Editor's Note: The final 1033 rule was released on October 22, 2024. This article has been updated to reflect Plaid's current understanding of the final rule. We will continue to update this article if our ongoing evaluation changes.
A long-awaited U.S. open banking rule is finally here: the Consumer Financial Protection Bureau (CFPB) officially released the final Dodd-Frank Section 1033 rule on October 22, 2024. This rule formalizes consumer rights for financial data access, which will also make it easier for consumers to benefit from the choices that open banking provides.
The final rule introduces new consumer protections to help ensure safe and secure data sharing. It helps consumers make better-informed decisions about sharing their financial data and puts them in control of that data. However, these protections also mean new compliance obligations for everyone in the ecosystem.
For third parties, non-compliance could mean losing access to data. In this article, we’ll cover what authorized third parties can do to meet the obligations the 1033 rule imposes.
Is your company an authorized third party under 1033?
Authorized third parties are entities that a consumer has authorized to receive their financial account information. These authorized third parties are often referred to as ‘data recipients.’ Examples include personal financial management apps, neobanks, retailers, and financial institutions that need a consumer's financial data to provide a service to that consumer. Consumers may choose to share their financial information with these entities, and access to this data can be facilitated by a data access platform like Plaid.
To learn what Plaid already is building for 1033 compliance, skip to the end. Otherwise, read on to learn more about what to expect.
→ Need to get ready for open banking regulation? See our Open Banking Readiness Guide, which includes a checklist of action items to help you prepare for 1033.
Do third parties have to achieve compliance on their own?
The good news is that Plaid has already developed solutions that help our customers meet many of these new compliance requirements in a post-1033 world, including authorization and risk management. Our compliance solutions are designed to reduce the engineering lift needed to meet these new obligations. Read on for more details on these compliance solutions.
Why is the 1033 rule good for the financial ecosystem?
The CFPB’s 1033 rule can help both consumers and the financial ecosystem, including fintechs and banks. Having ‘rules of the road’ adds more certainty, protects consumers, and promotes fair competition and consumer choice.
The final rule establishes several important requirements that will empower consumers to make better and more informed choices about their financial lives.
Movement to APIs and API reliability: Data providers will need to make data available via an API, which will need to have a minimum of 99.5% uptime. This requirement ensures consumers have access to their financial data regardless of where they bank. It will also accelerate the shift away from legacy technology like screen scraping and towards a future of 100% API access.
Data availability and consistency: Data providers will be required to facilitate API access to all the data needed for covered consumer use cases, including interest rates, fees charged, pending transactions, and a minimum of 24 months of transaction history. This requirement will expand data availability to help build more robust products.
Data transparency and privacy: Authorized third parties, including Plaid customers, must disclose information about how consumer data will be used. This requirement will further advance a safe and transparent ecosystem for consumers.
For more information on what the final rule establishes and which types of data are covered, check out our other article, What is 1033? Understanding CFPB Section 1033 Rule.
What are the key compliance requirements under the 1033 rule?
The following requirements are key areas in the Section 1033 rule where working with a data aggregator like Plaid can help authorized third parties manage compliance.
1. Authorization management
Authorization management governs how consent should be captured to maintain access to consumer data. It can be broken down into three parts:
Initial authorization capture: Section 1033 requires that authorized third parties obtain consumer authorization in order to access data, and that they use the data only as the consumer has consented. This requirement means providing clear disclosures about what data is collected and how the authorized third party will use it (e.g., lending).
Revocation: Authorized third parties must also ensure that consumers can revoke access to their financial data at any time in an accessible manner.
Reauthorization: Consumers will need to reauthorize their account connections every 12 months. Authorized third parties will need to capture this reauthorization in order to continue accessing consumer financial data.
All authorization changes need to be synced across the open banking ecosystem, so consumers see their changes reflected wherever they manage their permissions—whether at the third party, the access platform, or the data provider. That includes any consumer data deletions, which must be mirrored across all surfaces.
2. Record retention
Authorized third parties will need to be able to prove that they are compliant, which includes providing evidence that they are following the authorization management requirements outlined above. Those data recipients will need to show that their data usage is limited only to what Section 1033 permits.
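The three authorization events above (initial authorization, revocation, reauthorization) and the record retention obligation are easiest to reason about as one append-only consent ledger per user, from which a data recipient derives both "may I pull this data right now, for this purpose?" and the evidence trail it must keep. The following is an added example written for this article, not Plaid's code and not a Plaid API: the event names, the `source` field and the 365-day treatment of "every 12 months" are this example's assumptions, and the sample history is constructed.

```python
"""Consent ledger for an authorized third party (constructed example).

An append-only log of authorization events per user. From it we derive
(a) the current access state and the disclosed purposes, and
(b) a chronological record suitable for record retention.
Event kinds, field names and REAUTH_WINDOW are assumptions of this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional, Tuple

# The rule requires reauthorization every 12 months. This example treats the
# window as 365 days from the most recent grant (an assumption; set per policy).
REAUTH_WINDOW = timedelta(days=365)

GRANT_KINDS = {"authorize", "reauthorize"}
VALID_KINDS = GRANT_KINDS | {"revoke"}


@dataclass(frozen=True)
class ConsentEvent:
    user_id: str
    kind: str                       # "authorize" | "reauthorize" | "revoke"
    at: datetime                    # must be timezone-aware
    purposes: Tuple[str, ...] = ()  # uses disclosed to the consumer at grant time
    source: str = "app"             # where the change was made (app, access platform, data provider)

    def __post_init__(self) -> None:
        if self.kind not in VALID_KINDS:
            raise ValueError(f"unknown event kind {self.kind!r}")
        if self.at.tzinfo is None:
            raise ValueError("event timestamps must be timezone-aware")


def access_status(events: Iterable[ConsentEvent], now: datetime) -> Tuple[str, Optional[datetime], Tuple[str, ...]]:
    """Return (state, expires_at, purposes) as of `now`.

    state is "none" (never authorized), "active", "expired" (no grant within
    REAUTH_WINDOW) or "revoked". Events dated after `now` are ignored, so the
    same function answers "was access valid at time T?" for audit purposes.
    """
    last_grant_at: Optional[datetime] = None
    purposes: Tuple[str, ...] = ()
    revoked = False
    for ev in sorted(events, key=lambda e: e.at):
        if ev.at > now:
            break
        if ev.kind in GRANT_KINDS:
            last_grant_at = ev.at
            purposes = ev.purposes or purposes  # a reauthorization with no new purposes renews the disclosed ones
            revoked = False                      # a fresh grant after a revocation re-enables access
        else:
            revoked = True
    if last_grant_at is None:
        return "none", None, ()
    expires_at = last_grant_at + REAUTH_WINDOW
    if revoked:
        return "revoked", expires_at, purposes
    if now >= expires_at:
        return "expired", expires_at, purposes
    return "active", expires_at, purposes


def may_use_for(events: Iterable[ConsentEvent], purpose: str, now: datetime) -> bool:
    """Data may be accessed only while authorization is active, and only for a disclosed purpose."""
    state, _, purposes = access_status(events, now)
    return state == "active" and purpose in purposes


def retention_record(events: Iterable[ConsentEvent]) -> List[dict]:
    """Chronological evidence trail, one row per authorization event, for record retention."""
    return [
        {"user_id": e.user_id, "event": e.kind, "at": e.at.isoformat(),
         "purposes": list(e.purposes), "source": e.source}
        for e in sorted(events, key=lambda e: e.at)
    ]


# Constructed sample history for one user: authorized for lending, renewed
# from a consumer-facing portal before the window closed, later revoked at the bank.
UTC = timezone.utc
SAMPLE_EVENTS = [
    ConsentEvent("u1", "authorize", datetime(2024, 1, 10, tzinfo=UTC), ("lending",)),
    ConsentEvent("u1", "reauthorize", datetime(2024, 12, 1, tzinfo=UTC), source="portal"),
    ConsentEvent("u1", "revoke", datetime(2025, 6, 1, tzinfo=UTC), source="data_provider"),
]

if __name__ == "__main__":
    for when in (datetime(2024, 6, 1, tzinfo=UTC), datetime(2025, 1, 15, tzinfo=UTC), datetime(2025, 7, 1, tzinfo=UTC)):
        print(when.date(), access_status(SAMPLE_EVENTS, when))
    for row in retention_record(SAMPLE_EVENTS):
        print(row)
```

Two design points matter in practice: the ledger is append-only (a revocation is recorded as an event, never by deleting the grant), which is what makes the retention record trustworthy; and the expiry is computed from the most recent grant at query time rather than stored, so a late-synced revocation or reauthorization from another surface (access platform or data provider) changes the answer without any state repair.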
3. App registration
Authorized third parties accessing consumer data will need to provide certain company details to data providers to help verify their legitimacy. These requirements include fields such as legal entity name, legal entity identifier (LEI), contact information, and website URL. Data recipients will also need to provide evidence of adequate security practices.
Some of these fields may already have been shared with data aggregators like Plaid during onboarding. A few, such as the legal entity identifier, are new fields that will now be required to secure data access under Section 1033. There may also be other enhancements and oversight processes needed to meet Section 1033 requirements for security risk management.
For a detailed explanation of these requirements and their implications for your company, check out the Plaid Tech Talk video below, titled ‘Navigating the final 1033 rule.'
How can Plaid help?
Preparing for 1033 compliance is no small effort, but the good news is that Plaid has invested significant resources to support our customers in their 1033 journey. Our vantage point as a network, partnering with both third parties and data providers, allows us to make data access faster, safer, and more seamless for everyone.
Plaid has been advancing security, transparency, and privacy controls for years as part of our open finance platform and is well-positioned to meet forthcoming requirements. Back in 2022, we launched Plaid Portal, which enables consumers to easily view their authorization details and manage their third-party connections (including revocation). Our account linking flow (Plaid Link) includes best-in-class conversion while streamlining authorization capture via Data Transparency Messaging. Plaid customers can configure and enable Data Transparency Messaging (DTM) now from the Dashboard. Leading up to the data provider tiered compliance dates, Plaid will gradually turn on DTM for customers to assist with compliance with these new regulatory requirements. See our API docs to learn more.
Update Mode is a feature of Link that can streamline reauthorization capture every 12 months as required under the final rule. Customers can get started by integrating with Update Mode to be prepared for this requirement.
For record retention, we introduced the User Consent Events API, which enables customers to retrieve a history of authorizations, reauthorizations, and revocations for their users as required under 1033.
Finally, Plaid’s Compliance Center in the Dashboard helps customers review and fill in any missing business information that is required under 1033, such as legal entity name, legal entity identifier (LEI), contact information (email), and website URL. Register for an LEI by following the instructions in our readiness guide. Once the information is complete, Plaid will share it on behalf of our customers with data providers as needed to enable data access.
All of these tools complement our solutions for data providers (such as Core Exchange, Permissions Manager and App Directory), which today are used by some of the largest U.S. banks to empower their internal teams with the data they need to confidently meet compliance obligations.
Questions about how your business can prepare for Section 1033 compliance? We want to hear from you. Reach out to your Plaid account manager or contact us by filling out the form below.