LinkedInLinkedInMessengerMessenger
Written By
Shanda Purcell
Topics
Core Bank Processing
Financial Crimes
Blog | Jan. 12, 2023
Why Open Banking is Driving the Future of Financial Services
Read
Blog | Dec. 15, 2022
Open Banking and Banking as a Service: What’s the Difference?
Read
Blog  |  July 11, 2024  |  6 min read

Data Rights in the Digital Era: Exploring CFPB’s Rule 1033 and Open Banking

Written By
Shanda Purcell
LinkedInLinkedInMessengerMessenger

You could say data makes the world go around—or at least the business world. For financial institutions, data drives endless business decisions and having access to customer data empowers institutions to develop personalized offerings and campaigns. But with data access comes an equally important topic: data rights.

The Consumer Financial Protection Bureau (CFPB) estimates that 100 million consumers have authorized third parties to access their data. But what rights do consumers have when it comes to their data? Rule 1033 aims to open and decentralize a system that will allow consumers to share personal financial data across institutions.

Read our blog to learn more about the implications of Rule 1033 on data rights and how your institution can continue its open banking journey while keeping data rights in mind.

What is CFPB’s Rule 1033?

In October 2024, the CFPB issued a final rule to implement section 1033 of the Consumer Financial Protection Act of 2010 to strengthen consumers’ financial data rights. The rule covers financial data housed at banks, credit unions and other financial institutions, as well as payments apps and digital wallets.

This rule requires depository and non-depository entities to:

  • Make available to consumers and authorized third parties certain data relating to consumers’ transactions and accounts
  • Establish obligations for third parties accessing a consumer’s data, including important privacy protections for that data
  • Provide basic standards for data access
  • Promote fair, open and inclusive industry standards

To summarize, Rule 1033 requires financial institutions and other data providers to help consumers access and share their data securely using application programming interfaces (APIs). Compliance dates for this rule will be staggered based on institutional asset size, ranging from six months to four years from the date of the final rule publication.

A document with a check mark box appears in front of a person working on a laptop.
CFPB’s Rule 1033 would require financial institutions and other data providers to help consumers access and share their data securely through the use of APIs.

Rule 1033’s Potential Impact on Financial Data Rights

The rule is designed to address challenges with open banking by defining the:

  • Scope of data that third parties can access on a consumer’s behalf
  • Terms on which data is made available
  • Mechanics of accessing the data, proposed to be consumer permission based

The rule seeks to impose a framework in which data transfers occur via APIs instead of existing methods, such as screen scraping or credential sharing. Data providers will be required to maintain a digital interface for consumers and developers, both of which must meet certain performance specifications to receive and respond to data access requests.

This approach emphasizes safety, ensuring that third parties are acting on behalf of consumers when accessing their data and with respect to privacy interests. Rule 1033 also promotes security and reliability, as it would apply a set of consistent standards across the market for sharing data.

Rule 1033 includes guidance around how third parties would access covered data on behalf of a consumer. Third party access proposals would require these companies to provide an authorization disclosure to inform the consumer of key terms of access and obtain the consumers’ informed consent to the key terms of access in the disclosure.

According to the CFPB, the rule would “forbid companies that receive data from misusing or wrongfully monetizing the sensitive personal financial data.” So, third parties would be required to certify to consumers they will not use their data in advertising, cross-selling or selling.

What Data Does Rule 1033 Cover?

The rule includes a definition of the types of data that providers, such as card issuers, financial institutions digital wallet and payment apps, would need to make available upon request. According to the rule, covered data includes:

  • Transaction information, including historical data (at least 24 months)
  • Account balances
  • Terms and conditions
  • Upcoming bill information
  • Basic account verification information, such as name, address, email, etc.

It excludes confidential commercial information, algorithms, information used to prevent fraud or money laundering or other crimes and information that is required confidential under other laws, as well as other information that the provider cannot retrieve in the ordinary course of business.

At the request of a consumer or authorized third party, providers must make covered data available in a machine-readable format that can be retained by the consumer or authorized by a third party and transferred for processing into separate information systems—all without imposing fees or charges.

How Rule 1033 is Accelerating Open Banking

So, what does Rule 1033 have to do with open banking? Open banking uses APIs to enable developers to access an institution’s data, which includes customer data. By embracing open banking, your bank can offer new products or services to meet customer needs without building them internally or relying on a single provider. And Rule 1033 aims to place data rights in the hands of consumers, expanding the definition of open banking and giving them more control.

Here’s why that’s good news for your institution. As consumers exercise more control over their data, they’re able to more easily partner with banks that provide personalized service and their desired products, instead of remaining with a bank that houses all of their financial data but provides poor service and lacking products. While this could make customers less “sticky,” institutions that prioritize relationship-based approach to customer service, like community banks, stand to benefit and become the provider of choice for their customers.

Woman sitting on couch looking at a bank card and tablet in her hands.
Open banking allows institutions to meet consumer demands by efficiently offering new services.

Data Rights Considerations in Open Banking

As with any technology partnership, concerns may arise regarding data sharing and third-party data breaches. However, there are ways to mitigate risk for your institution. And the opportunities that open banking provides—from improving customer experience to expanding revenue lines—can better position your institution against the competition. We provide some tips below to protect your bank while still evaluating all open banking has to offer.

As a data provider, your bank should consider several factors to protect your customers and remain compliant. Safeguard your digital services, core platform and any other sectors placed into your open banking ecosystem. Your bank should also ensure you have secure processes in place, including handling file transfers without opening yourself up to any vulnerabilities.

To maximize your security and incident preparedness, develop and maintain policies and procedures for preventing and managing a security breach. Additionally, make sure you understand data retention and data deletion obligations. If leveraging AI, do you have the proper controls? Take the time to understand how AI is being used to reduce the risk of it monitoring or mining data for unintended purposes.

Pattern with blue security locks
When embracing open banking, protect your customers’ data by implementing secure processes.

How to Qualify an Open Banking Vendor

Partnering with third-party vendors to enhance your offerings is a key part of open banking, allowing you to fill product or service gaps with considerable ease. But you must stay vigilant and keep bad actors out of your open banking network.

Here are a few considerations your institution should keep in mind when qualifying a vendor:

  • Qualified sources: Ensure you’re looking for vendors and applications from reputable industry sources.
  • Standard due diligence: Audit procedures should follow your institution’s established policies.
  • Adequate testing phase: Deploy a testing phase to ensure how your institution’s data is accessed and used through the vendor’s apps. With this approach, you can address any issues before going live.
  • Security, audits and reporting: Verify the vendor uses secure methods to access and store your institution’s data, especially consumer-related data. Understand what they offer in terms of audit support and reporting capabilities.

Sharing Data in the Digital Era

When it comes to Rule 1033, your bank has a choice to make. Will you simply implement measures to ensure compliance once required and deliver data upon request? Or will you embrace open banking to better serve current and prospective customers? Developing the right open banking strategy for your institution can provide long-term benefits for your bank.

For additional insight into open banking and its applications, check out our white paper.

Read Now

 

 

Shanda Purcell
Shanda Purcell, Senior Director of Open Banking

With more than 25 years in business and product management, Shanda Purcell currently leads CSI’s Open Banking strategy. The focus of the Open Banking team is to deliver the best integration experience for banks and vendors as well as empower to them to expand into BaaS and PaaS markets.

Get In Touch

Are you looking for the edge to outperform the competition? CSI is a full-service technology and compliance partner.

Let’s talk