations. The US transition from market-driven to regulated Open Banking mirrors the trajectory of every mature market.

Market · Regulatory Model · Technical Standard · Security Profile · Maturity
  • 🇬🇧 United Kingdom · CMA Mandate (2018) · OBIE API Standard · FAPI 1.0 Advanced · Mature — 11M+ users
  • 🇪🇺 European Union · PSD2 / PSD3 Mandate · Berlin Group / STET · FAPI 1.0 / eIDAS · Mature — 50M+ users
  • 🇧🇷 Brazil · BCB Mandate (5 Phases) · BCB Open Finance API · FAPI 2.0 · Advanced — Scaling
  • 🇦🇺 Australia · CDR — Consumer Data Right · ACCC/DSB Standards · FAPI 1.0 Advanced · Growing — Phase-based
  • 🇮🇳 India · RBI Account Aggregator · AA Framework (ReBIT) · FAPI-aligned · Scaling Rapidly
  • 🇺🇸 United States ★ · CFPB 1033 + Market-Driven · FDX API (Industry Standard) · FAPI 2.0 (Target) · Transitioning — 2026
  • 🇸🇬 Singapore · MAS-Guided (Voluntary) · SGFinDex · OAuth 2.0 / OIDC · Functional
  • 🇨🇦 Canada · OSFI Consultation Phase · Market + Government · TBD · Early Stage
Framework Author & Principal Architect
Badar Majeed — Enterprise Architect
https://www.linkedin.com/in/badarmajeed/
Open Banking Specialist · TOGAF Practitioner · Financial Services Architecture

Drawing on over 18 years of enterprise architecture experience spanning regulated financial services, Open Banking infrastructure, and digital transformation, this framework synthesizes first-hand implementation knowledge gained across multiple major financial institutions.

The Open Banking Framework for the US is built on deep expertise in the UK Open Banking implementation (one of the most mature globally), US regulatory architecture under Dodd-Frank, and the technical standards that underpin modern financial data ecosystems — OAuth 2.0, FAPI, FDX, and BIAN.

🏗️
Enterprise Architecture — TOGAF-anchored architecture across regulated financial institutions including Open Banking platform design, API strategy, and core banking modernization.
🏦
Open Banking Specialization — Deep expertise in UK Open Banking (OBIE standard), US CFPB Section 1033 compliance architecture, FDX API implementation, and FAPI 2.0 security profiles.
⚖️
Regulatory Architecture — Architected compliance frameworks across GLBA, PSD2, GDPR, SOX, and Basel III — translating regulatory requirements into technical design patterns.
🌐
US Financial Services — Specialized focus on the US financial regulatory ecosystem with expertise in the technical architecture of CFPB 1033 compliance for US financial institutions.
◈ Core Expertise Areas: Open Banking, CFPB 1033, FDX API, FAPI 2.0, TOGAF, BIAN, OAuth 2.0 / OIDC, Zero Trust, API Architecture, Data Governance, Consent Management, AWS Cloud, Microservices, PSD2 / PSD3, GLBA Compliance, Core Banking Modernization, TPP Risk Management, Financial Data Exchange
  • 18+ Years Enterprise Architecture Experience
  • 13 Framework Sections Published
  • 5 Architecture Layers Designed
  • US Jurisdiction Focus — Financial Services
Standards & References

Regulatory & Technical References

This framework is grounded in authoritative regulatory instruments, industry standards, and technical specifications from recognized standards bodies.

  • Primary Regulation · CFPB Personal Financial Data Rights Rule (12 CFR Part 1033) · Consumer Financial Protection Bureau · Oct 2024
  • Industry Standard · Financial Data Exchange (FDX) API Specification v6.0 · financialdataexchange.org · 2024
  • Security Profile · FAPI 2.0 Security Profile — Baseline & Message Signing · OpenID Foundation (OIDF) · 2024
  • OAuth Standard · Pushed Authorization Requests (RFC 9126) + DPoP (RFC 9449) · IETF · 2021–2023
  • Privacy Regulation · GLBA Safeguards Rule (Updated 2023) — FTC 16 CFR Part 314 · Federal Trade Commission · June 2023
  • Security Framework · NIST Cybersecurity Framework 2.0 + Zero Trust (SP 800-207) · National Institute of Standards & Technology · 2024
  • Banking Standard · BIAN Service Landscape — Banking Industry Architecture · Banking Industry Architecture Network · 2024
  • EA Methodology · TOGAF ADM — Architecture Development Method · The Open Group · TOGAF 10
  • Risk Guidance · OCC Bulletin 2023-17 — Third-Party Risk Management · Office of the Comptroller of the Currency · 2023