§1033 is enjoined and stayed — so engineer consumer-permissioned data access as a commercial and operational risk, not a regulatory guarantee.

What happened

The CFPB's §1033 open-banking rule — the one that was supposed to standardize permissioned access to consumer financial data and end screen-scraping — is on hold. On October 29, 2025, in Forcht Bank, N.A. v. CFPB (E.D. Ky.), Judge Danny Reeves enjoined the Bureau from enforcing the rule and stayed its compliance deadlines pending new rulemaking. The plaintiffs — Forcht Bank, the Kentucky Bankers Association, and the Bank Policy Institute — were found “likely to succeed on all four claims.”

Read the court's preliminary findings closely, because they tell you how deep the rewrite could go: the rule likely exceeds §1033's statutory authority (the statute contemplates data sharing with consumers and fiduciary-like agents, not commercial third parties); is likely arbitrary and capricious under the APA; likely lacked authority to bar interface-access fees; and set deadlines that likely rely on consensus standards that don't yet exist.

This is a preliminary injunction, not a final vacatur — enjoined and stayed, not struck down. The rule could survive in modified form.

On the dates: the rule text sets the first compliance date at April 1, 2026 for the largest providers (≥$250B assets / ≥$10B receipts), tiering down to April 1, 2030 for the smallest (§1033.121). You may have seen “June 30, 2026” cited as the first deadline — that's a reported extended date (tied to a March 27, 2025 joint stay), not something I can confirm against a primary court order. It's also moot: the deadline is stayed.

The backdrop keeps shifting. The CFPB published an ANPR, “Personal Financial Data Rights Reconsideration,” on August 22, 2025 (comments closed October 21, 2025), and has signaled — not confirmed issuing — an interim or proposed rule to extend compliance dates; funding constraints may slow that work. A May 19, 2026 Executive Order, “Integrating Financial Technology Innovation into Regulatory Frameworks,” adds further directional uncertainty.

Why it matters for credit risk practitioners

If your roadmap assumed §1033 would hand you standardized, permissioned, no-screen-scrape access on a fixed date, that assumption is now a liability. Three dependencies just got shaky: the standard (consensus specs the court flagged as not-yet-existing), the mandate (enjoined), and the price (the court questioned the Bureau's authority to bar interface-access fees — so “free” access was never guaranteed).

The practical risk isn't that data access vanishes. It's that teams plan around a phantom deadline, defer fallback engineering, and discover coverage gaps or fee changes mid-quarter. A cash-flow underwriting model that silently degrades when one institution's coverage drops is an operational-risk problem wearing a data-science costume.

What to watch / what to do

The plumbing you actually depend on is commercial, and it keeps running. Aggregators (Plaid, FDX) say they'll keep building secure permissioned connections regardless of the rule; banks keep negotiating access deals; cash-flow underwriting works today without waiting on 1033. So build for the contract, not the rule:

• Treat data-access continuity as an operational-risk line item, not an IT afterthought. Put coverage, fee exposure, and connection method (API vs. screen-scraping) on the same register as model and vendor risk.
• Model pipeline performance under partial data loss. Know what your underwriting decision looks like when per-institution coverage drops, a connection breaks, or a fee tier changes. Design for graceful degradation, not a binary on/off.
• Map per-institution coverage gaps and screen-scraping deprecation. Even without a mandate, scraping is being retired commercially; thinner connections at smaller institutions stay an open question.
• Watch the rulemaking, but don't bet the roadmap on it. Track whether the CFPB issues (not just signals) a date extension, and how the ANPR and the May 19 EO reshape any API mandate.

The honest hedge: don't bury §1033 either. It could revive in modified form, and the EO/ANPR path could re-mandate API access and accelerate the death of screen-scraping — which would change your build calculus again. Smaller-institution access economics remain genuinely unsettled. None of this is legal advice; confirm regulatory status with counsel before you commit.

The deadline you shouldn't build around is the one that isn't there. Build around the connections that feed your pipeline today.