The Consumer Financial Protection Bureau (CFPB) in the United States finalised the Personal Financial Data Rights rule on 22 October 2024. The rule is specifically targeted at open banking in the United States, and its mission is to allow consumers to access their financial data and share that data with third parties.
In this article, we explore the implications for financial consumers, fintech companies, and financial institutions, and what they now need to do.
Who is the CFPB?
The Consumer Financial Protection Bureau (CFPB) is a government agency created by the Dodd-Frank Act to protect people who use financial products and services, including bank accounts, loans and credit cards. The Dodd-Frank Act was passed by the US Congress in 2010 following the 2007-2008 financial crisis to ensure a safer financial system. The CFPB’s role is to ensure that banks follow these rules.
Section 1033 of the Dodd-Frank Act grants consumers the right to access their financial data, including account details, transactions, and balances. The CFPB has the authority to issue rules governing these data rights. Since 2016, the CFPB has been working on implementing Section 1033, including publishing consumer protection principles and holding panels on financial data access.
What is 1033 in Open Banking?
Section 1033 of the Dodd-Frank Act is specifically targeted at open banking in the United States. It allows consumers to access their financial data and share that data with third parties.
The CFPB’s rule obliges banks, third-parties and aggregators to protect personal financial data from unauthorised access and data breaches, both through the adoption of secure API protocols as well as via appropriate data governance processes.
The goal of Section 1033 is to make banking more transparent, in turn driving more competition and innovation in the financial ecosystem. It helps consumers find better financial products and services, make smarter financial decisions, and have more control over their financial information.
What does the Personal Financial Data Rights rule control?
The rule has established a framework for secure, standardised data sharing through APIs, empowering consumers to control their financial data. The rule requires financial institutions and certain payment facilitators to make data accessible to consumers and authorised third parties, promoting competition and innovation in financial services while enhancing consumer protections.
Types of Data Providers
A data provider is any institution that offers a deposit account (Reg E), a credit card (Reg Z), or can facilitate a payment from either of these two, such as a digital wallet.
Under the CFPB’s 1033 open banking rule, data providers must make the following types of financial data available via API:
Account Information & Balances
Account information, including account numbers and types, and respective balances. Account types in scope include credit, debit, prepaid and deposit accounts.
Transaction Histories
Records of all deposits, withdrawals, and purchases made through customers’ bank accounts for at least the preceding 24 months.
Payment Initiation Information
Information necessary to initiate a payment from an account using electronic fund transfers (EFTs), prepaid accounts and gift cards/certificates.
Bill Information
Details about bills, including those historically paid and those scheduled to be paid in the future, including payee information.
Account Verification Information
Basic account verification information associated with the consumer’s financial accounts, such as name, address, and contact information (but not date of birth).
Terms and Conditions
Information about account types and products, including applicable fee schedules, reward programmes and annual percentage rates.
Together, these data types give consumers a comprehensive view of their financial position, and sharing them with authorised third parties is what delivers the financial benefit to individual consumers and improved financial health for the economy as a whole.
How does the rule impact Banks, Financial Institutions, Fintech Companies and Data Aggregators?
The CFPB has defined distinct compliance requirements for Banks and Financial Institutions, Fintech Companies and Data Aggregators.
Banks and Financial Institutions
The Section 1033 open banking standard has changed how banks and financial institutions handle customer data. Banks must now allow their customers to use secure application programming interfaces (APIs), based on a qualified industry standard, to share data safely with third-party apps and services at no cost.
They are required to protect customer data from unauthorised access and data breaches. Before granting a third party access to consumer data, banks must obtain clear consent from the customer, explain what data is collected and how it is used, and validate the identity of both the consumer and the third party as part of the request. They must provide developer portals for their APIs, including documentation and support mechanisms. Banks must also prepare for regular audits and reporting to the CFPB to demonstrate compliance with the 1033 open banking standards, which means maintaining detailed records of data access and sharing activities.
Data Aggregators
Under the CFPB’s rule, Data Aggregators (companies that collect and organise financial data for third-party applications) must follow strict security measures to protect consumer data and ensure it is shared only with authorised third-party services. This introduces specific requirements for Third-Party Risk Management (TPRM) which will significantly impact banks, aggregators and third parties alike, meaning all parties will need to work together to provide a seamless and secure data-sharing experience for consumers.
Fintech Companies
Fintech companies are able to access consumers’ financial data through secure, standards-based APIs; however, they are required to get clear consent from consumers before accessing their data, ensuring users are aware of what data is being shared and why.
There must be clear mechanisms to revoke that consent at any time, and the consent must be renewed every 12 months. When the status of a consent is changed, a notification must be broadcast to all affected data providers. Fintechs or other third-parties cannot collect any more data than is necessary, and cannot use that data to advertise, cross-sell or for any other secondary use. They are also required to follow strict security rules to protect data from unauthorised access and breaches, and must keep detailed records.
What are the compliance deadlines?
The CFPB has created a tiered timeline of compliance dates, varying depending on the type of company and its assets, ranging from X months to X years, making it extremely important that companies stay well-informed of the most current information.
The tiers below give the finalised timeline for compliance, counted from the date the rule was implemented:
Tier One
Depository Institutions: >$250B in total assets
Non-Depository Institutions: >$10B in total receipts in either calendar year 2023 or calendar year 2024
Compliance deadline: 1 April 2026
Tier Two
Depository Institutions: >$10B and <$250B in total assets
Non-Depository Institutions: <$10B in total receipts in both calendar year 2023 and calendar year 2024
Compliance deadline: 1 April 2027
Tier Three
Depository Institutions: >$3B and <$10B in total assets
Compliance deadline: 1 April 2028
Tier Four
Depository Institutions: >$1.5B and <$3B in total assets
Compliance deadline: 1 April 2029
Final Tier
Depository Institutions: >$850M and <$1.5B in total assets
Compliance deadline: 1 April 2030
Challenges Banks and Fintech Companies may face under section 1033
Managing Consent
Users may be concerned about their data being shared. Providing clear information about what data is being shared, who it is being shared with, and what it is being used for will build trust with consumers. Offering easy-to-use controls and mechanisms for managing or revoking the consent to share their data will further improve adoption and drive consumer benefits.
Technical Integration
Banks need to create secure APIs for sharing data with third-parties, based on a consensus standard. Although the CFPB has not explicitly named a standard, it is very likely to be the FDX API from the Financial Data Exchange (FDX), coupled with security protocols from the OpenID Foundation (OIDF) as adopted in other regions. This requires a great deal of specialised technical skills and resources.
Cost and Resource Allocation
Setting up security measures, APIs, and compliance processes can be expensive. Companies need to budget ahead to be ready for the CFPB’s final rule. Looking ahead, they must also recognise that adding developer interfaces such as APIs and portals is akin to adding a new channel, and will therefore require continuous improvement and investment. Rather than treating this as a compliance exercise, firms should see it as a beginning.
How can Ozone API help?
Partnering with Ozone API is the easiest route for banks and financial institutions to achieve compliance with Section 1033, while laying the foundation for a future-ready open banking strategy.
As a first step, the Ozone API platform quickly and simply helps any bank implement high performing, standards-compliant APIs to ensure ongoing open banking compliance. We then help you go beyond compliance by providing industry leading security and value adding API sets to create new revenue streams and deliver an enhanced consumer data-sharing experience.
Our solutions are proven with banks globally and are designed to ensure fast and simple integration with your existing technology. With Ozone API, you can truly unlock the power of open finance.
Contact Information
If you’re confused about what this ruling means for you, or you want to remove the complexity of implementing an open banking API, we’re here to help. Speak to our General Manager in North America about how Ozone API can help: Book a call with Eyal Sivan here.