Section 1033: What data providers need to know

Section 1033 compliance requirements for covered data providers are expected later this year, but preparing for them doesn't have to be overwhelming or complex.

June 25, 2024

Jimmy Hang

Jimmy Hang is a product marketer at Plaid focused on open finance and delivering safe and seamless financial experiences to consumers. He's passionate about financial technology and consumer privacy.

Editor's Note: The final Section 1033 rule has not been published. This article reflects Plaid’s understanding of the proposed rule released in October 2023. We will continue to update this article as new information becomes available.

The Consumer Financial Protection Bureau (CFPB) has announced a rulemaking to implement Section 1033 of the Dodd-Frank Act with the aim of reinforcing consumers’ strong rights over their financial data in the US and providing greater certainty and rules of the road to the ecosystem. The rule is expected to be finalized in Fall 2024. For financial institutions and entities that provide bank accounts, credit or debit cards, and other covered financial data to authorized third parties, new regulatory requirements are on the horizon.

This is a positive step toward expanding open banking in the US and enabling greater consumer data transparency and protection. As currently drafted, the proposed rule will require data providers to make certain data available via a developer interface—or what’s known as an API. Application programming interfaces (APIs) integrate a data provider’s core platform with third-party data networks to enable secure data access. 

In this article, we’ll provide insight into how data providers can prepare for Section 1033's expected compliance requirements and how Plaid can help. 

Is your company a covered data provider under Section 1033? 

The proposed rule mainly covers two entities that are subject to different rules: data providers and third parties. Most data providers are financial institutions and fintechs, but there are some additional companies considered data providers.

According to Section 1033, a data provider is one of the following:

  1. Entities that hold a consumer's account or provide access to electronic fund transfer (EFT) services. This includes depository and non-depository entities like banks, credit unions, neobanks, and others.

  2. Issuers of consumer credit cards.

  3. Other entities that control or possess information about a covered financial product or service from categories 1 and 2 above. This includes digital wallets. 

Can you be a data provider and an authorized third party? 

Yes, open banking is increasingly a two-way street. It’s common for financial institutions and entities that are data providers to also act as authorized third parties under Section 1033. 

Authorized third parties have historically been mostly fintech apps that use consumer-permissioned information from data providers to provide financial services to consumers. Increasingly, data providers like financial institutions enable consumers to link external accounts to their own products and services, in which case they may be acting as an authorized third party. 

For an overview of the proposed Section 1033 requirements for authorized third parties, check out our other article on that subject.

What does Section 1033 mean for data providers?

Under the proposed Section 1033 rule, data providers will need to focus on providing API-based data access and ensuring their APIs meet certain performance and reliability standards.

Various compliance timelines

The proposed timelines range from six months to four years from the date the rule goes into effect, depending on a data provider’s size. Keep in mind that these timelines could change in the final rule, but to find out what timeline your organization tentatively falls under, see below. 

For data providers, there are three key areas to focus on under the proposed rule:

1. Developer interface/APIs

Data providers would be required to make covered data available at consumers' direction through a safe and reliable developer interface (i.e. API). APIs will need to follow a qualified industry standard and have a response rate of at least 99.5%. Additionally, data providers will need to provide and maintain documentation for a third party to access their API as well as identifying and contact information that enables a consumer or third party to receive answers to questions about accessing covered data.

2. Authorization & records

When a third party (which includes aggregators) provides certain information about a consumer's authorization, the data provider must make specified covered information available to the third party. Authorization records must be retained, and optionally, data providers can provide consumers with a way to revoke authorization.  

3. Third-party onboarding

To ensure data access, third parties need to make company details available and provide evidence of adequate data security to data providers.

Plaid’s solutions support Section 1033 readiness

Plaid works with data providers at different points on their open banking journey. Many have asked us how they can best prepare for the proposed Section 1033 requirements without creating new teams or business units. Plaid can support data providers with no-cost, easy-to-use solutions that simplify their compliance work. 

Plaid’s vantage point as a network enables us to make data access faster, safer, and more seamless—even as new compliance requirements are introduced. Plaid has been a leader in driving the industry to API technology. Today, 80% of Plaid’s traffic is on or committed to APIs, and 7,000+ organizations have access to API connectivity.

Plaid has also been advancing security, transparency, and privacy controls for years as part of our open finance platform. Our goal is to create solutions that align with the ecosystem as a whole and with the Financial Data Exchange (FDX) standards—as we anticipate that the final 1033 rule will accept FDX specifications as an open banking API standard. 

With a final rule expected later this year, data providers can begin adopting Plaid’s open finance solutions. These include:

  • Core Exchange enables data providers to build an interoperable API that’s aligned to the FDX standard in as little as six weeks. Data providers can get started from a single dashboard—with testing tools and dedicated support from Plaid’s FDX experts.

  • Permissions Manager gives data providers visibility into their customers' account connections to Plaid-powered apps. Data providers can access authorization records via API to support internal compliance and due diligence. Data providers can also choose to build their own permissions portal, empowering their customers to view and disconnect their Plaid-connected apps anytime. Soon, authorization records will be available through a no-code dashboard that streamlines implementation and support for connection troubleshooting. 

  • Plaid’s Risk & Oversight Program currently screens authorized third parties before they can access data through Plaid. We’re updating this program to reflect Section 1033’s requirements. Data providers will have visibility into the authorized third parties on the Plaid network that access their customers’ data using a new solution, App Directory. App-level insights will be available soon through a no-code dashboard or API.

Plaid’s 1033 Roadmap: staying ahead of the industry’s needs and collaborating with data partners

Compliance is complex, especially when it concerns planning for new regulations that have yet to be finalized. We are committed to closely monitoring developments and continuing to engage with data providers to work together to provide better and safer financial experiences for consumers. 

We’d love to hear from you to understand how you’re planning for the Section 1033 rulemaking and answer your questions. Please fill out the form below to contact Plaid.
