Unlocking the Future of Finance: Part 2 - Breaking Down the CFPB’s 1033 Ruling Announcement

Part 1: Unlocking the Future of Finance: Navigating the Rise of Open Banking in America

Part 2: Breaking Down the CFPB’s Announcement

Part 3: The Dawn of Open Banking in Canada

Part 4: Open Banking Use Cases: Show me the Money

Part 1 of this four-part blog series explained what is Open Banking and how it started. Part 2 focuses on the announcement by the U.S. Consumer Financial Services Bureau (CFPB) to activate a dormant authority under Section 1033 of the Consumer Financial Protection Act that will accelerate the shift towards open banking.

On October 19, 2023, CFPB announced the release of a proposed rule[1] requiring U.S. financial firms such as banks and credit unions that offer transaction accounts – like checking accounts, prepaid cards, credit cards, and digital wallets – to give consumers access to their personal financial data at no charge, so it can be shared with another provider.

The rule is aimed at leveling the playing field, empowering smaller financial institutions to better compete and giving consumers more freedom and access to new services.

Overview

The document, that is 80-pages long, from the Federal Register, dated October 31, 2023, details a proposed rule by the Consumer Financial Protection Bureau (CFPB) regarding personal financial data rights. This rule, under the Consumer Financial Protection Act of 2010 (CFPA), aims to regulate the handling of consumers' financial data by both depository and non=depository entities.

Key points include of Open Banking 1033 Ruling

1. Mandatory Data Availability: The rule would require entities to provide consumers and authorized third parties with access to certain transaction and account data.

2. Third-Party Obligations: It establishes obligations for third parties accessing consumer data, emphasizing privacy protections.

3. Depository and Non-depository Entities' Role: The rule mandates these entities to provide access to consumers' transaction and account data. This includes banks, credit unions, and non-banking financial companies.

4. Privacy and Data Security: The proposal places a strong emphasis on protecting the privacy of consumer data. It requires third parties to adhere to stringent data security and privacy standards.

5. Standards for Data Access: The rule aims to set clear standards for how data access is provided, ensuring consistency and reliability in the way consumer financial data is handled.

The document also discusses the background and challenges in the open banking system, the legal authority for the rule, and its potential impacts. It includes a detailed analysis of the proposed rule's benefits and costs, its effects on small depository institutions and credit unions, and its impact on consumers in rural areas.

Key Takeaways

1. Enhanced Consumer Control: The rule empowers consumers by giving them more control over their financial data. This could lead to better financial management tools and services tailored to individual needs. For instance, the rule will enable consumer’s financial data portability to easily move their bill pay data from one bank to another, similar to U.S. phone number portability regulations enacted years ago.

2. Industry Standardization: One of the key promises of Open Banking is to establish an open, shared standard to facilitate seamless interoperability. Although CFPB will not take side for a specific standard, currently, in the US, a de facto standard exists, largely due to the efforts of the non-profit Financial Data Exchange (FDX) organization, which emerged from collaboration within the banking ecosystem. Various industries have historically been hindered by a lack of interoperability, which has served as a barrier to adoption, costing millions. Consider the early days of cell phones and the challenges of international travel, not to mention the associated high fees. Nowadays, we often take for granted standards like TCP/IP, Wi-Fi, Bluetooth, HTTP, and HTML, among others. Imagine a world without.

3. Potential for Innovation: The rule could spur innovation in financial services, as fintech companies and other third parties will have standardized access to consumer data, enabling the development of new tools and services.

4. Data Security Concerns: With the increased sharing of financial data, there will be a heightened focus on data security and the prevention of data breaches. Today, such consumer data access is enabled via screen scraping, an unsecure method of sharing data with a third party. The bureau will therefore require financial institutions to use APIs to share data instead of compelling customers to give out their account credentials.

5. Impact on Financial Institutions: Banks and other financial institutions will need to invest in technology, processes, and education to adapt to and comply with new open banking requirements. This could lead to significant changes in their business models too. Technological advancements will include replacing screen scraping with secure FDX APIs, creating modern portals for API publication in discoverable marketplaces, managing consent, and more.

This proposed rule marks a significant step in regulating the use of personal financial data, reflecting the growing importance of data privacy and security in the digital age. It also highlights the CFPB's role in shaping the future of financial services through regulatory measures.

Proposed Timeline and Compliance Dates

Implementation Timeline: After the closure of the comment period on December 29, 2023, the CFPB will review the feedback and finalize the rule. The timeline for implementation will be outlined in the final rule, which is not specified in the document.

A data provider must comply with §§ 1033.201 and 1033.301 beginning on:

(1) [Approximately six months after the date of publication of the final rule in the Federal Register], for depository institution data providers that hold at least $500 billion in total assets and non-depository institution data providers that generated at least $10 billion in revenue in the preceding calendar year or are projected to generate at least $10 billion in revenue in the current calendar year.

(2) [Approximately one year after the date of publication of the final rule in the Federal Register], for data providers that are:

(1) Depository institutions that hold at least $50 billion in total assets but less than $500 billion in total assets; or

(2) Non-depository institutions that generated less than $10 billion in revenue in the preceding calendar year and are projected to generate less than $10 billion in revenue in the current calendar year.

(3) [Approximately two and a half years after the date of publication of the final rule in the Federal Register], for depository institutions that hold at least $850 million in total assets but less than $50 billion in total assets.

(4) [Approximately four years after the date of publication of the final rule in the Federal Register], for depository institutions that hold less than $850 million in total assets.

However, it would be prudent for financial institutions in the last two segments not to delay embracing open banking compliance. Waiting risks being outpaced and becoming obsolete by early adopters who gain a first-mover advantage.

[1] https://files.consumerfinance.gov/f/documents/cfpb-1033-nprm-reg-text-with-1001_2023-10.pdf