Section 1033 Final Rule: Quick Takes on Key Changes — Deadlines, Scope, and Secondary Use
October 23, 2024 | 3 min read
While specific details may change before the final rule under Section 1033 of the Dodd-Frank Act is published by the Consumer Financial Protection Bureau (CFPB), MX’s data shows a few common areas where data providers and recipients may be at risk of falling short of their compliance obligations. Here’s a quick recap of common areas to investigate now to make sure you’re ready to tackle new obligations once the rule is finalized.
Getting Ready for Section 1033 Obligations: 10 Common Areas to Investigate Ahead of Time. Read the full guide
Data recipients need to ensure that consent management and authorization disclosures to the consumer meet all the obligations outlined in the proposed rule, including disclosing the names of the data recipient and data provider, categories of covered data that will be accessed, descriptions of products or services that the consumer has requested, how to revoke access, and certification that the data provider agrees to all obligations. In addition, data recipients need to determine how to capture, store, and present a copy of the Authorization Disclosure to the consumer after they have consented, ensuring it is accessible at any time for consumers to view.
Data providers and recipients will both need to provide a method or mechanism for consumers to revoke authorization to access their covered data by a third party. In addition, data providers must be able to notify the authorized third party (data recipients and data access providers) of the request to revoke access. Data recipients, in turn, need to have a mechanism and process to receive, and execute on, revocation requests from a data provider. Finally, the data recipient must notify relevant data providers, aggregators, and other third parties of the request to revoke access.
Data providers will need to publish developer portal performance metrics on a monthly basis in a “public and readily identifiable manner”, as well as maintain a 99.5% response rate to meet a quantitative minimum performance specification.
While due diligence is already typically conducted, the proposed rule could lead to an increased volume of requests for data providers that currently have developer interfaces, while other data providers will be establishing interfaces for the first time. This volume of requests from third parties to access data provider interfaces could, according to the CFPB, “outstrip these data providers’ resources for vetting third parties.”
Data providers will need to ensure they disclose and maintain API documentation, including metadata describing all covered data and corresponding data fields, how third parties can get technical support and report issues, and other documentation sufficient for a third party to access and use the interface. Data recipients, for their part, will need to ensure they have data governance tools and processes to make sure covered data is only collected, used, and retained for 12 months unless re-authorized by the consumer or there is a “reasonably necessary justification for retention or use.”