What is the CFPB Section 1033?

The CFPB's Section 1033 is a new rule proposal set to make a significant impact to the financial services landscape by granting consumers greater control over their financial data. CFPB Director Rohit Chopra recently stressed that “It will be important to coordinate with the Federal Reserve Board of Governors and the Office of the Comptroller of the Currency as we revise our approach. The banking industry and the public would benefit from a consistent and uniform approach to this law.” So, for financial institutions, early planning and implementation are crucial as the CFPB continues to push for more coordination and stronger sanctions against offenders.

Section 1033 in a nutshell means a shift from viewing consumer financial data as "my data" to "the customer's data in my control." In this article, we'll provide key information and a comprehensive guide to help financial institutions understand where they fit in and how to prepare for the CFPB compliance roadmap.

What is the CFPB Section 1033 Compliance Timeline?

CFPB's section 1033 compliance timeline is structured to allow financial institutions time to adapt. The CFPB plans to finalize the rule by fall 2024, followed by phased implementation. Larger depository institutions will have earlier compliance deadlines, while smaller institutions will have additional time to meet the requirements. See the chart below to determine your timeline.

‍6 months: Depository Institutions with over $500 billion in assets, and non-depository institutions with over $10 billion in annual revenue.

12 months: Depository Institutions with between $50 and $500 billion in assets, and non-depository institutions under $10 billion in annual revenue.

2.5 years: Depository Institutions with between $850 million and $50 billion in assets.

4 years: Depository Institutions with under $850 million in assets.

We at Sensedia recommend that all financial institutions begin preparations immediately. Begin by evaluating the current infrastructure and the necessary investments needed to meet compliance deadlines, then identify and implement these changes in a cost-effective, adaptive manner.

We stress that institutions must maintain full control over their solutions and avoid "shortcut" approaches that limit flexibility and scalability, as regulations and standards will inevitably evolve. Properly implemented open banking strategies have proven to leverage competitive advantages for early adopters. See case study.

CFPB 1033 Financial Data Coverage Overview

The proposed rule outlines obligations and limitations for how companies must collect, use, and store consumer data. It will require banks to share data in a standardized format via secure APIs, empowering consumers with greater control over their financial data via consent management.

The CFPB will cover the following financial data:

• Account Balances & Financial Transactions: Includes at least 24 months of historical information held by the data provider.

• Payment Initiation: Covers transactions to or from a Regulation E account, such as electronic fund transfers (EFTs), prepaid accounts, and gift cards.

• Bill Payment Information: Includes scheduled third-party bill payments and upcoming payments due to the data provider.

• Account & Routing Numbers: Covers both tokenized and non-tokenized numbers.

• Terms & Conditions: Includes fee schedules, annual percentage rates or yields, rewards program terms, and whether a consumer has opted into overdraft coverage or an arbitration agreement.

• Account Verification: Includes the name, address, email, and phone number associated with the consumer financial product or service.

‍

Institutions using third-party solutions must be cautious of open banking providers that focus mainly on data aggregation without offering full control over APIs. Surrendering control of your open banking APIs can pose significant risks if the third-party solution falls out of compliance or cannot keep up with evolving standards. There is also the risk of being locked into escalating prices, potentially pricing you out of the market.

CFPB 1033 Compliance Requirements Guide

All financial institutions accessing consumer financial data will be impacted by Section 1033 of the Consumer Financial Protection Act (CFPB's notice of proposed rulemaking), whether they are depository institutions or non-depository institutions, data providers, data receivers, or even data aggregators. 

1. Data Interfaces and Access

A. Requirements for Consumer Interface

Overview: A user-friendly interface where consumers can request and access their financial data and ensure the interface allows consumers to access data in an electronic format that is easy to use and transfer, and free of charge for the consumer (Page 9, Section 1033.301).

‍Requirement to Establish and Maintain Interfaces:

• A data provider must maintain a consumer interface and establish a developer interface and both interfaces must meet requirements.

‍

Machine-Readable Files upon Specific Request: 

• Upon request, a data provider must provide covered data in a machine-readable file that the consumer or authorized third party can retain and transfer to another information system in their control if requested.

‍

Prohibition of Fees: 

• A data provider must not impose any fees or charges on a consumer or an authorized third party in connection with:
• Establishing or maintaining the required interfaces.
• Receiving requests or making available covered data in response to requests as required by this part​.

B. Requirements for Developer Interface

Overview: An interface for third parties to access consumer financial data and ensure it meets the standardized format requirements and is commercially reasonable in performance; the interface must meet certain performance specifications to be considered commercially reasonable. (Page 10, Section 1033.311).

Standardized Format: 

• The developer interface must make covered data available in a standardized format by following a qualified industry standard. 
• In the absence of a qualified industry standard, the format must be widely used by other similarly situated data providers and be readily usable by authorized third parties.

‍

Quantitative Minimum Performance Specification:

• The interface must have a proper response rate of at least 99.5%.
• Proper responses exclude those during scheduled downtime.
• Scheduled downtime must be reasonable and communicated in advance.
• The total amount of scheduled downtime must adhere to qualified industry standards.
• Proper responses include fulfilling the query or explaining why it wasn't fulfilled within a commercially reasonable time (no more than 3,500 milliseconds).  

‍

Access Cap Prohibition: (Page 12, Section 1033.321)

• Data providers must not unreasonably restrict the frequency of data access requests.
• Any frequency restrictions must be non-discriminatory and consistent with established policies and procedures.

‍

Security Specifications (Page 14, Section 1033.321)

• A data provider must not allow a third party to access or scrape the data provider’s developer interface to use any consumer credentials.
• The interface must have an information security program that meets the requirements of the Gramm-Leach-Bliley Act or the FTC’s Standards for Safeguarding Customer Information.

‍

2. Open Banking Data Management and Compliance

A. Data Categorization and Availability

Overview: Identify and categorize covered data, including transaction information, account balances, payment initiation details, terms and conditions, upcoming bill information, and basic account verification information and ensure the data is up-to-date and includes at least 24 months of transaction history. (Page 7, Section 1033.211)(Page 20, Section 1033.351).

Record Retention Retention Policies: 

• Implement policies to retain records related to data requests, denials, and third-party authorizations for at least three years.

‍

Specific Requirements: 

• Retain records of requests for third-party access, actions taken, reasons for denying access, and revocation actions by consumers.

‍

Performance and Availability

• Performance Monitoring: Regularly monitor and disclose the performance of your developer interface, ensuring it meets the 99.5% proper response rate standard. Provide monthly updates on performance metrics.

‍

• Scheduled Downtime Management: Manage scheduled downtimes effectively, providing reasonable notice to third parties and limiting downtime to reasonable amounts.

‍

B. Third Party Authorization and Consumer Consent

Overview: To become an authorized third party, these steps ensure consumer data is handled responsibly, transparently, and with the consumer’s informed consent, while also providing mechanisms for consumers to manage and revoke data access. (Page 21, Section 1033.401)​

• Seek Access to Covered Data: The third party must request access to consumer financial data from a data provider to offer a product or service requested by the consumer.

‍

• Provide Authorization Disclosure: The third party must give the consumer a clear authorization disclosure that includes their name, the data provider’s name, a description of the service, the data categories to be accessed, a certification statement, and how to revoke authorization.

‍

• Certify Compliance: The third party must include a statement in the authorization disclosure certifying it will only use and retain data as necessary for the requested service, and not for targeted advertising, cross-selling, or selling the data.

‍

• Obtain Consumer Consent: The third party must obtain the consumer’s informed consent to access their data, documented by the consumer signing the authorization disclosure electronically or in writing.

‍

• Revocation Mechanism: Provide consumers with an easy mechanism to revoke third-party authorization and notify the data provider and other third parties when a revocation request is received.

‍

• Reauthorization Requirements: Third parties must reauthorize data collection annually by obtaining a new authorization from the consumer. Without reauthorization, third parties must stop collecting and using the data.

‍

C. Policies, Consumer Education, and Support

Overview: To comply with CFPB requirements, develop and maintain written policies on data availability, accuracy, access denial, and record retention. Ensure data accuracy, provide transparency about data practices, and offer clear contact information for assistance. (Page 19, Section 1033.351)​

• Written Policies: Develop and maintain written policies and procedures that ensure compliance with the CFPB’s requirements. These should cover data availability, accuracy, denial of access, and record retention.

‍

• Ensuring Accuracy: Implement procedures to ensure data accuracy, including addressing any inaccuracies reported by consumers or third parties.

‍

• Transparency: Make information about your data practices, including how to access and revoke data permissions, easily accessible to consumers.

‍

• Support Channels: Provide clear contact information for consumers and third parties to get assistance with data access and security concerns.

‍

D. Standardization and Interoperability 

Overview: A standard-setting body must be fair, open, and inclusive. Allowing all interested parties, including consumer groups, authorized third parties, data providers, and data aggregators to participate meaningfully in the standards development process on a non-discriminatory basis. (Page 6, Section 1033.141).

• Ensure no single interest dominates the process.
• Follows procedures, provide adequate notice, and resolve conflicts fairly.
• Develop standards through general agreement.
• Offer an impartial process for handling appeals.
• Recognized by the CFPB within the last three years.

‍

By addressing these areas, your financial institution and tech infrastructure will be well-prepared to comply with CFPB’s Section 1033, ensuring secure, transparent, and efficient data sharing with consumers and authorized third parties.

‍

How can Sensedia Help with Open Banking APIs?

At Sensedia, we leverage our extensive system integration experience to deliver tangible business value. We support a diverse range of financial institutions, from legacy core banks to fintechs, driving real success in open banking worldwide.

Our focus is on providing robust stability, security, and support to future-proof your business beyond compliance. Eliminate dependencies on intermediaries and data aggregators, and build a scalable, efficient, and profitable financial ecosystem. 

Sensedia is a global leader in multi-layer integrations, APIs, and Open Banking standards. Recognized by Forrester Wave™ (Q3 2024), 'Best Open Banking Solution Provider' by Fintech Awards UK, and ‘Best Real-Time Payments Solution’ by the Paytech Awards, a certified AWS Financial Services Partner, specializing in open innovation and enabling a more digital, connected, and open world.

For more detailed information please read our Open Banking Basics Crash Course or visit our Banking & Financial Services page to learn more.

‍