
The CFPB Isn’t the Only Game in Town

The objection sounds reasonable on its surface: the CFPB’s 1033 rulemaking is tied up in litigation, the current administration has reopened it for reconsideration, and nobody knows when – or in what form – a final federal rule will land. So why invest in open finance risk management infrastructure now?

Here is why that logic doesn’t hold.

The federal picture

In August 2025, the CFPB reopened its open banking rulemaking with an Advance Notice of Proposed Rulemaking, stating it would replace the Biden-era final rule with a new version “more suited to market realities.” A court has stayed further proceedings in the related litigation pending the new rulemaking, and the original Biden-era rule is scheduled to go into effect on June 30, 2026. The timetable is uncertain. The direction of travel is not. 

Section 1033 of the Dodd-Frank Act has been on the books since 2010. The statutory text is clear: financial institutions “shall make available” covered consumer data “upon request” – not contingent on a rulemaking, and not contingent on a particular administration’s policy preferences. Whatever form the revised rule takes, the underlying obligation exists. The question has always been implementation, not intent. 

But here is the more urgent point – the states aren’t waiting

Stepping into the breach created by federal uncertainty, New York lawmakers are advancing companion bills – A10640 in the Assembly and S9483 in the Senate – that would establish a state-level financial data access regime directly modelled on the CFPB’s final 1033 rule from 2024.

The New York Financial Data Rights Act is not a watered-down version of the federal rule. In several respects it goes further. It covers small businesses as well as consumers. It imposes a maximum civil penalty of $10,000 per violation – unlike the CFPB’s 2024 rulemaking, which did not specify penalty amounts.

Importantly, it applies not only to New York-chartered banks, but also to out-of-state banks that maintain a financial product or service for a New York resident, and any entity regulated by the New York Department of Financial Services that maintains a financial product or service for a New York resident. 

Read that again. Out-of-state banks serving New York residents are covered. Moreover, the NYDFS’s reach is broad, covering insurance as well as banking. If this bill passes, it is not a New York problem for New York banks. It is a compliance requirement for a significant proportion of the US financial services industry.

California and New York have historically been the most active states in regulating financial data privacy and security. New York has moved first on financial data access. California has the infrastructure – and the political appetite – to follow. Governor Newsom’s appointment of Rohit Chopra – the former CFPB Director who oversaw the original Section 1033 rulemaking – to lead California’s new Business and Consumer Services Agency (launching July 1, 2026) is the clearest possible signal of that appetite. The official who wrote the federal rule is now running the state agency that oversees California’s financial services sector.

Where New York and California lead, others typically follow, because the operational cost of maintaining different compliance postures across jurisdictions eventually drives convergence toward the higher standard.

The state leadership pattern is already established

This is not a new dynamic. It is exactly how data privacy regulation evolved in the US. California enacted the CCPA in 2018. Within four years, a majority of states had introduced or enacted comparable legislation. Federal privacy legislation is still a long way away, but that doesn’t matter, because the privacy compliance requirement arrived – state by state, with varying standards, creating exactly the patchwork that financial institutions find most operationally costly to manage.

Open finance data rights are following the same path.

What this means for risk management

The “wait for 1033” objection assumes that a federal rule is the only trigger for open finance activity, but that does not appear likely to be the case. Moreover, open finance data flows are already happening. Consumers are already authorizing third-party access to their accounts. Aggregators are already sitting in the chain between banks and fintechs. The risks of data sharing already exist today – in the data that is moving through participants whose security posture banks cannot currently see in real time.

A federal rule doesn’t create the risk or the obligation to manage it. That obligation already exists for data sharing happening today, and state legislation – particularly in a market the size of New York – creates that obligation for even more data sharing on a shorter timeline than any federal rulemaking process can deliver.

The institutions that build the risk management infrastructure now are the ones that will be able to demonstrate adequate controls when their regulators ask. The ones that wait for federal certainty may find that state-level compliance deadlines arrive first.

Open finance risk management isn’t waiting for the CFPB. The question is whether financial institutions are.

