Section 1033 and US Open Banking Regulation
Navigating CFPB's Section 1033
As a senior leader at a US-based financial institution, you've likely heard of CFPB's Section 1033 ruling. This regulation, also called Personal Financial Data Rights, promises to give consumers the ability to export their financial data from their financial institutions, and requires financial institutions to provide Application Programming Interfaces (APIs) for data sharing.
​
You may be asking yourself, is your financial institution required to comply? What are the timelines and requirements? What are the options to meet these requirements? This is your comprehensive guide to get started.
​
What is the CFPB?
The Consumer Financial Protection Bureau (CFPB) is a regulatory agency established in 2010 as part of the Dodd-Frank Wall Street Reform and Consumer Protection Act. Its primary mission is to protect consumers in the financial sector by ensuring that financial institutions operate fairly and transparently. The CFPB oversees a wide range of financial products and services, including mortgages, credit cards, and student loans.
​
The CFPB plays a crucial role in maintaining the integrity of the financial system by enforcing laws and regulations that safeguard consumers. It provides a platform for consumers to voice complaints and ensures that financial institutions adhere to ethical practices.
​
Origins of Section 1033
Section 1033 of the Dodd-Frank Act was established to empower consumers by granting them greater access to their financial data. This section mandates that financial institutions provide consumers with their account information in a usable, machine-readable electronic format (via APIs), enabling consumers to share their data with third-party financial service providers in a secure, permissioned way.
​
Compliance Dates
Financial institutions required to comply with Section 1033 are segmented into four tiers. The largest financial institutions will be required to meet the requirements within 6 months of the final rule, which is expected in October 2024.

Financial institutions that hold covered consumer accounts but have not established a consumer interface are exempt from providing APIs under Section 1033. CFPB estimates that only 0.64% of financial institutions in the US meet this exemption. Data providers that stopped providing a consumer interface will not be exempt.
​
Section 1033 Requirements
The highlights of CFPB's Section 1033 requirements are summarized below.
​
Account Types
Regulation E: Checking and Savings.
Regulation Z: Credit cards. Additional accounts that may be covered under Regulation Z are prepaid cards, government benefits, and payment services.
​
Scope of Data
Two (2) years of historical data must be provided. Data scope includes:
- Account balances
- Transactions
- Payments
- Terms & Conditions (including interest rates, annual percentage rates, fee schedule)
- Bill Payments
- Verification Info
​
Consumer Consent
Explicit consumer consent must be obtained before sharing data with third parties. Consumers must be informed of the data being shared, the third party the data is shared with, the purpose of sharing the data, and how long the third party will have access to the data.
​
Developer Interfaces (APIs)
APIs conforming to an industry standard that is officially recognized by the CFPB must be provided by financial institutions. API SLAs must include 99.5% availability and a response time under 3.5 seconds.
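As an added illustration (not code from this page or from any vendor), the following Python checks a constructed API request log against the two SLA figures stated above. The log format, the endpoint names, and the rule that a 5xx response or a response slower than the limit counts against availability are this example's own assumptions, not definitions taken from the regulation.

```python
"""Evaluate constructed API request logs against the SLA figures named above.

Added example; the log format and the availability rule are assumptions of this
example, not the rule's definitions.
"""
from dataclasses import dataclass
from typing import Dict, List

AVAILABILITY_TARGET = 0.995   # 99.5% availability, as stated on the page
RESPONSE_TIME_LIMIT_S = 3.5   # response time under 3.5 seconds, as stated on the page

# Constructed sample log (not real traffic): timestamp, endpoint, HTTP status, latency in seconds
SAMPLE_LOG = """\
2025-03-01T10:00:00Z /accounts 200 0.412
2025-03-01T10:00:01Z /accounts 200 0.380
2025-03-01T10:00:02Z /transactions 200 1.950
2025-03-01T10:00:03Z /transactions 503 0.010
2025-03-01T10:00:04Z /accounts 200 0.401
2025-03-01T10:00:05Z /transactions 200 4.200
2025-03-01T10:00:06Z /accounts 200 0.395
2025-03-01T10:00:07Z /transactions 200 2.100
2025-03-01T10:00:08Z /accounts 200 0.377
2025-03-01T10:00:09Z /accounts 200 0.390
"""


@dataclass
class Request:
    endpoint: str
    status: int
    latency_s: float

    @property
    def successful(self) -> bool:
        # Assumption of this example: a request only counts as "available" if the server
        # answered without a 5xx error AND within the response-time limit. A slow success
        # is therefore treated as unavailability rather than as a separate metric.
        return self.status < 500 and self.latency_s <= RESPONSE_TIME_LIMIT_S


def parse_log(text: str) -> List[Request]:
    """Parse the constructed whitespace-separated log format into Request objects."""
    requests = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _timestamp, endpoint, status, latency = line.split()
        requests.append(Request(endpoint, int(status), float(latency)))
    return requests


@dataclass
class SlaReport:
    endpoint: str
    requests: int
    availability: float      # fraction of successful requests, 0.0 to 1.0
    max_latency_s: float
    slow_requests: int       # responses slower than RESPONSE_TIME_LIMIT_S
    breached: bool


def evaluate(requests: List[Request]) -> Dict[str, SlaReport]:
    """Return one report per endpoint plus an overall report under the key "*"."""
    groups: Dict[str, List[Request]] = {}
    for r in requests:
        groups.setdefault(r.endpoint, []).append(r)
    groups["*"] = list(requests)

    reports: Dict[str, SlaReport] = {}
    for endpoint, rs in groups.items():
        ok = sum(1 for r in rs if r.successful)
        availability = ok / len(rs)
        slow = sum(1 for r in rs if r.latency_s > RESPONSE_TIME_LIMIT_S)
        reports[endpoint] = SlaReport(
            endpoint=endpoint,
            requests=len(rs),
            availability=availability,
            max_latency_s=max(r.latency_s for r in rs),
            slow_requests=slow,
            breached=availability < AVAILABILITY_TARGET or slow > 0,
        )
    return reports


if __name__ == "__main__":
    for name, rep in evaluate(parse_log(SAMPLE_LOG)).items():
        flag = "BREACH" if rep.breached else "ok"
        print(f"{name:14} n={rep.requests:3} avail={rep.availability:.3%} "
              f"max={rep.max_latency_s:.3f}s slow={rep.slow_requests} {flag}")
```

In the constructed sample the /accounts endpoint meets both targets while /transactions breaches on one 503 and one 4.2 s response, which also drags the overall figure below 99.5%. In production the same check would run over a full measurement window (the rule's availability target is a sustained figure, not a ten-request sample) and per endpoint, so a single slow operation does not hide behind healthy traffic elsewhere.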
​
Security and Privacy
Third parties requesting access to consumer data must go through a rigorous onboarding process. Agreements must be maintained with third-party recipients, and security reviews must be conducted. This is also known as Third-Party Risk Management (TPRM).
​
Accuracy and Accountability
Data providers must ensure data accuracy and must maintain a record of the third parties accessing consumer data and of the intended use of that data. Data providers are accountable for the proper handling and sharing of data, and must address any misuse of it.
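The consumer consent and accountability requirements above (explicit consent naming the data shared, the recipient, the purpose, and the duration of access; a record of which third parties accessed data and for what intended use) map naturally onto an authorization check that writes an audit record on every decision, allowed or denied. The following Python is an added example, not code from this page or any vendor's product: the data category names, the in-memory store, and the class and function names are its own assumptions.

```python
"""Consent-scoped data access with an access record (added example, not from the page).

Category names, the in-memory store and all class/function names are assumptions
of this example.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Labels for the data categories listed under "Scope of Data" on the page (names are ours).
DATA_CATEGORIES = frozenset({
    "balances", "transactions", "payments", "terms", "bill_payments", "verification",
})


@dataclass(frozen=True)
class Consent:
    """One consumer's permission for one third party: what, who, why, and for how long."""
    consumer_id: str
    third_party_id: str       # who receives the data
    categories: frozenset     # which data categories may be shared
    purpose: str              # why the data is shared, as disclosed to the consumer
    granted_at: datetime
    expires_at: datetime      # access is time-boxed, never open-ended
    revoked_at: Optional[datetime] = None

    def is_active(self, now: datetime) -> bool:
        if self.revoked_at is not None and now >= self.revoked_at:
            return False
        return self.granted_at <= now < self.expires_at


@dataclass(frozen=True)
class AccessRecord:
    """Audit entry written for every access decision, so denials are recorded too."""
    when: datetime
    consumer_id: str
    third_party_id: str
    requested: frozenset
    purpose: Optional[str]
    allowed: bool
    reason: str


class ConsentStore:
    """Hypothetical in-memory store; a real deployment would persist both tables durably."""

    def __init__(self) -> None:
        self._consents: Dict[Tuple[str, str], Consent] = {}
        self.access_log: List[AccessRecord] = []

    def grant(self, consent: Consent) -> None:
        unknown = consent.categories - DATA_CATEGORIES
        if unknown:
            raise ValueError(f"unknown data categories: {sorted(unknown)}")
        if consent.expires_at <= consent.granted_at:
            raise ValueError("consent must have a positive duration")
        self._consents[(consent.consumer_id, consent.third_party_id)] = consent

    def revoke(self, consumer_id: str, third_party_id: str, now: datetime) -> None:
        key = (consumer_id, third_party_id)
        if key in self._consents:
            self._consents[key] = replace(self._consents[key], revoked_at=now)

    def authorize(self, consumer_id: str, third_party_id: str,
                  requested, now: datetime) -> Tuple[bool, str]:
        """Decide one data request; the decision is logged whether or not it is allowed."""
        requested = frozenset(requested)
        consent = self._consents.get((consumer_id, third_party_id))
        if consent is None or not consent.is_active(now):
            allowed, reason = False, "no active consent"
        elif not requested <= consent.categories:
            # Least privilege: a request for anything outside the consented scope is refused
            # outright rather than partially served.
            allowed, reason = False, "scope exceeds consent"
        else:
            allowed, reason = True, "ok"
        self.access_log.append(AccessRecord(
            when=now, consumer_id=consumer_id, third_party_id=third_party_id,
            requested=requested, purpose=consent.purpose if consent else None,
            allowed=allowed, reason=reason))
        return allowed, reason

    def third_parties_with_access(self, consumer_id: str,
                                  now: datetime) -> List[Tuple[str, str, datetime]]:
        """Consumer-facing view: who currently holds access, for what purpose, until when."""
        return sorted(
            (c.third_party_id, c.purpose, c.expires_at)
            for (cid, _), c in self._consents.items()
            if cid == consumer_id and c.is_active(now)
        )


if __name__ == "__main__":
    store = ConsentStore()
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    store.grant(Consent("cust-1", "tp-a", frozenset({"balances", "transactions"}),
                        "budgeting app", t0, t0 + timedelta(days=365)))
    print(store.authorize("cust-1", "tp-a", {"balances"}, t0 + timedelta(days=1)))
    print(store.authorize("cust-1", "tp-a", {"payments"}, t0 + timedelta(days=1)))
    print(store.third_parties_with_access("cust-1", t0 + timedelta(days=1)))
```

The access log is the artifact that answers the accountability and dispute-resolution requirements: it shows, for any consumer, which third party asked for which categories, under what stated purpose, and whether the request was served. Keeping denials in the same log is deliberate, since a pattern of out-of-scope or post-revocation requests from one recipient is exactly the signal a third-party risk review needs.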
​
Dispute Resolution
Data providers must provide channels for dispute resolution in the event of data inaccuracies or unauthorized access of data.
​
Compliance and Reporting
Data providers must ensure ongoing compliance with CFPB's Section 1033 requirements and any additional related requirements that CFPB introduces.
​