top of page
Heading 6

Section 1033 and US Open Banking Regulation

Navigating CFPB's Section 1033

As a senior leader at a US-based financial institution, you've likely heard of CFPB's Section 1033 ruling. This regulation, also called Personal Financial Data Rights, promises to provide consumers with the ability to export their financial data from their financial institutions, and requires financial institutions to provide Appication Programming Interfaces (APIs) for data sharing.

You may be asking yourself, is your financial institution required to comply? What are the timelines and requirements? What are the options to meet these requirements? This is your comprehensive guide to get started.

What is the CFPB?

The Consumer Financial Protection Bureau (CFPB) is a regulatory agency established in 2010 as part of the Dodd-Frank Wall Street Reform and Consumer Protection Act. Its primary mission is to protect consumers in the financial sector by ensuring that financial institutions operate fairly and transparently. The CFPB oversees a wide range of financial products and services, including mortgages, credit cards, and student loans.

The CFPB plays a crucial role in maintaining the integrity of the financial system by enforcing laws and regulations that safeguard consumers. It provides a platform for consumers to voice complaints and ensures that financial institutions adhere to ethical practices.

Origins of Section 1033

Section 1033 of the Dodd-Frank Act was established to empower consumers by granting them greater access to their financial data. This section mandates that financial institutions provide consumers with their account information in a usable electronic machine-readable format (APIs), enabling consumers to share their data with third-party financial service providers in a secure, permissioned way.

Compliance Dates

Financial institutions required to comply with Section 1033 are segmented into four tiers. The lagest financial institutions will be required to meet requirements within 6 months of ruling from the expected ruling date of October 2024. 

Financial institutions that hold covered consumer accounts but have not established a consumer interface are exempt from providing APIs under Section 1033. CFPB estimates that only 0.64% of financial institutions in the US meet this exemption. Data providers that stopped providing a consumer interface will not be exempt.

Section 1033 Requirements

The highlights of CFPB's Section 1033 requirements are summarized below.

Account Types

Regulation E: Checking and Savings.

Regulation Z: Credit cards. Additional accounts that may be covered under Regulation Z are prepaid cards, government benefits, payment services.

Scope of Data

Two (2) years of historical data must be provided. Data scope includes:​

  • Account balances

  • Transactions

  • Payments

  • Terms & Conditions (including interest rates, annual percentage rates, fee schedule)

  • Bill Payments

  • Verification Info

Consumer Consent

Explicit consumer consent must be obtained before sharing data with third parties. Consumers must be informed of the data being shared, the third party the data is shared with, the purpose of sharing the data, and how long the third party will have access to the data.

Developer Interfaces (APIs)

APIs conforming to an industry standard that is officially recognized by the CFPB must be provided by financial institutions. API SLAs must include 99.5% availability and a response time under 3.5 seconds.

Security and Privacy

Third parties requesting access to consumer data must go through a rigorous onboarding process. Agreements must be maintained with third party recipients and security reviews must be conducted. This is also known as Third Party Risk Management (TPRM).

Accuracy and Accountability

Data providers must ensure data accuracy, must maintain a record of the third parties accessing consumer data and of the intended use of the data. Data providers are accountable for the proper handling and sharing of data, and must address any misuse of the data.

Dispute Resolution

Data providers must provide channels for dispute resolution in the event of data inaccuracies or unauthorized access of data.

Compliance and Reporting

Data providers must ensure ongoing compliance with CFPB's Section 1033 requirements and any additional related requirements that CFPB introduces.

Next Steps for Financial Institutions
Section 1033 Workshops

1033 Compliance Timelines.png
bottom of page