CFPB's Section 1033
Regulated Open Banking is coming to the United States
Altitude Consulting helps financial institutions prepare
The Consumer Financial Protection Bureau (CFPB) is set to finalize Section 1033 of the Dodd-Frank Act in October 2024.
This rule will require banks and financial institutions to offer open banking APIs for the secure sharing of account data.
How does this impact the industry?
Frequently Asked Questions
What is the CFPB?
The Consumer Financial Protection Bureau (CFPB) is a US government agency whose mission is to protect consumers in the financial sector by enforcing federal consumer financial laws and ensuring that financial institutions treat consumers fairly.
Has Section 1033 been finalized?
The CFPB intends to finalize Section 1033 in October 2024. The currently proposed rulemaking may change before it becomes final, so we recommend following the latest developments from the CFPB, as well as this page.
Is my organization impacted?
Section 1033 impacts depository institutions (banks, credit unions, other financial institutions) that hold deposit accounts, organizations that issue consumer credit cards, and services that possess or control account information including EFT service providers and digital wallets.
What are the timelines for compliance?
Assuming Section 1033 is finalized in October 2024, the following timelines will apply. The timelines are based on assets under management (AUM) for depository institutions and revenue for non-depository institutions.
April 2025: >$500B in assets / >$10B in revenue (non-depository institutions)
October 2025: $50B - $500B in assets / Under $10B in revenue (non-depository institutions)
April 2027: $850M - $50B in assets
October 2028: <$850M in assets
What account types and data types are covered?
Regulation E - Deposit Accounts: Checking, Savings
Regulation Z - Payment Accounts: Credit cards, payment services, prepaid cards, government benefits
Data Types: Transaction information, account balances, account numbers and routing numbers, terms and conditions (fee schedules, rates, reward program terms, overdraft coverage, arbitration agreements), upcoming bill payments, basic account verification info (account holder's name, address, email, phone number)
Data Period: Minimum of 2 years (24 months)
How can my organization prepare?
Begin learning about Section 1033 requirements and their implications for your organization. Ensure that your leaders are engaged across Compliance, Strategy, Technology and Operations. Identify which timeline your organization falls into for compliance. Review your data governance, API maturity, and technology stack, and identify any bottlenecks or challenges that may arise while working to meet requirements. We have plenty of resources to get you started, and are here to help.