CFPB’s Section 1033: Will US open banking reach its potential?

Just over a month since the US Consumer Financial Protection Bureau released its 'final ruling' on the expansion of the Dodd-Frank Act, the financial services world has now weighed in with a variety of detailed viewpoints on the landmark personal data rights and open banking regulation.

Will the new requirements for banking and fintech providers survive a new presidential administration? Likely yes, say experts in the field, but the 'Required Rulemaking on Personal Financial Data Rights' final form and its rollout timing may still be a bit up in the air. Of course, even though the new regulation reflects bipartisan and industry-wide thoughts on protecting consumer rights, 'the devil is in the details,' say most. Section 1033 definitely has its proponents and detractors.

“The US is now positioned on par with rest of the world when it comes to open banking” - Laurent van Huffel, CEO, OpenFinity.

“Consumers should make their own choices. But it's just great that the CFPB is giving people transparency so that they can make an educated decision for themselves.” - Matt Denham, Co-founder and chief product officer, Prizeout.

"It's time to fight back." - JP Morgan Chase CEO Jamie Dimon said while speaking at an American Bankers Association convention in New York City, specifically about the bank's potential support of another banking industry group’s lawsuit against section 1033 mandates. "I've had it with this sh*t. We don't want to get involved in litigation just to make a point," he added, "but I think if you're in a knife fight, you'd better damn well bring a knife."

How the industry is now interpreting 1033’s scope, reach, and realities

When Finextra last reported in depth on the US open banking marketplace, we explained how the Consumer Financial Protection Bureau - an independent bureau of the Federal Reserve - was expected to soon make its proposed ruling on an expansion of the Dodd-Frank Act official. After more than 14 years of effectively ‘setting aside’ certain data protection and sharing questions in favour of implementing other, more “urgent” aspects of the multi-layered post-financial crisis legislation passed in 2010, the final rules announcement in late October prodded organisations we’ve spoken to into high gear. 

Industry groups convened conversations and meetings to share details and gather opinions from others in the banking industry on the new regulation’s impacts. What would the 1033’s new requirements bring to the financial services and open banking table, and what could its challenges and opportunities really mean to customers and their bank, credit union, and fintech providers once in place?

One of our key contacts on the 1033 rule’s interpretation and ongoing progress, Van Huffel, CEO of OpenFinity, a nonprofit aimed at helping financial organisations understand and make successful transitions to open banking models, shared an update and summary of key discussions that took place during the 'Expo' the consortium hosted last week. The two-day online event included 36 sessions and 50 speakers addressing various ‘angles’ of the new regulation.

4 years of discussion, 10 years of waiting, rollout slated starting 2026

From its initial iterations of four years ago - further described by CFPB Director Rohit Chopra from late last summer into fall – only a few relatively minor changes followed a request for public and industry comments (1,123 received) on the pending final 1033 rule. That period was initiated and concluded at the end of 2023. The board’s ruling was published in the Federal Register on 22 October, with an effective date of 17 January 2025. The first group, encompassing the largest institutions, must be in compliance by 1 April 2026, with additional categories by institution size to follow each year thereafter.

However, the new rule and the CFPB’s powers and propriety to issue it were immediately challenged in court by a lawsuit, filed by the Bank Policy Institute, the Kentucky Bankers Association, and a small institution in the state, Forcht Bank, N.A. Add to these, the confrontational comments from JPMC’s CEO as shared above.

For anyone who hasn’t read the full document yet, this is how the CFPB describes Section 1033 of the Consumer Financial Protection Act’s intent: “The final rule requires banks, credit unions, and other financial service providers to make consumers’ data available upon request to consumers and authorized third parties in a secure and reliable manner; defines obligations for third parties accessing consumers’ data, including important privacy protections; and promotes fair, open, and inclusive industry standards.”

Further, the CFPB’s final rule language illustrates what it sees as the scope of the financial data regulation challenge in the US, estimating that “As of 2022, at least 100 million consumers had authorized a third party to access their account data. In 2022, the number of individual instances in which third parties accessed or attempted to access consumer financial accounts is estimated to have exceeded 50 billion and may have been as high as 100 billion, figures that vastly exceed the comparable public figures from some other jurisdictions’ open banking systems, even on a per capita basis. These figures are likely to grow as consumer engagement continues and use cases expand.”

How experts are weighing in on 1033’s challenges, opportunities, and questions

So, what will the rule actually mean to US consumers and the various entities required to comply with its provisions? Here is what the experts are saying about 1033’s most likely impacts and outcomes, with additional notes and new interpretations since its publication in late October 2024:

• Mandated Data Sharing: a broad range of financial products including checking accounts, credit cards, mobile wallets, and emerging payment apps like Zelle, Venmo, and Venmo’s ‘parent’ PayPal will all be impacted by the new secure data exchange rules. According to Van Huffel, including all of these providers under 1033’s mantle was a bit of a surprise, but it reflects the growing usage and market share of fintech and nonbank or quasi-financial institution providers in the banking world.
  • One key insight from the OpenFinity Expo sessions, per Van Huffel: “Collaboration with industry-standard bodies and regulatory guidance can facilitate smoother adaptation and adoption of the new open banking rules.”
• Consumer power over data: 1033 presents new requirements to provide consumers with details on what data is collected about them, who it is being shared with, and providing transparency around this and providing users the right to revoke access to their data at any time. This means both ceasing data collection and deleting all data immediately upon consumer request.
• Permissible purposes clearly defined: Using consumer data for any purpose other than that intended by the consumer – including targeted advertising, cross-selling, or other uses not previously agreed to by the user - is effectively banned.
• Some secondary, third party uses allowed: If consumer data usage can help financial providers improve services, protect against fraud, or train AI models, for example, they can do so without explicit authorisation from consumers.
• • Additional insight: Third-party entities receiving data must retain records of consumer authorisation for up to three years, including signed disclosures and any revocation history.
• Screen scraping scrapped: One of the major objectives of Section 1033 was to get rid of the practice of third-party aggregators and other financial providers using consumers’ sign-on credentials to access websites hosting their transactions and activities – then ‘scraping’ the information into reports and facilitating financial information consolidation and further activities. Now, APIs (application programming interfaces) to digitally connect users to providers are viewed as the secure method of choice to provide such aggregated services to users – and most industry watchers expect the industry group Financial Data Exchange (FDX) to set industry standards and unify formatting and security protocols.
• Not just banks or credit unions impacted: Under 1033, all sorts of financial entities must now comply with data security standards promulgated by the Gramm-Leach-Bliley Act. This means any organisation that provides financial services, even on the margins of the industry, must adhere consistently to data protection standards under the rule.
  
  • Additional insight: AI systems utilising consumer data must comply with the CFPB rule's privacy and accuracy requirements, and data governance teams within institutions will play a critical role in ensuring data used for AI training adheres to these standards.
• No fees for access: There will be no fees allowed to provide access to financial data. Consumers in the US, as in Europe and elsewhere, can now ask for and get their own data at no charge. This short-circuits any attempts to profit from or offset costs resulting from compliance with the new regulations.

Key assertions, assumptions, and predictions on 1033’s implementation impacts from industry experts and banking practitioners include:

• Open banking and ROI acceleration
  - Consumers demand transparency, control over their data, and personalised financial solutions. Open banking APIs will enable institutions to reduce costs, improve security and privacy, and attract new customers by providing seamless access to financial data. Institutions adopting these tools can better compete in the market and adapt to evolving customer expectations.
• Call to action for financial institutions (recommendations from MX, a financial data connections and insights company):
  - To succeed in open banking, institutions need to reimagine their data strategies, breaking down silos and fostering collaboration. Therefore, organisations must focus on using consumer data not just for marketing but for enhancing core product offerings and improving financial outcomes for customers.

Research from MX on the industry’s handling of data:

• 44% of financial leaders say they have lost consumers due to poor data utilisation;
• 73% of organisations expect to increase lending portfolio growth through the ability to utilise consumer financial data for business purposes;
• 81% of organisations expect to improve the overall customer experience by utilising consumer financial data for business purposes.

Credit unions will see obstacles and opportunities from open banking regulations as well

What does 1033’s mandate mean to credit unions? Industry watchers say these 'not-for-profit' entities will feel the burden of initial and ongoing 1033 compliance, just like banks and fintech providers, and also the Apples and Googles and Zelles and Venmos of the world with the steadily increasing usage of their own financial ‘wallet’ and peer to peer payment products.

Denham of loyalty and rewards programs provider Prizeout, which services credit unions and community banks, says 1033 is the right thing to do, and it is likely to energise many credit unions with opportunities to increase their membership and broaden their offerings. "For credit unions, but also for fintechs, which we are, this gives not us an edge, nor credit unions an edge. It gives consumers what they want.”

Though credit unions individually may not have the massive funding or political clout to match the major banking associations, they do have strength in numbers, says Denham. “There's 289 credit unions in America with more than 100,000 members, and (combined) they have 91 million members.” Not to mention thousands more smaller credit unions, with millions more members banking there in communities across the country every day as well.

Some issues, questions likely to be clarified as 1033 comply dates draw nearer

There are still some remaining challenges surrounding the 1033 final rule’s approach and verbiage. One area “subject to interpretation” according to OpenFinity and Van Huffel, is how the “multilayered chain” of user data may pass through multiple – and consumer authorised – financial intermediaries, partners, other institutions, and/or fintechs. This raises lots of questions as to what happens when/if a financial breach occurs, or any unauthorised transactions take place.

It’s not clear yet, says Van Huffel, if there will be “safe harbour” provisions to protect banks or other principal financial providers from liability should the consumer independently agree to share data with other entities down the chain over which the main provider has no control nor a supporting relationship. “Typically, in all regulations [such as 1033] you have something like this. I think there will be requests [from some providers] for [safe harbour protections.]”

The co-founder of the Washington, DC-based OpenFinity also sees some potential conflicts with other federal regulations, like Reg E – which mandates rules around disclosure, pre-authorisation, cancellation, error resolution, and liability pertaining to electronic fund and remittance transfers, such as provided through ATMs, direct deposit, gift cards, overdraft, and international money transfers.

“There might need to be some harmonisation (between) the overlaps of 1033 with Reg E, and other regulations,” Van Huffel predicts. “What if, by sharing this (consumer data) information, it results in an unauthorised transaction? Who becomes responsible? To me, these potential overlaps are inevitably going to come up before 1033 becomes the law,” he believes, which takes place effectively for the first of four categories of financial providers, in April 2026.

5 categories and compliance timelines, according to asset size or annual sales

How are those five data provider types defined? The CFSB now uses the following delineations:

• The first group – comprised of major financial institutions over $250 billion in assets and non-depository institutions with more than $10 billion in total receipts – will need to comply with 1033’s provisions by 1 April 2026.
• The second group of depository institutions with $10-250 billion in assets and non-depository companies below $10 billion in receipts, faces a compliance deadline one year later.
• Smaller depository institutions have target implementation dates each succeeding 1 April. Those from $3-10 billion in assets in 2028, then $1.5 billion to $3 billion the following year, and by 2030, the smallest group, financial institutions from $850 million to $1.5 billion in assets, must be operating in line with the new rule’s data sharing and control provisions.

Waiting any longer won’t change much – and it’s not smart management, either

Notwithstanding potential technical issues with bringing their core and consumer-facing systems and procedures into compliance with the new data requirements, and financial services industry objections and lawsuits, what’s next for the banks, credit unions, and nonbank providers subject to the final 1033 rules?

It’s time to get ready, no matter what, says OpenFinity’s Van Huffel. Some banks will wait for the pending lawsuit against the agency and its rule to be resolved, some banks will wait for the specific data-sharing standards to be used between financial providers and third parties to be confirmed by the CFPB, a choice which industry observers say is likely to be the FDX approach. Other institutions and fintechs might wait for their particular asset/sales category timeline to draw closer before starting preparations to comply. None of these are good ideas, says Van Huffel.

1033 offers all institutions opportunities for market expansion and innovation

OpenFinity’s CEO believes that delaying taking action to prepare for 1033, even given the extra year to get ready provided in the final rule, is a mistake. “Others will leverage the opportunities that 1033 data sharing and protection policies might bring them. They’ll ask the important questions of ‘How can this fit into our plans, drive our marketing, stop our client attrition rate, allow us to cross-sell more effectively.’” And they might just target other institutions - ones that aren’t yet fully on board or set up to comply with 1033’s data sharing and portability provisions – as ripe sources for new customers.

What's the net impact of 1033’s implementation on credit unions, even though they’re smaller than most banks? It will likely be a “win” for them, and for all consumers, says Denham: “One of the things about that (Bank Policy Institute/Kentucky Bankers Association) complaint that was quite interesting is its reference to the security of data,” along the financial chain, as described in the lawsuit’s first page (“sharing such sensitive data inherently presents risks to the security of customers’ deposits and sensitive financial information.”)

“Of course,” the fintech leader said, “there's got to be security of data, but let consumers consent to what they want to be done with their data, right?” (Which may not make larger banks happy, he admits, as they might prefer to decide themselves what can be done for customers in this regard.)

“That’s what we love about credit unions: (their focus on) transparency. So, a consumer can decide if they want to share information with an institution that can give them a better deal. Which credit unions do, right? And (they do it as) not for profit organisations, too.”