By Personal Finance Tools Team

The Open Banking Rule Was Supposed to Fix Your Finance Apps by April. Here's What Happened.


April 1, 2026 was supposed to be a turning point for anyone who uses a budgeting app. The CFPB’s Section 1033 rule—officially called the Personal Financial Data Rights rule—would have required the largest banks to give you secure, API-based access to your own financial data. No more handing your bank username and password to a third party. No more screen scraping.

That deadline is here. And the rule is effectively dead in the water.

If you use Monarch Money, YNAB, Copilot, Rocket Money, or any app that connects to your bank accounts, this matters to you right now. Here’s what happened, what it means for the apps you rely on, and what you should actually do about it.

What Section 1033 was supposed to do

The short version: Section 1033 of the Dodd-Frank Act says you own your financial data and have the right to share it with whoever you want. The CFPB finalized a rule in October 2024 that would make banks build secure APIs so third-party apps could access your data without needing your login credentials.

Think of it like this. Right now, when you connect Monarch Money to your Chase account, what often happens behind the scenes is that a data aggregator (usually Plaid) logs into Chase as you, using your username and password. It reads the pages, pulls your transactions, and passes them to Monarch. This is screen scraping. From the bank's side it looks exactly like an attacker logging in with a stolen password: your bank can't tell the difference between you logging in, Plaid logging in on your behalf, and someone who has your credentials logging in without your permission.

Section 1033 would have replaced this with proper APIs. Your bank would provide a secure data feed. Apps would connect through OAuth, the same “Sign in with Google” flow you use everywhere else. You’d grant specific, limited permissions. Revoke access anytime. No credentials shared.

The largest banks (over $250 billion in assets) had until April 1, 2026 to comply. Smaller institutions would follow on a longer timeline through 2030.

What actually happened

Several forces converged at once:

The banking industry sued. The Bank Policy Institute and Kentucky Bankers Association filed suit in late 2024, arguing the CFPB overstepped its authority. The case landed in the Fifth Circuit, which isn’t exactly known for siding with federal regulators.

The CFPB changed leadership. The new CFPB director took a different posture on the rule. In early 2025, the bureau signaled it would not defend the rule aggressively in court. By February 2025, the CFPB effectively told the court it would reconsider the rule rather than enforce the April deadline.

Nobody built the APIs. With the legal challenge pending and enforcement uncertain, most large banks paused their API development work. Why spend hundreds of millions building infrastructure for a rule that might never take effect?

So here we are in March 2026. The April 1 compliance deadline exists on paper. In practice, no major bank is racing to meet it, the CFPB isn’t enforcing it, and the court case is still unresolved.

What this means if you use a budgeting app

If you use any app that links to your bank accounts, the practical impact is simple: nothing changes. Which is the problem.

You’re still sharing your bank credentials

When you connected Monarch Money or Copilot to your bank, you almost certainly handed over your actual banking username and password to a data aggregator. Plaid, MX, Finicity (now part of Mastercard), or Yodlee handles the connection for most apps.

Some banks have started offering OAuth-based connections through these aggregators voluntarily. Chase, for instance, has a data-sharing agreement with Plaid. Capital One has its own developer portal. But coverage is spotty. If you bank with a regional institution or credit union, screen scraping is probably still how your data gets pulled.

Your connections will keep breaking

Screen scraping is fragile. Every time your bank updates its website, changes a login flow, or adds a new security prompt, your app connection breaks. You get the dreaded “reconnect your account” notification. You re-enter your credentials. Again.

With proper APIs, this wouldn’t happen. The data feed would be stable, versioned, and maintained. But that’s the world Section 1033 was building toward, and it’s the world we’re not getting anytime soon.

Security risks are real and ongoing

Let’s be blunt about what screen scraping means for your security:

  • Your credentials are stored by third parties. Plaid and similar aggregators store (or at minimum process) your bank login credentials. They encrypt them, sure. But they’re a target. A breach at a data aggregator would be catastrophic.
  • Your bank can’t protect you properly. Banks use login patterns, device fingerprinting, and behavioral signals to detect fraud. When an aggregator logs in from a server farm, those signals are useless. Your bank literally cannot tell a legitimate aggregator login from a stolen-credential login.
  • Multi-factor authentication gets weird. Some aggregators handle MFA prompts by relaying them to you in the app. Others store your MFA answers. Neither approach is great from a security standpoint.
  • You may be violating your bank’s terms of service. Many banks prohibit sharing login credentials with third parties. If something goes wrong, your liability protection could be murky.
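To make the contrast between the two connection methods concrete (the OAuth model described under "What Section 1033 was supposed to do" and the "bank can't protect you" point in the list above), here is a small toy model of a bank that supports both. It is an added example written for this article, not code from Plaid, any bank, or the CFPB; the customer name, client id, password and IP addresses are constructed, and the scope names are hypothetical. It shows why a password-based login carries no party identity the bank can act on, while an OAuth-style grant is tied to a registered client, limited to the scopes the customer approved, single-use at the code stage, and revocable.

```python
"""Toy model: credential sharing (screen scraping) versus OAuth-style scoped access.
Added example for this article; not the code of any aggregator, bank or regulator."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample data; customer, client id, password and IPs are hypothetical.
CUSTOMER = "alice"
PASSWORD = "correct horse battery staple"
PASSWORD_HASH = hashlib.sha256(PASSWORD.encode()).hexdigest()  # toy hash, not a real KDF
BUDGET_APP = "budget-app-client"      # a registered OAuth client (hypothetical)
AGGREGATOR_IP = "198.51.100.10"      # RFC 5737 documentation addresses
ATTACKER_IP = "203.0.113.77"


@dataclass
class Bank:
    """Minimal bank supporting both connection methods and keeping one access log."""
    access_log: list = field(default_factory=list)
    auth_codes: dict = field(default_factory=dict)   # code  -> (client_id, scopes)
    tokens: dict = field(default_factory=dict)       # token -> (client_id, scopes)

    # Credential sharing: whoever presents the password *is* the customer.
    def password_login(self, user, password, source_ip):
        digest = hashlib.sha256(password.encode()).hexdigest()
        ok = user == CUSTOMER and hmac.compare_digest(digest, PASSWORD_HASH)
        # The only identity the bank can record is the customer's own username.
        self.access_log.append({"method": "password", "identity": user,
                                "ip": source_ip, "ok": ok})
        return ok  # True means unrestricted access: transactions, transfers, profile

    # OAuth-style: the customer approves a registered client for explicit scopes.
    def authorize(self, client_id, scopes):
        code = secrets.token_urlsafe(16)
        self.auth_codes[code] = (client_id, frozenset(scopes))
        return code

    def exchange_code(self, code, client_id):
        entry = self.auth_codes.pop(code, None)      # authorization codes are single-use
        if entry is None or entry[0] != client_id:   # code must belong to this client
            return None
        token = secrets.token_urlsafe(24)
        self.tokens[token] = entry
        return token

    def api_call(self, token, scope_needed, source_ip):
        client_id, scopes = self.tokens.get(token, (None, frozenset()))
        ok = scope_needed in scopes                  # only granted scopes are allowed
        # The bank logs *which client* acted and under *which scope*.
        self.access_log.append({"method": "oauth", "identity": client_id,
                                "scope": scope_needed, "ip": source_ip, "ok": ok})
        return ok

    def revoke(self, token):
        return self.tokens.pop(token, None) is not None


def credential_sharing_scenario():
    """Aggregator and attacker both hold the password; the log cannot tell them apart."""
    bank = Bank()
    aggregator_ok = bank.password_login(CUSTOMER, PASSWORD, AGGREGATOR_IP)
    attacker_ok = bank.password_login(CUSTOMER, PASSWORD, ATTACKER_IP)
    first, second = bank.access_log
    # Strip the source IP: it is not a party identity (both sides use server farms).
    strip = lambda e: {k: v for k, v in e.items() if k != "ip"}
    return {"aggregator_ok": aggregator_ok, "attacker_ok": attacker_ok,
            "indistinguishable": strip(first) == strip(second)}


def oauth_scenario():
    """Scoped, single-use-code, revocable access tied to a named client."""
    bank = Bank()
    code = bank.authorize(BUDGET_APP, ["transactions:read"])   # hypothetical scope name
    token = bank.exchange_code(code, BUDGET_APP)
    replay = bank.exchange_code(code, BUDGET_APP)              # reusing the code fails
    read_ok = bank.api_call(token, "transactions:read", AGGREGATOR_IP)
    transfer_ok = bank.api_call(token, "payments:write", AGGREGATOR_IP)  # never granted
    revoked = bank.revoke(token)
    read_after_revoke = bank.api_call(token, "transactions:read", AGGREGATOR_IP)
    return {"replay_rejected": replay is None, "read_ok": read_ok,
            "transfer_ok": transfer_ok, "revoked": revoked,
            "read_after_revoke": read_after_revoke,
            "acting_client": bank.access_log[0]["identity"]}


if __name__ == "__main__":
    print(credential_sharing_scenario())
    print(oauth_scenario())
```

The password path returns the same "ok" for the aggregator and for someone who has stolen the password, and the two log entries are identical apart from a source IP the bank cannot meaningfully attribute to anyone. The OAuth path records the client id on every call, refuses a scope the customer never granted, rejects a replayed authorization code, and stops working the moment the token is revoked, which is the "specific, limited permissions, revoke anytime, no credentials shared" model the rule was meant to require.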

Which apps are affected (and how they handle it)

Every budgeting app that connects to bank accounts is affected by this delay. But they’re not all in the same position.

Monarch Money uses Plaid for most connections. Where banks offer OAuth through Plaid, Monarch gets the benefit. For the rest, it’s screen scraping. Monarch’s recent AI and Goals 3.0 updates are impressive, but the underlying data connection hasn’t changed.

YNAB also relies on Plaid. YNAB has long offered manual transaction entry as an alternative, which sidesteps the security issue entirely, at the cost of convenience.

Copilot Money uses Plaid on iOS. Same situation. The app itself is polished, but it inherits whatever connection method Plaid negotiates with your bank.

Rocket Money (formerly Truebill) uses MX Technologies alongside Plaid for its connections. MX has been more aggressive about building direct bank integrations, but the coverage gaps remain.

Quicken Simplifi uses its own aggregation through Quicken’s legacy bank connections plus newer integrations. Results are mixed depending on your bank.

The common thread: every app is waiting for banks to build open APIs. Until that happens, they’re all working around the same broken system.

What you should do right now

You don’t have to stop using budgeting apps. But you should take some steps to reduce your exposure while we wait for the regulatory picture to clarify.

1. Check which connections use OAuth vs. screen scraping

In most apps, you can tell the difference by how you connected. If you were redirected to your bank’s own website to log in (like the familiar “Sign in with Google” flow), that’s OAuth. Your credentials stayed with your bank. If you typed your bank username and password directly into the app or a Plaid popup, that’s credential sharing.

Some banks have migrated to OAuth quietly. Disconnect and reconnect your accounts, and you might get an OAuth flow now where you didn’t before. Chase, Wells Fargo, and Capital One are the most likely to offer this.

2. Use a unique password for linked accounts

If you’re sharing credentials with an aggregator, at minimum make sure your bank password is unique. Not reused from any other service. Use a password manager. If the aggregator is breached, you don’t want that password unlocking anything else.

3. Enable all available MFA on your bank accounts

Turn on every multi-factor authentication option your bank offers. Hardware keys if supported. Authenticator apps over SMS. This doesn’t fully protect against aggregator-based access, but it adds friction for attackers who might obtain your credentials through a different path.

4. Consider manual entry for sensitive accounts

YNAB has always supported manual transaction entry. Monarch and Copilot do too. For your most sensitive accounts (primary checking, savings with large balances), consider entering transactions manually and only linking less critical accounts.

Yes, it’s more work. But it completely eliminates the credential-sharing risk for those accounts.

5. Monitor your linked accounts more closely

Set up transaction alerts directly through your bank (not through the budgeting app). Get notified of every transaction over a threshold you set. If an aggregator connection is compromised, you’ll spot unauthorized activity faster through your bank’s own alerts.

6. Review and revoke old connections

Log into Plaid’s portal at my.plaid.com. You can see every app that has access to your financial data through Plaid and revoke connections you no longer use. Old trial apps, services you canceled, things you forgot about. They may still have active access to your accounts.

What happens next with the rule

Honestly? Nobody knows. There are a few possible paths:

The CFPB reproposing a weaker rule. The bureau could issue a revised rule with longer timelines, narrower scope, or more bank-friendly terms. This could take another 1-2 years of rulemaking.

Congress stepping in. There’s bipartisan interest in open banking. It’s one of the rare financial regulation topics where both sides see benefits. A legislative fix could bypass the rulemaking process entirely, but Congress moves slowly on financial regulation.

Market forces doing the work. Plaid’s $8 billion valuation shows there’s serious money in data aggregation. Banks may build APIs voluntarily to reduce their own screen-scraping liability and improve customer experience. This is already happening at the largest banks, just unevenly.

Continued limbo. The most likely near-term outcome. The rule sits in legal uncertainty. Banks build APIs at their own pace. Some connections improve. Many don’t. Budgeting app users keep dealing with broken connections and credential sharing for years.

The bigger picture for your money

Here’s what frustrates me about this situation. The technology to fix this exists. OAuth and secure APIs are solved problems. Your bank already uses them for internal services. The UK implemented open banking years ago through its Open Banking Standard, and it works. Consumers there connect apps to their banks without sharing passwords.

The delay isn’t technical. It’s political and legal. Banks don’t want to be forced to share data with competitors. Fintechs want access on favorable terms. And consumers are stuck in the middle, handing over their most sensitive credentials because there’s no alternative.

If you’re managing your money with apps—and you should be, because the data shows that tracking spending changes behavior—just be smart about the risks. Use OAuth connections where available and keep your credentials unique and protected. Monitor your accounts through your bank’s own alerts. And hope that open banking eventually arrives in the US, even if it’s years behind schedule.

Your financial data belongs to you. It shouldn’t take a federal regulation to make that real. But apparently, it does. And that regulation isn’t coming as fast as anyone promised.


This post reflects the regulatory situation as of March 2026. The Section 1033 rule’s status may change as court proceedings and CFPB rulemaking develop. Verify current bank connection methods with your specific app and financial institution.