*Editor's Note: The final 1033 rule has not been published. This article reflects Plaid’s understanding of the proposed rule as released in October 2023. We will continue to update this article as new information becomes available
A long-awaited U.S. open banking rule is almost here. Announced back in October 2023, the new rule by the Consumer Financial Protection Bureau (CFPB), known as Dodd-Frank Section 1033, is set to be finalized in 2024 and promises to further formalize consumers’ right to access and share their financial data.
This is a positive step. The forthcoming rule will guarantee that access—making it easier than ever for consumers to benefit from the innovation, competition, and choice that open banking provides.
The proposed regulation will also introduce new protections for consumers to help ensure safe and secure data sharing. It will help consumers make better-informed decisions about sharing their financial data and put them in control of that data. However, these protections mean new compliance obligations for everyone in the ecosystem.
Is your company an authorized third party under 1033?
Authorized third parties are companies that are authorized by a consumer to receive financial account information. ‘Data recipients’ or even ‘fintechs’ are other terms you may see used to refer to this group. Consumers may choose to share their financial information with these entities, oftentimes facilitated by a data access platform like Plaid.
Authorized third parties can be personal financial management apps, neobanks, retailers, financial institutions, and many other companies with use cases powered by consumers’ ability to access and share their financial data. Plaid customers are generally considered authorized third parties.
As currently proposed, the rule will become effective just 60 days after it is finalized. And under the proposed rule, a lack of compliance for third parties can mean losing access to data.
The time is short and the stakes are high—but don’t worry. In this article, we’ll cover how authorized third parties can start preparing now for some of the new obligations the 1033 rule may impose.
To learn what Plaid already is building for 1033 compliance, skip to the end. Otherwise, read on to learn more about what to expect.
Do third parties have to achieve compliance on their own?
Fortunately, no. Third parties can choose to work with their data access platform partners (like Plaid) to help meet many of their key new compliance requirements in a post-1033 world—including authorization and risk management.
That means you don’t have to devote internal resources from already strapped engineering and compliance teams to something that isn’t your core product. Read on for more details on how Plaid is building solutions that help offload our customers’ new obligations.
Why is the 1033 rulemaking good for the financial ecosystem?
The CFPB’s 1033 rulemaking is good for consumers and good for the financial ecosystem—including fintechs, banks, and everyone in between. Having ‘rules of the road’ adds more certainty, protects consumers, and promotes fair competition and better consumer choices.
The proposed ruling will set in place several important standards that will empower consumers to make better and more informed choices about their financial lives:
Movement to APIs and API reliability: Data providers will need to make data available via an API, which will need to have a minimum of 99.5% uptime. This ensures consumers have access to their financial data regardless of where they bank. It will also accelerate the shift away from legacy technology like screen scraping, and toward a future of 100% API access.
Data availability and consistency: Data providers will be required to facilitate API access to all the data needed to facilitate covered core consumer use cases, including interest rates and fees they charge, pending transactions, and a minimum of 24 months of transaction history. This will help you build better products and better meet your users’ needs.
Data transparency and privacy: Authorized third parties (like Plaid customers) must disclose information about the data they’re asking consumers to share and how the data will be used. This will further advance a safe and transparent ecosystem for consumers.
For more information on what the proposed rulemaking will establish and exactly what types of data are covered, check out our other article, What is 1033? Understanding CFPB Section 1033 Rulemaking.
What are the key compliance requirements under the proposed 1033 rule?
The following three requirements in the proposed section 1033 rule will impact authorized third parties, but working with a data access platform like Plaid can help manage compliance.
1. Authorization management & data deletion
Authorization management governs how consent should be captured, and how often, to maintain access to consumer data. It can be broken down into three parts:
Initial authorization capture: Section 1033 requires that authorized third parties capture the authorization and permissions that consumers are giving them—or have an access platform capture authorization for them. This means clearly disclosing to the consumer details about the data being collected to power their desired use case (e.g. lending), and receiving the consumer’s consent to do so.
Revocation: Third parties must also ensure that consumers can revoke access to their financial data at any time, and make it accessible for them to do so.
Reauthorization: Under the proposed rule, consumers will need to reauthorize their account connections every 12 months to ensure that their chosen third parties can continue accessing their data. Third parties will need to surface and capture this reauthorization or have an access platform do it for them.
All authorization changes need to be synced across the open banking ecosystem, so consumers see their changes reflected wherever they manage their permissions—whether at the third party, the access platform, or the data provider. That includes any consumer data deletions, which must be mirrored across all surfaces.
2. Record retention
Authorized third parties will need to be able to prove that they’re compliant. This includes providing evidence that you are following the authorization management requirements outlined above. Also, you’ll need to show that your data usage is limited only to what Section 1033 permits and that you received consent from the consumer during authorization.
3. Risk management and data security
Under the proposed rule, third parties accessing consumer data will need to provide certain company details to data providers to help verify you are a legitimate entity. This includes fields such as Legal Entity Name, Contact Information, and Website URL. Third parties will also need to provide evidence of adequate security practices.
Some of these fields may be ones you already share with your data access platform during onboarding. A few, such as Legal Entity Identifier, are new fields that will be required if the proposed 1033 rule is finalized. You should expect to hear from your data access platform in the coming months on how to provide this data to secure your access.
As the rule comes into effect, you may see enhancements to onboarding and oversight processes to meet Section 1033 requirements and regulator and data providers’ expectations for security risk management.
How can Plaid help?
Preparing for 1033 compliance is no small effort, but an area where Plaid continues to invest significant resources to support our customers. Our vantage point as a network, partnering with both third parties and data providers, enables us to make data access faster, safer, and more seamless for everyone, even as compliance obligations rise.
Plaid has been advancing security, transparency, and privacy controls for years as part of our open finance platform and is well-positioned to meet forthcoming requirements. Back in 2022, we launched Plaid Portal, which enables consumers to easily view and control third-party connections (including revocation). Soon, it will also be ready to use by our customers to help meet their new compliance obligations. Our Plaid Link account linking flow includes best-in-class conversion while championing transparency (Data Transparency Messaging is currently in beta).
These tools complement our solutions for data providers (such as Core Exchange and Permissions Manager), which today are used by some of the largest U.S. banks to empower their internal teams with the data they need to confidently meet compliance obligations.
We are continuing to look ahead of industry changes, investing in deep experimentation and development to build compliance tools for you that minimize friction and optimize user onboarding conversion. Stay tuned for upcoming new solutions in the coming months to help our customers meet their new 1033 obligations.
Questions about your business can prepare for Section 1033 compliance? We want to hear from you. Reach out to your Plaid account manager or contact us by filling out the form below.