Reserve a Strategy Session


Getting Ready for Section 1033 Obligations: Where Financial Providers May Fall Short

Getting Ready for Section 1033 Obligations: Where Financial Providers May Fall Short


The Consumer Financial Protection Bureau’s (CFPB) final rulemaking under Section 1033 of the Dodd-Frank Act is expected to be released in early Fall 2024. This rulemaking is one of the most substantive regulatory changes to happen in the financial industry in many years. It fundamentally changes, for the better, how consumers can access and share their financial data. 

Once final, the clock starts for financial data providers and recipients to meet outlined compliance timelines and requirements. The compliance period will vary depending on the size of each institution. But, that doesn’t mean wait. The time is now for financial institutions to begin getting ready to meet obligations under this new rule. 

Let us help you get started with making sense of expected obligations — and opportunities — within your open banking journey. Talk to our experts today.

Common Areas Where Financial Services Providers are Vulnerable

While specific details may change before the final rule is published, MX’s data shows a few common areas where data providers and recipients may be vulnerable to meeting Section 1033 compliance obligations. Here’s 10 common areas to investigate now to make sure you’re ready to tackle new obligations once the rule is finalized:

For Data Providers

  1. Provide a “reasonable method” for consumers to revoke any third party’s authorization to access their covered data from the data provider. And, the data provider must notify the authorized third party (data recipients and data access providers) of the request to revoke access.
  2. Publish developer portal performance metrics on a monthly basis in a “public and readily identifiable manner”, as well as maintain a 99.5% response rate to meet a quantitative minimum performance specification.
  3. Provide reasonable notice of any scheduled downtime of the developer interface to all third parties. In addition, data providers must deliver a proper response that either fulfills the query or explains why a query was not fulfilled, remains consistent with written policies and procedures, and is delivered within a commercially reasonable amount of time (currently less than 3,500 milliseconds).
  4. Conduct due diligence on all third party apps and if access is denied, state and retain the non-discriminatory reason for that denial. While due diligence is already typically conducted, the proposed rule could lead to an increased volume of requests for data providers that currently have developer interfaces, while other data providers will be establishing interfaces for the first time. This volume of requests from third parties to access data provider interfaces could, according to the CFPP, “outstrip these data providers’ resources for vetting third parties.
  5. Make covered data available in a machine-readable file that a consumer or authorized third party can retain and transfer into a separate information system. In addition, data providers will also need to make covered data available upon request in a readily printable or downloadable format through a consumer interface.
  6. Disclose and maintain API documentation, including metadata describing all covered data and corresponding data fields, how third parties can get technical support and report issues, and other documentation sufficient for a third party to access and use the interface. 

For Data Recipients

  1. Ensure that consent management and authorization disclosures to the consumer meet all the obligations outlined in the proposed rule, including disclosing the names of the data recipient and data provider, categories of covered data that will be accessed, descriptions of products or services that the consumer has requested, how to revoke access, and certification that the data provider agrees to all obligations. In addition, data recipients need to determine how to capture, store, and present a copy of the Authorization Disclosure to the consumer after they have consented, ensuring it is accessible at any time for consumers to view.
  2. Evaluate data governance tools and processes to make sure covered data is only collected, used, and retained for 12 months unless re-authorized by the consumer or there is a “reasonably necessary justification for retention or use.” And, data recipients will need to provide a clear, easy way for consumers to re-authorize data sharing, ideally using proactive notifications prior to the end of 12 months to ensure no disruptions to the customer experience. 
  3. Provide a mechanism for consumers to revoke authorization to access their covered data by the data recipient that is “as easy to access as the initial authorization.” In addition, data recipients need to have a mechanism and process to receive — and execute on — revocation requests from a data provider. Finally, the data recipient must notify relevant data providers, aggregators, and other third parties of the request to revoke access. 
  4. Prepare for consent management, disclosures, and tracking related to potential secondary use cases. Currently, the proposed rule prohibits secondary use cases (i.e. targeted advertising, cross-sell of products and services, etc). However, the CFPB is actively seeking commentary on the possibility of an opt-in for secondary use cases. Data recipients will need to be mindful of how they will manage the final ruling around these use cases and how to manage additional processes to allow consumers to opt in. 

How MX’s Data Access Helps Get Ready for Section 1033 

MX’s mission is to empower the world to be financially strong. At the core of delivering on our mission is the ability for consumers to access, direct, and control their financial data to improve their financial outcomes. MX has been working with our clients, partners, and the wider ecosystem to accelerate Open Banking and secure data sharing for the past 5 years. 

As a leading voice on Open Banking and strong advocate for consumer-permissioned data sharing, our solutions and products are already built with this in mind. We will continue to work closely with institutions to ensure they are prepared to comply with Section 1033 – and continue to enhance our products to meet any new requirements under this rulemaking.

Our platform was architected with privacy, security, and permissioning-first principles. We consider our long-standing commitment to data integrity as a distinguishing factor. We require consumer permission before we allow our services to be used to identify, access, and share financial data. We put the consumer first, prioritize privacy, and do not aggregate data into files about individual consumers across clients. And, we continually focus on delivering reliable, secure connections through our APIs and connectivity solutions. 

MX’s Data Access solution is an open API platform built on FDX standards that improves time-to-market and reduces costs to deliver secure data sharing — enabling you to get ahead of Section 1033 compliance deadlines and expected obligations. It gives financial providers the tools to implement and manage consumer-permissioned data sharing, monitor compliance status, and access insights on open banking data. 

In addition, MX’s Data Access platform can help create a competitive advantage for organizations on their open finance journey with real-time performance metrics, insights into data sharing activity, and support tools to easily manage and maintain connections. Learn more about how MX Data Access helps financial institutions get ready for obligations under Section 1033.

MX is ready to help you evaluate where you sit in the compliance timeframe, API availability, and next steps. Schedule a strategy session today.

Outlining the Basics

What’s Currently Included in Section 1033 

The CFPB’s notice of proposed rulemaking calls out that the rule would cover Regulation E accounts and Regulation Z credit card accounts to start. This includes checking accounts, savings accounts, credit cards, prepaid cards, digital wallets, and other electronic payments. And, the CFPB has made it clear that more financial products, such as investments, loans, mortgages, etc., to be added over time. 

When Compliance Will Be Required

Organizations that control or possess information concerning one of the covered products or services will have work to do to ensure they are meeting the stated compliance requirements within the final timeframe that the CFPB issues. Currently, the proposed rulemaking outlines four compliance timeframes based on the organization’s asset size:

CFPB Proposed Compliance Timeline

Where to Start if Your Organization Doesn’t Have an API 

If you haven’t yet started or finished building an API to enable data sharing from your organization, now is the time to prioritize this work. The CFPB agrees that establishing an API would meet many of the requirements outlined in its proposed rule. Credential-free API connections also provide a more secure and reliable way for consumers to share and manage their financial data. 

The CFPB will also require that these APIs connections follow an approved standard and plans to designate Standard Setting Organizations (SSO). Across the industry, the Financial Data Exchange (FDX) has widespread adoption and aligns with many of the regulatory expectations, making it a likely contender as the first SSO. 

MX can help you understand what data is necessary to include in the API — for which use cases and account types, as well as nuances around formatting, errors, etc. We can also share best practices like how to implement an interoperable API following industry standards such as FDX, testing strategies, and launch timelines. 

In addition, MX makes it easier than ever for financial institutions of all sizes to accelerate open finance adoption and enhance the money experience for consumers through Data Access. The platform enables institutions to deliver a safe and secure connectivity experience for their customers. With consumer authorized and permissioned data sharing, customers gain visibility and control over which apps and institutions access their data — enabling them to grant, manage, and revoke access at any time. 

Why Open Finance is a Strategic imperative

Open Finance isn’t simply a check the box to meet forthcoming compliance and regulatory obligations. It provides significant benefits to consumers and financial services providers. 

Consumers gain more choice and control over the data they share and how they engage with their finances with the freedom and flexibility that Open Finance enables. And, they gain unparalleled access to a broader range of products and services. It also allows consumers to more easily connect their various financial accounts and data together into a single view — enabling a more seamless money experience. 

For financial services providers, Open Finance enables:

  • Better Fraud and Risk Management: By leveraging an open finance API rather than screen scraping, consumers never have to share their username and password, and financial providers eliminate the risk of sharing credentials.
  • More Accurate Customer Profiles: Financial providers can gain access to real-time consumer-permissioned financial data. This helps them better understand their customer needs and identify product and partnership opportunities.
  • Enhanced Customer Experiences: By putting consumers in the driver’s seat, financial providers can build trust and improve relationships, leading to greater customer satisfaction and loyalty. And, with better visibility into a consumer’s financial life, financial providers can deliver more personalized, intuitive experiences to meet them where they are.