
FDX API (Financial Data Exchange)

Owned by:

Financial Data Exchange (FDX)

The FDX API is an industry-led open finance / open banking standard in the U.S. and Canada, stewarded by the Financial Data Exchange (FDX), a private non-profit organization with over 150 members. It enables consumer-permissioned access to financial data (accounts, transactions, product information) via a common API specification. 

In 2024, FDX was recognized by the U.S. Consumer Financial Protection Bureau (CFPB) as a standard-setting body, as part of their efforts to regulate open banking under the Personal Financial Data Rights rule, known as Section 1033. Although the Section 1033 rule was finalized and is currently law, it is being challenged in court and faces an uncertain future.

Financial Data Exchange (FDX), a non-profit consortium of banks, fintechs, data aggregators and consumer advocacy groups.

United States (with adoption in Canada via region-specific FDX working groups)

  • Data access is consumer-permissioned, with explicit user consent.
  • Tokens reflect the rights granted by the consumer, and are validated on each API call.
  • Consent flows include stages (consent → authentication → authorization) in line with OAuth2 practices. Use of FAPI is optional.
  • The API specification is modular and extensible (e.g. support for payroll data was added).
  • FDX aims for interoperability across institutions and common data standards.

Widely adopted in production usage. As of mid-2025, over 114 million customer connections are reported using FDX API.

Also, earlier versions (e.g. v6.0) introduced payroll endpoints, fraud notification, etc.

JSON

REST

  • JSON (primary payload format)
  • REST / HTTP APIs

Active API

Latest known release is FDX API v6.4, released Spring 2025. Earlier, v6.0 was released in December 2023.

  • Participants (banks, data providers, data recipients) must register with FDX and comply with FDX certification.
  • Reciprocal access is supported (i.e. data recipients should also be able to accept requests) under FDX governance (and in Canada is identified as a core principle).
  • Governance includes audit, logging, rate limiting, security controls.

Market Driven

To date, the FDX API has achieved standardisation via voluntary industry participation.
Technically it does, through Section 1033 of the Dodd-Frank Act, which is written into law, although there is an ongoing review.

Since Oct 22nd, 2024, U.S. open banking has been written into law as the Personal Financial Data Rights (PFDR) rule, based on Section 1033 of the Dodd-Frank Act. However, the law has faced legal challenges since its release, along with other significant headwinds stemming from major restructuring efforts at the CFPB.

  • Common API standard across multiple institutions
  • Extensible domains (accounts, transactions, payments, payroll, etc.)
  • Strong consent and security architecture (OAuth2, FAPI)
  • Emphasis on interoperability, modularity, user experience, data privacy
  • Formal certification process currently under development

Banking

Finance

  • Banking / financial data (accounts, transactions)
  • Payment initiation (as supported in FDX)
  • Consent management
  • Other domains being introduced, e.g. payroll data, identity data, etc.

FAPI 1

FAPI 2

OAuth

FAPI 1.0 Advanced Final

FAPI 2.0

  • Authentication: OAuth2, OpenID Connect, FAPI profiles (optional)
  • Authorization: via scopes, consent tokens
  • Token format & expiry: JWT tokens (or similar) with expiration and claims
  • Encryption / transport: TLS (latest versions) for API calls
  • Message integrity: Signature, or token-based integrity checks
  • Rate limiting / throttling: enforced by providers
  • Global runtime policies (logging, monitoring, alerting)

  • FDX (formerly DDA – Durable Data API) was publicly launched in 2018.
  • It evolved over versions (5.x, 6.x) to incorporate additional domains (e.g. payroll) and security enhancements.
  • It gained adoption over time across U.S. and Canadian banks and fintechs.

  • FDX’s Board and working groups oversee versioning, certification, standards
  • Compliance with audit, logging, liability frameworks
  • Although not a government agency, FDX has been recognized by the CFPB as a standard-setting body.

  • Providers must monitor infrastructure, API health, performance metrics
  • Logging, alerting, error handling, rate metrics
  • Incident response and recovery procedures
  • SLAs (service level agreements) between API providers and consumers are typically expected

  • Participants must comply with FDX certification and security requirements
  • Audits, logging, monitoring, incident management
  • Liability and escalation rules (though not legally mandated)

There is no U.S. federal statute that mandates open banking; rather, regulatory frameworks like the CFPB Personal Financial Data Rights (PFDR) rule, also known as Section 1033, provide a basis for consumer finance data access.