FDX API (Financial Data Exchange)

Financial Data Exchange (FDX), a non-profit consortium of banks, fintechs, data aggregators and consumer advocacy groups.

North America

• Data access is consumer-permissioned, with explicit user consent.

   

• Tokens reflect the rights granted by the consumer, and are validated on each API call.

   

• Consent flows include stages (consent → authentication → authorization) in line with OAuth2 practices. Use of FAPI is optional.

   

• The API specification is modular and extensible (e.g. support for payroll data was added).

   

• FDX aims for interoperability across institutions and common data standards.

Widely adopted in production usage. As of early 2026, the Financial Data Exchange reports that over 130 million consumer accounts are now connected via the FDX API, a significant increase from the 114 million reported in mid-2025.

Technically, the standard has matured to support a broad range of financial use cases. While v6.0 (December 2023) was a landmark release that introduced payroll endpoints and fraud notification capabilities, these features have been further refined in subsequent versions. Current releases (v6.4 and v6.5) have built upon this foundation by enhancing data clusters for tax reporting, insurance, and investment data, ensuring the API covers the full spectrum of ‘Open Finance’ beyond traditional banking.

• JSON (primary payload format)
  
• REST / HTTP APIs

As of January 2026, the current stable release of the FDX API is v6.5, which was launched in late 2025. This followed the release of v6.4 in the Spring of 2025, which focused on refining consumer consent management. Earlier, v6.0 served as a major foundational release in December 2023, establishing the core technical standards required for alignment with Section 1033 data rights.

• Participants (banks, data providers, data recipients) are encouraged to use FDX based on broad market adoption. Regulatory mandates are still pending in the United States and Canada (see above).
• Reciprocal access is supported (i.e. data recipients should also be able to accept requests) under FDX governance (and in Canada is identified as a core principle).
  
• Governance includes audit, logging, rate limiting, security controls.

To date, the standardization of the FDX API has been achieved primarily through voluntary industry participation and market-led adoption. While the Personal Financial Data Rights (PFDR) rule—finalized by the CFPB on October 22, 2024—aimed to codify these standards under Section 1033 of the Dodd-Frank Act, its implementation has been significantly disrupted. Meanwhile in Canada, the Consumer-Driven Banking Act is not yet in force.

Consequently, while the FDX API serves as the industry’s technical foundation, its transition from a voluntary standard to a federally mandated one remains in a state of legal and political limbo.

• Common API standard across multiple institutions
  
• Extensible domains (accounts, transactions, payments, payroll, etc.)
  
• Strong consent and security architecture (OAuth2, FAPI)
  
• Emphasis on interoperability, modularity, user experience, data privacy

• Banking / financial data (accounts, transactions)

   

• Payment initiation (as supported in FDX)

   

• Consent management

   

• Other domains being introduced, e.g. payroll data, identity data, etc.

• Authentication: OAuth2, OpenID Connect, FAPI profiles (optional)

   

• Authorization: via scopes, consent tokens

   

• Token format & expiry: JWT tokens (or similar) with expiration and claims

   

• Encryption / transport: TLS (latest versions) for API calls

   

• Message integrity: Signature, or token-based integrity checks

   

• Rate limiting / throttling: enforced by providers

   

• Global runtime policies (logging, monitoring, alerting)

• FDX provides developer portal, spec browser, certification guide, sample YAML / OpenAPI specs developer.financialdataexchange.org+2financialdataexchange.org+2

   

• Documentation, SDKs, community working groups

• Foundation and Launch (2018): * Financial Data Exchange (FDX) was officially launched in October 2018 as a non-profit consortium.

  • It was formed to unify the industry under a single standard, successfully merging the DDA (Durable Data API)—originally developed by FS-ISAC—and the Open Financial Exchange (OFX) heritage into one unified roadmap.

• Version Evolution (v5.x to v6.x):

  • The 5.x Era: Focused on the core “Open Banking” transition, moving the industry away from screen scraping toward stable API connections for checking, savings, and credit card accounts.

  • The 6.x Era (2023–2025): Landmark releases (v6.0 through v6.5) expanded the API into “Open Finance.” These versions introduced critical new domains like payroll (for income verification), tax data, insurance, and investment/wealth management.

• Security Advancements:

  • Over time, FDX phased out older security models in favor of the Financial-grade API (FAPI) security profile. By 2026, FAPI 1.0 became a requirement for certification, with the ecosystem currently migrating toward FAPI 2.0.

• Market Adoption in U.S. and Canada:

  • What began as a small group of founding members has grown to over 250 organizations by 2026.

  • While the U.S. market was the initial driver, FDX Canada has become a distinct and powerful branch, aligning the standard with the Canadian government’s move toward “Consumer-Directed Finance.”

• Regulatory Recognition (2024–2026):

  • In late 2024, FDX reached a historical milestone when it was positioned as the lead candidate for the CFPB’s official Standard-Setting Body (SSB) under Section 1033. Despite the 2025/2026 judicial stay on the Section 1033 rule, FDX remains the primary historical benchmark for legal data access in North America.

• FDX’s Board and working groups oversee versioning, certification, standards

   

• Compliance with audit, logging, liability frameworks

   

• Although not a government agency, FDX has been recognized by the CFPB as a standard-setting body.

• Providers must monitor infrastructure, API health, performance metrics

   

• Logging, alerting, error handling, rate metrics

   

• Incident response and recovery procedures

   

• SLAs (service level agreements) between API providers and consumers are typically expected

Participants must adhere to strict security standards, including FAPI 1.0/2.0 and OAuth2 protocols. While specific liability and escalation rules were traditionally governed by private bilateral contracts, they are now being standardized through the FDX Model Provider Agreement and are expected to align with the CFPB’s finalized (though currently stayed) liability protections for consumer data rights.

There is no standalone U.S. federal statute that explicitly mandates ‘open banking’ by name. Instead, the legal mandate is derived from Section 1033 of the Dodd-Frank Act, which the CFPB utilized to finalize the Personal Financial Data Rights rule in late 2024. However, as of early 2026, the implementation of this mandate is legally stalled; the rule is currently under a judicial stay pending a court decision on whether the CFPB exceeded its statutory authority. While the regulatory framework remains the primary path toward a mandatory system, the U.S. currently relies on a market-led transition to APIs—primarily through the FDX standard—while the legal future of the CFPB’s mandate remains uncertain.