Editor's Note: The final 1033 rule was released on October 22, 2024. This article has been updated to reflect Plaid's current understanding of the final rule. We will continue to update this article if our ongoing evaluation changes.
A long-awaited U.S. open banking rule is finally here: Dodd-Frank Section 1033 from the Consumer Financial Protection Bureau (CFPB) was officially released on October 22, 2024. This rule formalizes consumers’ right to access and share their financial data, which makes it easier for consumers to benefit from the better competition and more choices that open banking provides.
The final regulation introduces new protections for consumers to help ensure safe and secure data sharing. It helps consumers make better-informed decisions about sharing their financial data and puts them in control of that data. However, these protections also mean new compliance obligations for everyone in the ecosystem.
Lack of compliance for third parties could mean losing access to data. In this article, we’ll cover what authorized third parties can do to meet those obligations that the 1033 rule imposes.
Is your company an authorized third party under 1033?
Authorized third parties are companies that are authorized by a consumer to receive financial account information. ‘Data recipients’ or even ‘fintechs’ are other terms you may see used to refer to this group. Consumers may choose to share their financial information with these entities, oftentimes facilitated by a data access platform like Plaid.
Authorized third parties can be personal financial management apps, neobanks, retailers, financial institutions, and many other companies with use cases powered by consumers’ ability to access and share their financial data. Plaid customers are generally considered authorized third parties.
To learn what Plaid already is building for 1033 compliance, skip to the end. Otherwise, read on to learn more about what to expect.
→ Need to get ready for open banking regulation? See our Open Banking Readiness Guide, which includes a checklist of action items to help you prepare for 1033.
Do third parties have to achieve compliance on their own?
Fortunately, no. Third parties can choose to work with their data access platform partners (like Plaid) to help meet many of their key new compliance requirements in a post-1033 world—including authorization and risk management.
That means you don’t have to devote internal resources from already strapped engineering and compliance teams to something that isn’t your core product. Read on for more details on how Plaid is building solutions that help offload our customers’ new obligations.
Why is the 1033 rule good for the financial ecosystem?
The CFPB’s 1033 rule helps both consumers and the financial ecosystem—including fintechs, banks, and everyone in between. Having ‘rules of the road’ adds more certainty, protects consumers, and promotes fair competition and better consumer choices.
The final rule establishes several important requirements that will empower consumers to make better and more informed choices about their financial lives:
Movement to APIs and API reliability: Data providers will need to make data available via an API, which will need to have a minimum of 99.5% uptime. This ensures consumers have access to their financial data regardless of where they bank. It will also accelerate the shift away from legacy technology like screen scraping, and toward a future of 100% API access.
Data availability and consistency: Data providers will be required to provide API access to all the data needed to support covered core consumer use cases, including the interest rates and fees they charge, pending transactions, and a minimum of 24 months of transaction history. This will help you build better products and better meet your users’ needs.
Data transparency and privacy: Authorized third parties (like Plaid customers) must disclose information about the data they’re asking consumers to share and how the data will be used. This will further advance a safe and transparent ecosystem for consumers.
For more information on what the final rule establishes and which types of data are covered, check out our other article, What is 1033? Understanding CFPB Section 1033 Rule.
What are the key compliance requirements under the 1033 rule?
The following requirements are key areas in the Section 1033 rule where working with a data aggregator like Plaid can help authorized third parties manage compliance.
1. Authorization management & data deletion
Authorization management governs how consent should be captured, and how often, to maintain access to consumer data. It can be broken down into three parts:
Initial authorization capture: Section 1033 requires that authorized third parties capture the authorization and permissions that consumers are giving them—or have an access platform capture authorization for them. This means clearly disclosing to the consumer details about the data being collected to power their desired use case (e.g. lending), and receiving the consumer’s consent to do so.
Revocation: Third parties must also ensure that consumers can revoke access to their financial data at any time, and make it accessible for them to do so.
Reauthorization: Under the final rule, consumers will need to reauthorize their account connections every 12 months to ensure that their chosen third parties can continue accessing their data. Third parties will need to surface and capture this reauthorization or have a data aggregator do it for them.
All authorization changes need to be synced across the open banking ecosystem, so consumers see their changes reflected wherever they manage their permissions—whether at the third party, the access platform, or the data provider. That includes any consumer data deletions, which must be mirrored across all surfaces.
2. Record retention
Authorized third parties will need to be able to prove that they’re compliant. This includes providing evidence that they are following the authorization management requirements outlined above. They will also need to show that their data usage is limited to what Section 1033 permits and that they received consent from the consumer during authorization.
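The authorization-management steps above (initial capture, revocation, reauthorization every 12 months) and the record-retention requirement fit naturally together as an append-only ledger of consent events that can be queried for a consumer's current permission at any point in time. The following is an added illustrative example, not Plaid's code and not any Plaid API; the event kinds, the `ConsentLedger` class, the 365-day reauthorization window, and the sample consumer data are all assumptions constructed for this example.

```python
"""
Illustrative consent ledger for an authorized third party (added example).

Models three authorization-management steps (capture, revocation,
reauthorization every 12 months) as an append-only log of events. Because the
log is never rewritten, its history doubles as record-retention evidence:
it shows when consent was given, for which data and purpose, and when it ended.
All names and the 365-day window are assumptions, not Plaid's implementation.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumption: "every 12 months" is modelled as a fixed 365-day window.
REAUTH_WINDOW = timedelta(days=365)

AUTHORIZED = "authorized"
REAUTH_REQUIRED = "reauthorization_required"
NO_AUTHORIZATION = "no_authorization"


@dataclass(frozen=True)
class ConsentEvent:
    kind: str                 # "authorize" | "reauthorize" | "revoke"
    consumer_id: str
    scopes: tuple            # data categories disclosed and agreed to, e.g. ("transactions",)
    use_case: str            # purpose disclosed to the consumer, e.g. "budgeting"
    at: datetime             # must be timezone-aware so retention evidence is unambiguous


class ConsentLedger:
    """Append-only store of consent events; nothing is ever edited or deleted."""

    def __init__(self) -> None:
        self._events: list = []

    def record(self, event: ConsentEvent) -> None:
        if event.at.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        if event.kind not in ("authorize", "reauthorize", "revoke"):
            raise ValueError(f"unknown event kind {event.kind!r}")
        self._events.append(event)

    def history(self, consumer_id: str) -> list:
        """Full chronological record for one consumer (the retention evidence)."""
        return sorted(
            (e for e in self._events if e.consumer_id == consumer_id),
            key=lambda e: e.at,
        )

    def current_grant(self, consumer_id: str, now: datetime) -> Optional[ConsentEvent]:
        """Replay events up to `now`: grants set the permission, a revoke clears it."""
        grant = None
        for e in self.history(consumer_id):
            if e.at > now:
                break  # ignore events after the point in time being queried
            if e.kind in ("authorize", "reauthorize"):
                grant = e
            elif e.kind == "revoke":
                grant = None
        return grant

    def access_status(self, consumer_id: str, now: datetime) -> str:
        """Is access currently permitted, expired (needs reauth), or absent?"""
        grant = self.current_grant(consumer_id, now)
        if grant is None:
            return NO_AUTHORIZATION
        if now - grant.at > REAUTH_WINDOW:
            return REAUTH_REQUIRED
        return AUTHORIZED

    def scope_permitted(self, consumer_id: str, scope: str, now: datetime) -> bool:
        """Data-minimisation check: only fetch a category the consumer agreed to."""
        grant = self.current_grant(consumer_id, now)
        return (
            self.access_status(consumer_id, now) == AUTHORIZED
            and scope in grant.scopes
        )

    def reauthorization_due(self, consumer_id: str, now: datetime) -> Optional[datetime]:
        """When to surface the 12-month reauthorization prompt (None if no grant)."""
        grant = self.current_grant(consumer_id, now)
        return None if grant is None else grant.at + REAUTH_WINDOW


if __name__ == "__main__":
    # Constructed sample data for a single consumer.
    ledger = ConsentLedger()
    t0 = datetime(2025, 1, 15, tzinfo=timezone.utc)
    ledger.record(ConsentEvent("authorize", "c1", ("transactions", "balances"), "budgeting", t0))
    print(ledger.access_status("c1", t0 + timedelta(days=400)))   # reauthorization_required
    print(ledger.reauthorization_due("c1", t0))                   # 2026-01-15 00:00:00+00:00
```

A point-in-time query (`current_grant` with an earlier `now`) is what lets the same ledger answer both the live question "may I fetch this data right now?" and the retention question "was this consumer's consent valid when the data was pulled on that date?".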
3. Onboarding
Under the final rule, third parties accessing consumer data will need to provide certain company details to data providers to help verify that they are a legitimate entity. This includes fields such as legal entity name, legal entity identifier (LEI), contact information, and website URL. Third parties will also need to provide evidence of adequate security practices.
Some of these fields may be ones that you have already shared with your data aggregator while onboarding. A few, such as legal entity identifier, are new fields that will now be required under Section 1033. You should expect to hear from your data aggregator in the coming months on how to provide this data to secure your access.
As the rule comes into effect, you may see enhancements to onboarding and oversight processes to meet Section 1033 requirements and regulator and data providers’ expectations for security risk management.
For a detailed explanation of these requirements and their implications for your company, check out the video below from our tech talk on navigating the final 1033 ruling.
How can Plaid help?
Preparing for 1033 compliance is no small effort, but it is an area where Plaid continues to invest significant resources to support our customers. Our vantage point as a network, partnering with both third parties and data providers, enables us to make data access faster, safer, and more seamless for everyone, even as compliance obligations rise.
Plaid has been advancing security, transparency, and privacy controls for years as part of our open finance platform and is well-positioned to meet forthcoming requirements. Back in 2022, we launched Plaid Portal, which enables consumers to easily view their authorization details and control third-party connections (including revocation). By the end of the year, we’ll be adding new authorization details to provide consumers with even more visibility while helping customers to meet their 1033 obligations.
Our account linking flow (Plaid Link) includes best-in-class conversion while streamlining authorization capture via Data Transparency Messaging (DTM). Plaid customers can configure and enable Data Transparency Messaging now from the Dashboard. Leading up to the third-party compliance dates, Plaid will gradually turn on DTM for our customers to assist with compliance with these new regulatory requirements. See our API docs to learn more.
Update Mode is a feature of Link that can streamline reauthorization capture every 12 months as required under the final rule. Customers can get started by integrating with Update Mode to be prepared for this requirement.
For record retention, we introduced consent logs, which will enable customers to retrieve a history of authorizations, reauthorizations, and revocations for their users as required under 1033.
Finally, Plaid’s Compliance Center in the Dashboard helps customers review and fill in any missing business information that is required under 1033, such as legal entity name, legal entity identifier (LEI), contact information (email), and website URL. Register for an LEI by following the instructions in our readiness guide. Once the information is complete, Plaid will share it on behalf of our customers with data providers as needed to enable data access.
All of these tools complement our solutions for data providers (such as Core Exchange, Permissions Manager, and App Directory), which today are used by some of the largest U.S. banks to give their internal teams the data they need to confidently meet compliance obligations.
Questions about how your business can prepare for Section 1033 compliance? We want to hear from you. Reach out to your Plaid account manager or contact us by filling out the form below.