April 1, 2026, was supposed to mark the first compliance deadline under the Consumer Financial Protection Bureau’s (CFPB) Personal Financial Data Rights rule. Instead, it marks something very different: a regulatory regime in flux.

A federal court has enjoined the CFPB from enforcing the rule while the Bureau undertakes a reconsideration process. At the same time, the CFPB has initiated steps to reevaluate the rule and may revise or replace key aspects through further rulemaking.

For banks and other financial institutions, that creates a familiar dynamic: a rule that exists on paper, but not in practice.

What Happened

The CFPB finalized its Section 1033 rule in October 2024, establishing a phased compliance schedule beginning April 1, 2026, for the largest covered data providers — namely, large depository institutions and certain large nondepository data providers.

Since then, several developments have changed the landscape:

• A federal district court (Eastern District of Kentucky) issued an injunction preventing the CFPB from enforcing the rule.
• The CFPB initiated reconsideration through an Advance Notice of Proposed Rulemaking in August 2025.
• The Bureau has indicated it is reviewing whether the rule, in its current form, should be modified or withdrawn.

In other words, the April 1date arrived, but not as a binding enforcement trigger.

What This Means for Banks

Many institutions may be inclined to pause activity. That approach carries risk.

Even without active enforcement, Section 1033 is already shaping expectations across regulators, counterparties, and, eventually, plaintiffs’ lawyers.

Three points are worth focusing on now.

1. The architecture is already being built, and will matter later

Many institutions have invested heavily in data-sharing infrastructure and API development. Those systems are not going away. When enforcement resumes (or a revised rule is issued), those early design decisions will define what compliance looks like in practice.

2. Vendor reliance does not eliminate exposure

Even in a paused environment, the same principle applies: banks cannot outsource responsibility. If a future rule looks anything like the current framework, institutions will remain accountable for failures involving access, availability, or data deliver, regardless of who built or operates the system.

3. This is a preview of future litigation themes

Even absent enforcement, the concepts embedded in Section 1033 — consumer-directed data sharing, third-party access, and control over financial data — are likely to surface in private litigation and state-level scrutiny. Institutions that treat this as a dormant issue may find themselves defending practices shaped during this interim period.

What To Do Now

Rather than treating this as dead time, institutions should use the pause strategically:

• Pressure test data-sharing systems already implemented or in development.
• Revisit vendor agreements to ensure accountability aligns with actual risk.
• Formalize policies governing access decisions, restrictions, and security controls.
• Monitor CFPB rulemaking developments and related litigation closely.

Bottom Line

Section 1033 did not go live on April 1 in the way originally expected. But it also did not go away.

The better view is that the rule is paused, contested, and being rewritten, but the direction of travel remains clear. Institutions that treat this as a temporary reprieve risk falling behind when the next version emerges.