Trupocket
Get Started

Who Owns Your Financial Data?

Christopher Wilbanks5 min read
data-ownership
personal-finance
privacy
api

Open banking is one of those phrases that sounds technical and turns out to be simple. The idea is that the financial data sitting inside your bank account, your transactions, your balances, your payment history, belongs to you, and you should be able to hand a copy of it to any app you trust. Your budgeting tool, your tax software, a lender comparing rates, whatever you pick. For years that has been the promise. In the United States, the rule meant to make it a legal right is sitting frozen in a courtroom.

I want to walk through what that rule actually says, where it stands in the middle of 2026, and why I decided long ago that the answer to "who owns your financial data" should never hinge on a regulation that keeps slipping.

What open banking and Section 1033 promise

The Consumer Financial Protection Bureau, usually shortened to the CFPB, is the federal agency that writes consumer finance rules in the United States. In October 2024 it finalized a rule under Section 1033 of the Dodd-Frank Act, called the Personal Financial Data Rights rule.

The promise is straightforward. Your bank has to let you get your own financial data, and it has to share that data, at your direction, with the apps and services you choose, through a secure connection instead of the old habit of handing over your bank password. A neutral explainer from the Congressional Research Service frames it as the right to access your data and authorize sharing it with third parties. Your bank could no longer treat the records you generated as theirs to lock away.

If you have ever connected a budgeting app to your bank and watched the link break a month later, or felt uneasy typing your bank login into a screen you did not fully trust, this rule was written for that exact frustration.

Where the rule actually stands

Here is the part that matters right now, and where a lot of headlines get it wrong.

The rule was finalized, but it is not being enforced. A group of banks sued, and in late 2025 a federal court in Kentucky enjoined the CFPB from enforcing it while the agency reconsiders the whole thing. An injunction pauses enforcement. It does not erase the rule from the books, and it is not a final decision on whether the rule survives.

At the same time, the CFPB opened its own reconsideration process and has signaled that it plans to revise the rule substantially. So the rule exists, its enforcement is paused, and the text is being rewritten, all at once.

The compliance dates tell the same story. The first deadline, meant for the largest banks, fell on April 1, 2026. That date came and went under the injunction without taking effect. You may also see a "June 30, 2026" date mentioned in some coverage. No single day on the calendar marks when this rule "becomes law" right now, because the whole timeline is paused while the rewrite plays out. The honest summary is that the date keeps moving and nobody can hand you the real one.

I am laying this out as plainly and neutrally as I can. Agencies shift priorities across administrations, lawsuits run their course, and rules get rewritten. That is the ordinary machinery of how this works, and I am not taking a side on who is right in that fight.

Why I am not waiting on it

My point is about timing. If your right to get and move your own money data depends on a rule that has been finalized, paused, and reopened inside of about a year, then in practice you do not have a dependable right yet. You have a promise with an asterisk.

I built Trupocket on the opposite assumption. The data you enter is yours today, whatever any single regulation does next. I mean that literally. It is wired into how the product works.

Two things make it real right now. The first is the Trupocket API, a set of 60+ documented endpoints with full read and write access to your accounts, transactions, budgets, and reports. The same API the web app runs on is the one you can call from your own scripts. The second is a portable export. You can request a complete copy of everything you keep in Trupocket, in machine-readable JSON, and the privacy policy commits to delivering it: your transactions, accounts, budgets, categories, hashtags, payees, and settings, all of it, in a format you can carry anywhere.

Neither of those waits on a court date. They work the same whether Section 1033 is enforced next year, rewritten into something new, or never enforced at all.

The principle underneath

Open banking is a good idea. I hope the United States lands on a strong version of it, because most people deserve to move their financial data without jumping through hoops or trusting that a regulation will be enforced on schedule. The value of owning your data is too important to outsource entirely to whatever the final rule turns out to say.

So I treat data portability as something I owe the people who use Trupocket, rather than a box a regulator forces me to check. If you want to see what that looks like in practice, a free Trupocket account gives you the API and the export from the first day. The rule may keep slipping. Your ability to reach your own data should not have to.