Section 1033: Delivering Consent-Driven Customer Data Access

The Consumer Financial Protection Bureau (CFPB) has proposed a new rule, Part 1033¹ in October 2023, under the Consumer Financial Protection Act (CFPA) with significant implications for the financial data landscape. Being heralded as the beginning of the Open Banking era in the US, the proposed rule would require depository and nondepository entities to make available to consumers and authorized third parties certain data relating to consumers’ transactions and accounts. 

Even as the conversations around the implications and ambiguities of the proposed phase 1 go on, our 2-part blog offers a comprehensive resource for banks to navigate the resulting requirements. This first blog offers a deep dive into the key requirements from data providers, i.e., banks, and provides an overview of the expected systems impact and implementation considerations. The second blog in this series will analyze the market response to the proposal and highlight the strongest concerns raised by financial institutions, trade bodies and fintechs impacted by this regulation.

Key objectives of Section 1033

The proposed framework is intended to foster a safe, secure, reliable, and competitive framework by direct regulation of market practices. It also seeks to identify areas in which fair, open, and inclusive standards can be developed to provide additional guidance to the market.

If finalized as proposed, this rule will foster a data access framework that is: 

• Safe, by ensuring third parties are acting on behalf of consumers when accessing their data, including concerning consumers’ privacy interests; 
• Secure, by applying a consistent set of security standards across the market; 
• Reliable, by promoting the accurate and consistent transmission of data that are usable by consumers and authorized third parties; and 
• Competitive, by promoting standardization and not entrenching the roles of incumbent data providers, intermediaries, and third parties whose commercial interests might not align with the interests of consumers and competition generally. 

The data proposed to be covered under the rule would ensure consumers have access to key pricing terms, transaction and balance information, payment initiation information, and terms and conditions. This would facilitate consumer choice, including the ability of consumers to change providers of products or services.

Clarifying the scope of the data rights would also promote consistency in the data made available to consumers, reduce the costs of negotiating the inclusion of such data in access agreements, and focus the development of technical standards around such data.

Read our white paper on Personal Financial Data Rights for a detailed analysis of the proposed regulation, offering fuller details of institutional coverage, covered products, services, and data, as well as proposed provisions for authorized third parties and data aggregators.

Requirements from data providers

While the CFPB is not proposing amendments to Regulation E at this time, proposed part 1033 contains multiple provisions that would reduce fraud and unauthorized access risk in the open banking system.

Establishing basic standards for data access

The proposed rule would require data providers to establish and maintain a developer interface for third parties to access consumer-authorized data. Developer interfaces would need to make available covered data in a standardized format, in a commercially reasonable manner, without unreasonable access caps, and under certain security specifications. 

In addition, data providers would need to follow certain procedures to disclose information about themselves and their developer interfaces, which would ensure that consumers and authorized third parties have the information necessary to make requests and use the developer interface. 

Data providers also would be required to establish and maintain written policies and procedures to promote these objectives. Altogether, these provisions would ensure data providers make data available reliably, securely, and in a way that promotes competition.

Transitioning from screen scraping

The proposed rule would prevent data providers from relying on screen scraping to comply with the proposal because it is not a viable long-term method of access. Instead, data providers would be required to establish and maintain developer interfaces that would make data available in a machine-readable, standardized format and could not allow a third party to access the system using consumer interface credentials.

Clarifying the mechanics of data access

The CFPB is proposing certain requirements and clarifications to implement CFPA section 1033 concerning when a data provider must make available covered data upon request to consumers and authorized third parties. These provisions include: 

• requiring that third-party access be effected through a developer interface (rather than through credential-based screen scraping); 
• prohibiting a developer interface from requiring a third party to obtain or possess credentials for the consumer interface; and 
• allowing data providers to share tokenized account and routing numbers. 

The proposed rule would allow data providers to restrict access to their developer interface when they have reasonable risk management grounds to do so.

Ensuring third parties are acting on behalf of customers

To effectuate consumers’ control of access to their data, the proposed rule contains provisions intended to ensure that when consumers authorize a third party to access data on their behalf, the third party is actually doing so. To that end, the proposed rule would require a third party to certify to consumers that it will only collect, use, and retain the consumer’s data to the extent reasonably necessary to provide the consumer’s requested product or service. 

The proposed rule also would aim to improve consumers’ understanding of third parties’ data practices by requiring a clear and conspicuous authorization disclosure including key facts about the third party and its practices. 

Other key protections in the proposed rule include limiting the length of data access authorizations and requiring the deletion of consumer data in many cases when a consumer’s authorization expires or is revoked.

Separately, the proposed rule would exercise the CFPB’s authority to define financial products or services under the CFPA to ensure that it includes providing financial data processing. Although the CFPB has tentatively concluded that this activity would qualify as a financial product or service without a CFPB rule, this provision offers additional assurance that financial data processing by third parties or others is subject to the CFPA and its prohibition on unfair, deceptive, and abusive acts or practices.

Promoting fair, open, and inclusive industry standards

Fair, open, and inclusive industry standards are crucial for a safe, secure, and competitive data access framework. The CFPB will recognize standards set by such bodies and encourage their wide adoption. Diversely crafted standards will be more likely to attract market participants and prevent dominance by large firms, ultimately benefiting consumers.

Implementation considerations and system impact

Regardless of the minutiae of the adopted regulations, opening up customer data access in a secure, consent-driven manner requires banks to start developing an implementation roadmap. Table 1 maps the key objectives of the proposed Section 1033 regulation to implementation considerations and the kind of system enablers each would require.

Table 1

What’s next?

The CFPB is proposing to first apply part 1033 to a subset of covered persons—namely, entities providing asset accounts subject to the Electronic Fund Transfer Act (EFTA) and Regulation E, credit cards subject to the Truth in Lending Act (TILA) and Regulation Z, and related payment facilitation products and services. This is intended to prioritize some of the most beneficial use cases for consumers and leverage data providers’ existing capabilities.

While the CFPB is currently inviting comments on the proposed rule (to be submitted by December 29, 2023), the final rule is expected to be issued in November 2024, with effective dates for implementation beginning six months later. The CFPB site has started receiving comments and responses from individual players as well as trade associations who’d like to present a cohesive case for representation. Stay tuned for our next blog as we analyze the responses and look at their possible impact on the shape of the final regulations.

Disclaimer:

The information provided in this blog does not, and is not intended to, constitute business, financial or legal advice; instead, all information, content, and materials available on this site are for general informational purposes only. Information on this website may not constitute the most up-to-date legal or other information.

Readers of this blog should contact their attorney to obtain advice with respect to any particular legal matter. All liability with respect to actions taken or not taken based on the contents of this blog are hereby expressly disclaimed. The content in this asset is provided “as is;” no representations are made that the content is error-free.

Footnotes

1. CFPB, Notice of Proposed Rulemaking – Required Rulemaking on Personal Financial Data Rights | Nov 2023