A new era in financial services is about to begin with the U.S. Consumer Financial Protection Bureau (CFPB) expected to finalize the Personal Financial Data Rights rule this fall, giving consumers greater access to their data. This rule will dramatically change the way consumers, financial institutions and fintechs interact with financial data. At Yodlee, we’ve been anticipating this rule for several years and look forward to helping our customers make the most of the data-driven opportunities that this rule brings. Our intuitive platform is built for open banking, offering reliable access to consumer-permissioned financial data to securely power your innovation needs.
What is the CFPB Section 1033 rule?
The upcoming Personal Financial Data Rights rule, or open banking rule, which is Section 1033 of the Dodd-Frank Act, requires financial institutions and certain payment facilitators to make financial data available to consumers and authorized third-party data recipients.
What is the Dodd-Frank Act?
The Dodd-Frank Wall Street Reform and Consumer Protection Act, commonly known as the Dodd-Frank Act, was signed into law in 2010 in response to the 2008 financial crisis. It introduced significant changes to financial regulation in the United States, aiming to prevent another major financial crisis and protect consumers.
What is the CFPB?
A specific part of the Dodd-Frank Act, the Consumer Financial Protection Act (CFPA) established the Consumer Financial Protection Bureau, an independent federal agency tasked with protecting consumers in the financial sector by regulating financial service companies.
The CFPB proposed to implement Section 1033 to establish uniform standards and regulations for data access and data sharing and enhance security and privacy by giving individuals the power to share their financial data with the third parties of their choosing. The final rule under Section 1033 is designed to foster innovation and facilitate the delivery of new individualized data-driven products and services.
Yodlee believes that once approved, Section 1033 will:
- Strengthen Consumer Rights: The rule will give consumers more control over their financial data and establish clearer rights on how it’s collected, used and stored
- Drive Standardization: The rule will require banks to share data via standardized, secure application programming interfaces (APIs). Participants looking to access and share consumer data will be required to subscribe to a CFPB approved Standard Setting Organization (SSO).
- Increase Choice: Consumers will be put back at the heart of financial services with access to more individualized products and services tailored to meet their needs
- Boost Innovation: Increased access to consumer data will encourage competition and innovation in financial services
- Increase Efficiency: The time users spend on connecting to their data drops by 50 seconds when connecting via open banking APIs vs the traditional method of connecting via credentials (like user name and password) 1
- Maximize Resiliency: Banking websites using open banking APIs demonstrate higher reliability, with uptime rates between 96% and 99%, compared to screen scraping methods which show more variable performance ranging from 87% to 98% uptime1
With efficient and reliable open banking connections, Section 1033 paves the way for a more transparent, competitive, and technologically advanced financial sector.
What types of data will be shared under 1033?
The proposed 1033 rule defines specific types of data that financial service providers, including card issuers and banks, must make accessible upon request. This data includes:
Transaction information, including historical data (at least 24 months)
- Account balances
- Terms and conditions such as fee schedules, rates, overdraft coverage, and rewards program terms
- Upcoming bill information
- Basic account verification information (limited to the name, address, email address, and phone number associated with the consumer financial product or service)
Exceptions to the rule
The Consumer Financial Protection Bureau (CFPB) proposed four exceptions to the 1033 rule:
- Confidential commercial information, including an algorithm used to derive credit scores or other risk scores or predictors
- Information collected for preventing fraud or money laundering, or detecting or making any report regarding other unlawful or potentially unlawful conduct
- Information required to be kept confidential by other law provisions of law
- Information that a data provider cannot retrieve in the ordinary course of business
These exceptions are designed to protect sensitive information from being shared or compromised.
Who Does Section 1033 Impact?
Rule 1033 encompasses these financial industry participants:
- Consumers – those who benefit from increased access to financial products and services and greater control over their personal financial data
- Data providers – financial institutions, issuers of consumer credit cards, and some payment facilitators
- Third-party data recipients – fintechs and financial institutions acting on consumers’ behalf as data recipients, and data aggregators acting on consumers’ behalf
- Qualified industry standard setting organizations – CFPB-recognized issuers of fair, open, and inclusive industry standards
Hear how Section 1033 can build trust in the financial industry and improve consumer banking.
CFPB 1033 compliance: Leveraging open banking technology
Open banking is the collaborative model where financial data is shared and accessed through application programming interfaces (APIs). The proposed 1033 rule supports open banking by requiring data providers to make certain data available to authorized third parties via APIs. These APIs enable consumers to connect their bank accounts with payment apps, investment platforms, budgeting tools, and other apps and services of their choosing.
At the heart of this transformative landscape is the FDX (Financial Data Exchange), a non-profit industry body committed to ensuring that data sharing is easy, safe, and standardized. FDX has created a common API that will align with the 1033 rule for sharing financial data between financial institutions, data aggregators, and third-party applications.
How do I prepare for Rule 1033?
Achieving compliance with Section 1033 will take time. Financial institution data providers will have to decide whether to build APIs on their legacy infrastructure or outsource the task. They’ll have to address areas like consent management, information security, third-party risk management, and more. Third-party data recipients will also have a number of requirements to meet.
Implications of CFPB 1033 for Financial Institutions
Under Rule 1033, it’s expected that data providers will have to:
- Make data available upon request in electronic form with access to applicable interfaces
- Establish and maintain consumer and developer interfaces
- Respond to requests from consumers to make data available
- Prohibit fees or charges in connection with establishing or maintaining interfaces or data requests
- Make certain information and disclosures readily identifiable to the public
- Establish written policies and procedures designed to achieve the rule’s objectives
It’s expected that authorized third parties will have to:
- Capture authorization and permissions from consumers and provide authorization disclosures
- Establish, maintain, periodically review, and update policies and procedures to ensure that data is accurately transmitted
- Ensure that consumers can easily revoke access to their financial data at any time
- Apply an information security program that satisfies section 501 of the Gramm Leach Bliley Act for the collection, use, and retention of data
- Provide evidence that data usage is limited only to what Section 1033 permits and that consumer consent was received during authorization.
- Contractually require other third parties to comply with certain obligations
When will Rule 1033 take effect?
While the CFPB hasn’t given an exact date, it’s likely that Section 1033 will be finalized toward the end of 2024. The rule will become effective just 60 days after it’s finalized, which makes it critical for third parties to be prepared, A lack of compliance could mean losing access to data under the proposed rule.
Banks and other institutions will have between six months and four years to comply after the rule is finalized, based on their size and assets. Non-deposit institutions will have six or 12 months, depending on annual revenue.
Industry banking groups have indicated that they need more time to implement the rule and sent a letter to the CFPB asking for at least two years to comply. While we don’t know if the timeline will be revised, staying on top of changing legislation and timelines is key.
How can Envestnet | Yodlee help with 1033?
Fortunately, third parties don’t have to face 1033 requirements alone. Under the rule, you can work with a data aggregator like Envestnet | Yodlee to help meet upcoming requirements.
In addition to helping third party fintechs and other innovators, our open banking platform helps financial institutions deliver personalized digital experiences to their customers by providing secure access to consumer permissioned financial data and insights that our trusted and open ecosystem provides.
We have the open banking architecture and business practices already in place, and we’ve long supported open banking compliant data security, transparency, and privacy practices. We’re here to help you seamlessly connect to financial data, navigate the evolving regulatory landscape, and leverage all the benefits of the Personal Financial Data Rights Rule Section 1033.
Want to discuss how we can help with Rule 1033 and open banking? Contact us!
DISCLAIMER
All information and material on this website is provided for general informational purposes only. The information presented does not, and is not intended to, constitute legal advice and cannot substitute for the advice of counsel. You should not act or refrain from acting based on any information provided on this website. Information on this website may not constitute the most up-to-date information. Please contact your own legal counsel to obtain advice with respect to any particular legal matter or questions.
More Open Banking Resources
Watch the webinar: Opportunities and Challenges of Open Banking in Wealth Management
Read about banking policy developments around the world
Explore and join the Financial Data Exchange
[FOOTNOTE]
1 Source: Envestnet l Yodlee Open Banking Success Metrics Study July 2023