1. Overview
The Consumer Financial Protection Bureau’s (CFPB) Section 1033 regulation for personal financial data rights is charting the path to regulated open banking in the US. The regulation is set to be finalized and deployed in October 2024, and will impact all parties in the US financial ecosystem: financial institutions, fintechs, financial services providers (e.g., payments companies), businesses and consumers.
This document serves as a comprehensive guide for stakeholders navigating the complexities of Section 1033. It is particularly valuable for decision makers in Data Provider organizations (financial institutions holding consumer data) and Data Recipient entities (third-parties accessing this data). This document empowers readers to:
Develop a clear understanding of the regulation
Proactively ensure compliance
Identify opportunities arising from these regulatory changes
Whether you're a financial institution, a fintech company, a business or a curious observer, this guide provides the insights needed to turn regulatory compliance into a competitive advantage.
2. Section 1033 and CFPB
2.1. Who is the CFPB?
The Consumer Financial Protection Bureau (CFPB) is a U.S. government agency established in 2010 as part of the Dodd-Frank Wall Street Reform and Consumer Protection Act. Its primary mission is to protect consumers in the financial sector by enforcing federal consumer financial laws and ensuring that financial institutions treat customers fairly. The CFPB plays a crucial role in overseeing and regulating financial products and services.
2.2. Rationale behind Dodd-Frank Act and Section 1033
The Dodd-Frank Wall Street Reform and Consumer Protection Act was enacted in 2010 in response to the 2008 financial crisis, which exposed significant weaknesses in the U.S. financial system. The crisis, driven by risky lending practices and insufficient regulation, led to widespread economic turmoil, prompting the need for comprehensive financial reform. The Dodd-Frank Act was designed to increase transparency, reduce risks in the financial system, and protect consumers from abusive financial practices. Section 1033 of the Dodd-Frank Act focuses specifically on consumer access to financial data. It also ensures that financial institutions in the US provide these capabilities in a transparent and consumer-friendly manner. The CFPB is responsible for implementing and enforcing Section 1033.
2.3. Section 1033: Quick History and Timeline
The origins of the Section 1033 rulemaking date back to 2017, when the Consumer Financial Protection Bureau (CFPB) issued a Request for Information, followed by an Advance Notice of Proposed Rulemaking in 2020. In 2022 the CFPB proposed formal rules, with final guidelines expected in October 2024 requiring institutions to adopt the technologies and processes necessary for compliance. In June 2024 the CFPB launched the process to recognize open banking standards, and in July 2024 it confirmed that it intends to release the final rule for Section 1033 in October 2024.
2.4. Section 1033 Context in Open Banking
Open banking is a global movement which enables consumers and corporations to share their financial data using permissioned, common, and secure industry standard APIs.
Globally, over 70 regions have taken a regulatory approach to open banking, including the UK, EU, Australia and Brazil. To date, the US has taken a market-driven approach, with the industry consortium FDX creating and setting standards. The introduction of Section 1033 is a major step toward regulated open banking in the US, adding a layer of regulatory governance.
Section 1033 creates several additional benefits in the industry.
a. Level Playing Field
Traditionally, consumer financial data has been isolated within individual institutions and regarded as a competitive asset. Open banking disrupts this by opening up data access through secure and standard APIs. By exporting their data, consumers can more easily interact with new products and services from any financial institution, fintech or third party such as a retailer. This makes it easier for smaller players to compete with offerings that rival big financial institutions. In turn, that gives consumers more choice.
b. Secure Data Access
One of CFPB's significant initiatives is to shift the industry away from screen scraping, a practice where third-party apps collect data by logging into a user’s account with their credentials and extracting information from the web page. Screen scraping poses security risks and can lead to the mishandling of sensitive information. Sharing credentials also violates financial institutions’ terms of use, yet millions of consumers unknowingly do so today.
c. Standardization
The CFPB is focusing on the standardization of data sharing practices. By establishing common standards for data access and sharing, the CFPB aims to create a more consistent and interoperable financial ecosystem, where integrations and interactions between players are easier and more predictable.
3. Financial institutions impacted & compliance timelines
3.1. Financial Institutions Impacted
Section 1033 regulation applies to two types of entities: Data Providers (both depository and non-depository institutions) and Third Parties (also known as Data Recipients).
Data providers consist of:
Entities that hold consumer accounts or provide access to electronic fund transfer (EFT) services. For example, banks, credit unions, neobanks, and others.
Issuers of consumer credit cards.
Other entities that control or possess information about covered products or services, including digital wallets.
A Data Recipient is any entity that accesses, processes or uses the data provided by Data Providers.
An organization can be both a data provider and a data recipient. For example, a bank providing access to client account data can also receive account data from the client’s external accounts.
3.2. Compliance Timelines
The compliance timeline for your organization is based on assets under management (AUM) for depository institutions and revenue for non-depository institutions. The table below outlines the compliance timelines by institution type and tier.
It's important to note that the Dodd-Frank Act Section 1033 rulemaking process is ongoing. While the final rule is expected in October 2024, the specific requirements might evolve. Therefore, it's crucial to keep an eye on updates from the Consumer Financial Protection Bureau.
4. Compliance Requirements for Data Providers
This section summarizes the current set of requirements from Section 1033 as of September 2024.
1. Account Types
Section 1033 requires access to data from financial institutions providing accounts covered under Regulation E (deposit accounts) and Regulation Z (payment accounts), as well as any other organization that can facilitate a payment out of these accounts, such as a digital wallet.
Regulation E - Deposit Accounts
Checking
Savings
Regulation Z - Payment Accounts
Credit cards
Payment services
Prepaid cards
Government benefits
2. Data Types
Section 1033 requires 2 years (24 months) of the following data to be provided via APIs.
Transaction information: including but not limited to amounts, dates, payees, historical data, and fees
Account balances
Account numbers and routing numbers, which can be used to initiate payments to or from a Regulation E account
Terms and conditions: including fee schedules, rates, reward program terms, whether a consumer has opted into overdraft coverage, and whether a consumer has entered into an arbitration agreement
Information on upcoming bill payments scheduled through the data provider and any upcoming payments due from the consumer to the data provider
Basic account verification information, limited to the account holder’s name, address, email address, and phone number
3. Developer Interfaces (APIs)
Data providers are required to establish and maintain a developer interface (APIs) that meets the following requirements:
Provide data in a standardized, machine-readable format
Provide a response in under 3500ms
Meet a minimum 99.5% response rate
Adhere to industry open banking standards qualified by the CFPB
Satisfy security and confidentiality requirements
APIs must be provided free of charge.
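The two measurable requirements above (a response in under 3500ms and a minimum 99.5% response rate) are the ones a data provider can check continuously from its own API access logs. The following is an added example, not code from the guide or from any vendor: it parses a handful of constructed log lines, counts how many requests received a non-error answer and how many were answered under the latency limit, and reports whether both thresholds are met. The log format, the reading of "response rate" as the share of requests that got a non-5xx answer, and applying the same 99.5% share to the latency limit are assumptions of this example; the guide itself gives no percentile for latency.

```python
"""Added example: checking constructed API access logs against the developer
interface performance requirements (under 3500 ms, at least 99.5% response
rate). Not part of the original guide; log format and the interpretation of
"response rate" are assumptions."""
import re
from dataclasses import dataclass

LATENCY_LIMIT_MS = 3500   # "Provide a response in under 3500ms" (from the guide)
MIN_RATE = 0.995          # "Meet a minimum 99.5% response rate" (from the guide)

# Constructed sample log lines (not real traffic). Assumed line format:
#   <timestamp> <method> <path> <status> <latency>ms
SAMPLE_LOG = """\
2024-09-01T10:00:00Z GET /accounts/acc-1/transactions 200 412ms
2024-09-01T10:00:01Z GET /accounts/acc-1/balances 200 98ms
2024-09-01T10:00:02Z GET /accounts/acc-2/transactions 504 3500ms
2024-09-01T10:00:03Z GET /accounts/acc-2/balances 200 3612ms
2024-09-01T10:00:04Z GET /accounts/acc-3/terms 200 210ms
2024-09-01T10:00:05Z GET /accounts/acc-3/transactions 401 150ms
this line is malformed and is skipped by the parser
2024-09-01T10:00:06Z GET /accounts/acc-1/payments 200 77ms
2024-09-01T10:00:07Z GET /accounts/acc-4/transactions 200 1200ms
"""

# Capture only the status code and the latency; everything else is skipped.
LINE_RE = re.compile(r"^\S+ \S+ \S+ (\d{3}) (\d+)ms$")


def parse_log(text: str) -> list[tuple[int, int]]:
    """Return (status, latency_ms) pairs; lines that do not match are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((int(m.group(1)), int(m.group(2))))
    return entries


@dataclass
class SlaReport:
    total: int
    responded: int        # requests that received a non-5xx answer (assumed meaning)
    within_latency: int   # requests answered in under LATENCY_LIMIT_MS
    slowest_ms: int

    @property
    def response_rate(self) -> float:
        return self.responded / self.total if self.total else 0.0

    @property
    def latency_rate(self) -> float:
        return self.within_latency / self.total if self.total else 0.0

    def compliant(self) -> bool:
        # Both shares must reach the 99.5% floor (assumed reading of the requirements).
        return self.response_rate >= MIN_RATE and self.latency_rate >= MIN_RATE

    def findings(self) -> list[str]:
        out = []
        if self.response_rate < MIN_RATE:
            out.append(f"response rate {self.response_rate:.2%} is below {MIN_RATE:.1%}")
        if self.latency_rate < MIN_RATE:
            slow = self.total - self.within_latency
            out.append(f"{slow} request(s) took {LATENCY_LIMIT_MS} ms or longer "
                       f"(slowest {self.slowest_ms} ms)")
        return out


def evaluate(entries: list[tuple[int, int]]) -> SlaReport:
    responded = sum(1 for status, _ in entries if status < 500)
    within = sum(1 for _, ms in entries if ms < LATENCY_LIMIT_MS)
    slowest = max((ms for _, ms in entries), default=0)
    return SlaReport(len(entries), responded, within, slowest)


# A constructed healthy window: 996 fast answers and 4 gateway errors (99.6% responded).
HEALTHY_ENTRIES = [(200, 300)] * 996 + [(503, 3500)] * 4

if __name__ == "__main__":
    for name, entries in (("sample", parse_log(SAMPLE_LOG)), ("healthy", HEALTHY_ENTRIES)):
        report = evaluate(entries)
        print(name, "compliant" if report.compliant() else "NOT compliant", report.findings())
```

Run over a rolling window (the guide gives none, so the window length is a policy choice) and alert on any non-empty findings list; keeping the malformed-line count as a separate metric is also useful, since a parser that silently drops lines can hide an outage.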
4. Authorization and Authentication
Data providers must meet the following authorization and authentication requirements:
Implement processes to authenticate consumer and third-party identities
Verify third-party authorization
Retain authorization records
5. Consumer Consent
Consumer consent is the cornerstone of ethical data sharing practices. It ensures that individuals are fully aware of and agree to how their personal information is being used and shared.
Key Requirements:
Explicit and Informed Consent: Data providers must obtain clear, written, or electronic consent from consumers, explicitly outlining the types of data to be shared, the recipients, and the purpose of data sharing.
Revocability: Consumers must have the right to easily revoke consent at any time, with changes reflected promptly.
Opt-Out Options: Data providers should offer clear opt-out options for consumers to control data sharing preferences.
Consent Management System: A robust system to manage consumer consent, including tracking, storage, and retrieval of consent information.
Consent must be renewed every 12 months.
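The consent requirements above (explicit scoped consent, revocation, a 12-month renewal cycle, and a consent management system that retains records) map directly onto an authorization check that a data provider runs before releasing any data element. The following is an added example, not code from the guide or from any provider or vendor: a minimal append-only consent ledger that records grants and revocations, retains an audit trail of every event, and decides each access request against the consumer's most recent consent. The record layout, the scope names, the `Decision` outcomes and the use of 365 days to measure the 12-month window are assumptions of this example.

```python
"""Added example: a minimal consent ledger enforcing the consent requirements
listed in the guide (explicit scoped consent, revocation, 12-month renewal,
retained records). Not from the original guide; record layout, scope names
and the 365-day window are assumptions."""
from __future__ import annotations
import itertools
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from enum import Enum, auto

# The guide states consent must be renewed every 12 months; measuring that
# window as 365 days is this example's assumption.
CONSENT_VALIDITY = timedelta(days=365)


class Decision(Enum):
    ALLOW = auto()
    DENY_NO_CONSENT = auto()
    DENY_REVOKED = auto()
    DENY_EXPIRED = auto()
    DENY_OUT_OF_SCOPE = auto()


@dataclass(frozen=True)
class ConsentRecord:
    consent_id: str
    consumer_id: str
    third_party_id: str
    scopes: frozenset[str]          # data types the consumer explicitly agreed to share
    granted_at: datetime
    revoked_at: datetime | None = None

    @property
    def expires_at(self) -> datetime:
        return self.granted_at + CONSENT_VALIDITY


class ConsentLedger:
    """Consents are never deleted, only marked revoked, and every grant,
    revocation and authorization decision is appended to an audit trail, so
    the provider can show what authorization existed at any point in time."""

    def __init__(self) -> None:
        self._records: dict[str, ConsentRecord] = {}
        self._audit: list[tuple[datetime, str, str]] = []
        self._ids = itertools.count(1)

    def _log(self, when: datetime, event: str, detail: str) -> None:
        self._audit.append((when, event, detail))

    def grant(self, consumer_id: str, third_party_id: str,
              scopes: set[str], granted_at: datetime) -> ConsentRecord:
        """Record an explicit consent. Renewal is a new grant, never a silent extension."""
        rec = ConsentRecord(f"consent-{next(self._ids)}", consumer_id,
                            third_party_id, frozenset(scopes), granted_at)
        self._records[rec.consent_id] = rec
        self._log(granted_at, "grant", f"{rec.consent_id} scopes={sorted(rec.scopes)}")
        return rec

    def revoke(self, consent_id: str, revoked_at: datetime) -> None:
        rec = self._records[consent_id]
        self._records[consent_id] = replace(rec, revoked_at=revoked_at)
        self._log(revoked_at, "revoke", consent_id)

    def authorize(self, consumer_id: str, third_party_id: str,
                  scope: str, now: datetime) -> Decision:
        """Decide one data access request against the latest consent on file."""
        candidates = [r for r in self._records.values()
                      if r.consumer_id == consumer_id and r.third_party_id == third_party_id]
        if not candidates:
            decision = Decision.DENY_NO_CONSENT
        else:
            rec = max(candidates, key=lambda r: r.granted_at)
            if rec.revoked_at is not None and rec.revoked_at <= now:
                decision = Decision.DENY_REVOKED
            elif now >= rec.expires_at:
                decision = Decision.DENY_EXPIRED
            elif scope not in rec.scopes:
                decision = Decision.DENY_OUT_OF_SCOPE
            else:
                decision = Decision.ALLOW
        self._log(now, "authorize", f"{third_party_id}->{consumer_id}:{scope}={decision.name}")
        return decision

    def audit_trail(self) -> list[tuple[datetime, str, str]]:
        return list(self._audit)


if __name__ == "__main__":
    t0 = datetime(2024, 10, 1, tzinfo=timezone.utc)   # constructed timestamps
    ledger = ConsentLedger()
    c = ledger.grant("consumer-1", "budgeting-app", {"transactions", "balances"}, t0)
    print(ledger.authorize("consumer-1", "budgeting-app", "balances", t0 + timedelta(days=1)))
    print(ledger.authorize("consumer-1", "budgeting-app", "balances", t0 + timedelta(days=366)))
    ledger.revoke(c.consent_id, t0 + timedelta(days=10))
    for event in ledger.audit_trail():
        print(*event)
```

The check order matters: a revoked consent is reported as revoked even if it has also expired, so a consumer's revocation is always visible as the reason in the audit trail. Scope is checked per data element, which is what prevents a recipient authorized for balances from also pulling account and routing numbers.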
6. Data Security
Protecting consumer data from unauthorized access, breaches, and misuse is crucial. This section details the security measures that data providers must implement to safeguard sensitive information.
Key requirements:
Risk Assessments: Regular risk assessments to identify potential vulnerabilities and implement appropriate safeguards.
Data Encryption: Strong encryption for data both at rest and in transit.
Access Controls: Restrictive access controls to limit data access to authorized personnel.
Incident Response Plan: A comprehensive plan to address data breaches and security incidents.
Third-Party Risk Management: Rigorous vetting of third-party service providers handling consumer data.
7. Data Accuracy
Ensuring the accuracy and reliability of shared data is essential for maintaining trust and enabling informed decision-making.
Key Requirements:
Data Validation: Procedures to verify the accuracy and completeness of data before sharing.
Data Quality Monitoring: Ongoing monitoring of data quality to identify and correct errors.
Dispute Resolution: Mechanisms for consumers to dispute the accuracy of their data.
5. Compliance Requirements for Data Recipients
Data Recipients must protect consumer data with robust security measures, use data only for agreed-upon purposes, verify compliance with Section 1033, support consumers' rights to access, correct, and delete their data, and clearly inform consumers about data usage, obtaining their consent.
1. Consumer Protection
Consumer Protection involves safeguarding consumers' personal data and ensuring it is used fairly and transparently.
Key requirements:
Data Use Limitations: Clearly defined policies on how consumer data will be used, stored, and shared, adhering strictly to the consumer's consent. Data may not be used for any other purpose except the original purpose for which consent was received.
Data Minimization: Only collecting and retaining the data strictly necessary for the authorized purpose.
Fair Practices: Adhering to fair lending and consumer protection laws in all data-related activities.
Consumer Opt-Out: Providing a clear and accessible mechanism for consumers to opt out of data sharing for specific data uses.
Revocation: Consumers will be able to revoke access to data at any time. When access is revoked, the data recipient must immediately notify the data provider and aggregator used.
2. Data Security
Data Security is essential for protecting consumer data from unauthorized access and breaches. Data recipients must implement robust measures to ensure data confidentiality and integrity.
Key requirements:
Robust Security Measures: Implementing strong security measures to protect consumer data from unauthorized access, use, disclosure, duplication, modification, or destruction.
Risk Assessments: Regular security risk assessments to identify vulnerabilities and implement appropriate controls.
Incident Response Plan: A comprehensive plan for responding to data breaches and security incidents.
Third-Party Risk Management: Rigorous vetting of any third-party service providers involved in data handling.
3. Data Accuracy
Data Accuracy ensures that consumer data is correct and reliable. Data recipients must validate and monitor data quality to prevent errors and maintain trust.
Key requirements:
Data Validation: Verifying the accuracy and completeness of received data.
Data Quality Monitoring: Ongoing monitoring of data quality to identify and correct errors.
Dispute Resolution: Establishing a process for consumers to dispute the accuracy of their data.
4. Consumer Disclosure
Consumer Disclosure is about being transparent with consumers regarding how their data is used. Data recipients must clearly communicate their data practices to build trust and ensure informed consent.
Key requirements:
Transparent Data Practices: Providing clear and easily understandable information to consumers about how their data will be used.
Privacy Policy: A comprehensive privacy policy detailing data handling practices.
Data Sharing Notifications: Informing consumers about any changes in data sharing practices.
5. Data Retention
Data Retention involves managing how long data is kept and when it is securely deleted. Data recipients need to adhere to regulations while balancing business needs.
Key Requirements:
Data Retention Policy: Implementing a data retention policy that aligns with legal and regulatory requirements and business needs.
Data Deletion: Securely deleting data when no longer needed.
6. Consumer Complaint Handling
Consumer Complaint Handling is crucial for addressing consumer concerns effectively. Data recipients must have clear processes for managing and resolving complaints about data practices.
Key requirements:
Dedicated Complaint Channel: Establishing a dedicated channel for consumer complaints.
Prompt Response: Timely acknowledgment and investigation of consumer complaints.
Resolution: Effective resolution of consumer complaints.
7. Compliance
Compliance means adhering to all relevant laws and regulations. Data recipients must stay updated with legal requirements and ensure their practices align with regulatory standards.
Key requirements:
Regulatory Adherence: Ensuring compliance with all applicable federal, state, and local laws and regulations.
Monitoring and Auditing: Implementing systems to monitor compliance and conduct regular audits.
Employee Training: Providing ongoing training to employees on data privacy and security.
Remember, the specific requirements for data recipients may evolve as the CFPB finalizes the 1033 rule. It's crucial to stay updated on the latest regulations.
6. Options to meet Regulations
When considering implementation, financial institutions have a spectrum of options depending on their objectives and available resources. These options range from building your own platform to partnering with technology providers, each with its own set of advantages and challenges.
1. Build Your Own Open Banking Platform
This approach, while resource-intensive, offers significant flexibility and control. Financial institutions that choose this path can tailor their developer experience and use cases to their specific needs. It allows for full ownership of client and developer relationships, and provides the highest ability to innovate with new use cases, Banking-as-a-Service (BaaS), and embedded finance solutions. Additionally, it offers advanced capabilities for data ingestion.
However, building your own platform requires substantial investment and typically has the longest time to market. The institution also bears full responsibility for API management, security, identity verification, consent management, and performance optimization.
2. Partner with an Open Banking Platform Provider
This middle-ground option can minimize upfront investment and deliver a faster return on investment (ROI). It offers out-of-the-box compliance and manages much of the complexity and technology through the platform provider. This approach provides access to an extended set of use cases, available embedded finance capabilities, and advanced data enrichment options.
The trade-off is moderate control over capabilities and use cases, and potentially higher costs compared to working directly with a core banking provider.
3. Engage with Core Banking Technology Provider
For institutions seeking minimal investment and faster implementation, engaging with a core banking or technology provider can be an attractive option. This approach offers out-of-the-box compliance with minimal complexity, as the technology is managed by the provider. It typically includes select use cases ready for deployment.
However, this option provides limited control over capabilities and use cases, restricted monetization options, and minimal customization. There's also a high dependency on the core banking provider's schedule for updates and new features.
4. Hybrid Approach with Modular Integration
This flexible strategy allows financial institutions to leverage the strengths of multiple approaches, balancing control, speed, and resource allocation. It involves selectively building key components in-house while partnering with specialized providers for others.
This hybrid approach combines the benefits of in-house development and third-party solutions. It offers faster implementation, more flexibility, and cost-efficiency than building everything from scratch, while providing more control than off-the-shelf options. However, it requires strong management skills and a clear strategy to navigate the complexities of integrating multiple components and vendors. Overall, it's a balanced option for institutions wanting a customized open banking solution without starting entirely from scratch.
Each approach has its merits, and the choice depends on the institution's strategic goals, available resources, and desired level of control and innovation. Financial institutions should carefully evaluate these options against their long-term objectives and regulatory requirements to determine the most suitable path forward.
7. Next Steps: What do you now need to do to prepare?
Assign an accountable executive: Designate a senior executive responsible for overseeing both the business and technical aspects of implementing Section 1033 compliance. This person should also act as a champion for the initiative, helping to drive the cultural shift needed for successful integration and fostering a change-ready environment.
Identify near-term goals and decide on long-term objectives: Develop immediate goals that align with the CFPB 1033 compliance timelines and requirements. At the same time, strategize for long-term objectives that focus on leveraging new business opportunities and ensuring scalability for future growth.
Decide on OKRs for both near-term and long-term objectives: Establish clear Objectives and Key Results (OKRs) for short-term compliance efforts and long-term strategic initiatives. This will help keep the team focused, aligned, and able to measure progress effectively.
Communicate your vision: Clearly articulate the vision for your financial institution, including how you plan to support your customers, differentiate your offerings, and highlight your unique selling propositions (USPs). This will ensure that all stakeholders are aligned and understand the purpose behind the compliance efforts.
Create a cross-functional agile team: Form a cross-functional team comprising members from information security, compliance, data governance, infrastructure, legal, sales, technology, and business units. This agile group should continuously monitor compliance changes and be ready to respond swiftly to any updates or challenges.
Develop robust data governance: Outline a comprehensive data governance and management strategy that aligns with both compliance and business objectives. This should cover data collection, ownership, storage, access, sharing, and security. This step is essential to your organization’s ability to comply as a data provider and lays the groundwork to ingest data as a data recipient.
Invest in employee training and education: Ensure all relevant staff are well-trained on Section 1033 requirements and their implications. Continuous education will help your team stay up-to-date on best practices and regulatory changes.
Engage with regulators and industry groups: Actively participate in discussions with regulators and industry associations to stay informed about the latest regulatory updates and best practices. Engaging with these groups can provide valuable insights and help shape your compliance strategy.
Work on long-term goals in parallel: In addition to immediate compliance tasks, begin pursuing long-term objectives such as forming partnerships with fintech companies and third-party providers. Even though this is a federal mandate, there will be advantages for institutions that implement these changes more effectively and innovatively than their competitors.
Iterate quickly and share successes: Foster a culture of rapid iteration, learning, and improvement. Regularly share successes and milestones with the broader organization to maintain momentum, celebrate wins, and keep everyone engaged and aligned with the project’s goals.
By following these steps, financial institutions can not only achieve compliance with CFPB 1033 but also position themselves to take advantage of new business opportunities and stay ahead of the competition.
8. How Altitude can help
Navigating the complexities of CFPB 1033 compliance can be challenging. Our team is here to support you every step of the way. We offer comprehensive services tailored to meet the specific needs of financial institutions.
Strategic Guidance: Our Open Finance Strategy team can help you prepare for Section 1033 by assessing your readiness and creating a robust plan that covers compliance, technology, risk management, and more. We'll work with you to identify monetization opportunities and develop a business model that aligns with the new regulatory landscape.
Platform and Partner Selection: Identify and select the ideal Open Finance Platform and Fintech partners for your organization based on your desired use cases, technical capabilities and operational investment. We’ll lead the RFP process for your organization to ensure ideal fit with your vision, business model, and technology stack.
Operationalization and Monetization: We’ll work cross-functionally with your team and partners to implement your open finance platform, ensure Section 1033 compliance, and launch the use cases that will drive the most business value.
Turn compliance into a strategic advantage to build a future-ready financial institution that not only meets regulatory demands but also thrives in the evolving open finance ecosystem.
Looking for more resources to get started? View our 1033 Compliance and Open Banking Opportunities Masterclass here.