Understanding the CFPB Section 1033 Rule: A Comprehensive Guide

A new era in financial services is about to begin with the U.S. Consumer Financial Protection Bureau (CFPB) expected to finalize the Personal Financial Data Rights rule this fall, giving consumers greater access to their data. This rule will dramatically change the way consumers, financial institutions and fintechs interact with financial data. At Yodlee, we’ve been anticipating this rule for several years and look forward to helping our customers make the most of the data-driven opportunities that this rule brings. Our intuitive platform is built for open banking, offering reliable access to consumer-permissioned financial data to securely power your innovation needs.

What is the CFPB Section 1033 rule?

The upcoming Personal Financial Data Rights rule, or open banking rule, which is Section 1033 of the Dodd-Frank Act, requires financial institutions and certain payment facilitators to make financial data available to consumers and authorized third-party data recipients.

What is the Dodd-Frank Act?

The Dodd-Frank Wall Street Reform and Consumer Protection Act, commonly known as the Dodd-Frank Act, was signed into law in 2010 in response to the 2008 financial crisis. It introduced significant changes to financial regulation in the United States, aiming to prevent another major financial crisis and protect consumers.

What is the CFPB?

A specific part of the Dodd-Frank Act, the Consumer Financial Protection Act (CFPA), established the Consumer Financial Protection Bureau, an independent federal agency tasked with protecting consumers in the financial sector by regulating financial service companies.

The CFPB proposed to implement Section 1033 to establish uniform standards and regulations for data access and data sharing and enhance security and privacy by giving individuals the power to share their financial data with the third parties of their choosing.
The final rule under Section 1033 is designed to foster innovation and facilitate the delivery of new individualized data-driven products and services.

Yodlee believes that once approved, Section 1033 will:

- Strengthen Consumer Rights: The rule will give consumers more control over their financial data and establish clearer rights on how it’s collected, used and stored.
- Drive Standardization: The rule will require banks to share data via standardized, secure application programming interfaces (APIs). Participants looking to access and share consumer data will be required to subscribe to a CFPB-approved Standard Setting Organization (SSO).
- Increase Choice: Consumers will be put back at the heart of financial services with access to more individualized products and services tailored to meet their needs.
- Boost Innovation: Increased access to consumer data will encourage competition and innovation in financial services.
- Increase Efficiency: The time users spend on connecting to their data drops by 50 seconds when connecting via open banking APIs vs the traditional method of connecting via credentials (like user name and password). [1]
- Maximize Resiliency: Banking websites using open banking APIs demonstrate higher reliability, with uptime rates between 96% and 99%, compared to screen scraping methods which show more variable performance ranging from 87% to 98% uptime. [1]

With efficient and reliable open banking connections, Section 1033 paves the way for a more transparent, competitive, and technologically advanced financial sector.

What types of data will be shared under 1033?

The proposed 1033 rule defines specific types of data that financial service providers, including card issuers and banks, must make accessible upon request.
This data includes:

- Transaction information, including historical data (at least 24 months)
- Account balances
- Terms and conditions such as fee schedules, rates, overdraft coverage, and rewards program terms
- Upcoming bill information
- Basic account verification information (limited to the name, address, email address, and phone number associated with the consumer financial product or service)

Exceptions to the rule

The Consumer Financial Protection Bureau (CFPB) proposed four exceptions to the 1033 rule:

- Confidential commercial information, including an algorithm used to derive credit scores or other risk scores or predictors
- Information collected for preventing fraud or money laundering, or detecting or making any report regarding other unlawful or potentially unlawful conduct
- Information required to be kept confidential by other provisions of law
- Information that a data provider cannot retrieve in the ordinary course of business

These exceptions are designed to protect sensitive information from being shared or compromised.

Who Does Section 1033 Impact?

Rule 1033 encompasses these financial industry participants:

- Consumers – those who benefit from increased access to financial products and services and greater control over their personal financial data
- Data providers – financial institutions, issuers of consumer credit cards, and some payment facilitators
- Third-party data recipients – fintechs and financial institutions acting on consumers’ behalf as data recipients, and data aggregators acting on consumers’ behalf
- Qualified industry standard setting organizations – CFPB-recognized issuers of fair, open, and inclusive industry standards

CFPB 1033 compliance: Leveraging open banking technology

Open banking is the collaborative model where financial data is shared and accessed through application programming interfaces (APIs).
The proposed 1033 rule supports open banking by requiring data providers to make certain data available to authorized third parties via APIs. These APIs enable consumers to connect their bank accounts with payment apps, investment platforms, budgeting tools, and other apps and services of their choosing.

At the heart of this transformative landscape is the FDX (Financial Data Exchange), a non-profit industry body committed to ensuring that data sharing is easy, safe, and standardized. FDX has created a common API that will align with the 1033 rule for sharing financial data between financial institutions, data aggregators, and third-party applications.

How do I prepare for Rule 1033?

Achieving compliance with Section 1033 will take time. Financial institution data providers will have to decide whether to build APIs on their legacy infrastructure or outsource the task. They’ll have to address areas like consent management, information security, third-party risk management, and more. Third-party data recipients will also have a number of requirements to meet.

Implications of CFPB 1033 for Financial Institutions

Under Rule 1033, it’s expected that data providers will have to:

- Make data available upon request in electronic form with access to applicable interfaces
- Establish and maintain consumer and developer interfaces
- Respond to requests from consumers to make data available
- Prohibit fees or charges in connection with establishing or maintaining interfaces or data requests
- Make certain information and disclosures readily identifiable to the public
- Establish written policies and procedures designed to achieve the rule’s objectives

It’s expected that authorized third parties will have to:

- Capture authorization and permissions from consumers and provide authorization disclosures
- Establish, maintain, periodically review, and update policies and procedures to ensure that data is accurately transmitted
- Ensure that consumers can easily revoke access to their financial data at any time
- Apply an information security program that satisfies section 501 of the Gramm-Leach-Bliley Act for the collection, use, and retention of data
- Provide evidence that data usage is limited only to what Section 1033 permits and that consumer consent was received during authorization
- Contractually require other third parties to comply with certain obligations

When will Rule 1033 take effect?

While the CFPB hasn’t given an exact date, it’s likely that Section 1033 will be finalized toward the end of 2024. The rule will become effective just 60 days after it’s finalized, which makes it critical for third parties to be prepared. A lack of compliance could mean losing access to data under the proposed rule.

Banks and other institutions will have between six months and four years to comply after the rule is finalized, based on their size and assets. Non-deposit institutions will have six or 12 months, depending on annual revenue.

Industry banking groups have indicated that they need more time to implement the rule and sent a letter to the CFPB asking for at least two years to comply. While we don’t know if the timeline will be revised, staying on top of changing legislation and timelines is key.

How can Yodlee help with 1033?

Fortunately, third parties don’t have to face 1033 requirements alone. Under the rule, you can work with a data aggregator like Yodlee to help meet upcoming requirements.

In addition to helping third-party fintechs and other innovators, our open banking platform helps financial institutions deliver personalized digital experiences to their customers by providing secure access to consumer-permissioned financial data and insights that our trusted and open ecosystem provides.

We have the open banking architecture and business practices already in place, and we’ve long supported open banking-compliant data security, transparency, and privacy practices.
We’re here to help you seamlessly connect to financial data, navigate the evolving regulatory landscape, and leverage all the benefits of the Personal Financial Data Rights Rule Section 1033.

Want to discuss how we can help with Rule 1033 and open banking? Contact us!

DISCLAIMER

All information and material on this website is provided for general informational purposes only. The information presented does not, and is not intended to, constitute legal advice and cannot substitute for the advice of counsel. You should not act or refrain from acting based on any information provided on this website. Information on this website may not constitute the most up-to-date information. Please contact your own legal counsel to obtain advice with respect to any particular legal matter or questions.

[1] Source: Yodlee Open Banking Success Metrics Study July 2023