Editor's Note: The final 1033 rule was released on October 22, 2024. This article has been updated to reflect Plaid's current understanding of the final rule. We will continue to update this article if our ongoing evaluation changes.
The Consumer Financial Protection Bureau (CFPB) has announced a rulemaking to implement Section 1033 of the Dodd-Frank Act with the aim of reinforcing consumers’ strong rights over their financial data in the US and providing greater certainty and rules of the road to the ecosystem. The final 1033 rule was released on October 22, 2024. For financial institutions and entities that provide bank accounts, credit or debit cards, digital wallets, and other covered financial data to authorized third parties, new regulatory requirements are on the horizon.
This is a positive step toward expanding open banking in the US and enabling greater consumer data transparency and protection. The rule requires data providers to make certain data available via a developer interface—or what’s known as an API. Application programming interfaces (APIs) integrate a data provider’s core platform with third-party data networks to enable secure data access.
In this article, we’ll provide insight into how Plaid can help data providers prepare to meet many of Section 1033's key compliance requirements.
Is your company a covered data provider under Section 1033?
The rule mainly covers two entities that are subject to different rules: data providers and third parties. Most data providers are financial institutions and fintechs, but there are some additional companies considered data providers.
According to Section 1033, a data provider is considered as one of the following:
Entities that hold a consumer's Regulation E account (e.g., checking or savings account) or issue Regulation Z credit cards
Entities that facilitate payments from Reg E accounts or Reg Z credit cards (e.g., digital wallets)
Other entities that control or possess information about a covered product or service from categories 1 or 2
These categories cover depository and non-depository entities like banks, credit unions, neobanks, BNPL providers, digital wallet providers, and others. Depository institutions with $850 million or less in assets are not covered by the final rule.
Can you be a data provider and an authorized third party?
Yes, open banking is increasingly a two-way street. It’s common for financial institutions and entities that are data providers to also act as authorized third parties under Section 1033.
Authorized third parties have historically been mostly fintech apps that use consumer-permissioned information from data providers to provide financial services to consumers. Increasingly, data providers like financial institutions enable consumers to link external accounts to their own products and services, in which case they may be acting as an authorized third party.
For an overview of the Section 1033 requirements for authorized third parties, check out our other article on that subject.
What does Section 1033 mean for data providers?
Under Section 1033, data providers have areas to focus on related to providing API-based data access and ensuring their APIs meet certain performance and reliability standards.
Various compliance timelines
The compliance timelines range from around 18 months to 5.5 years from the date the rule was released (October 22, 2024), depending on a data provider’s size. To find out what timeline your organization falls under, see below.
Plaid can help data providers with the following three key areas of focus under the rule:
1. Developer interface/APIs
Data providers are required to make covered data available at consumers' direction through a safe and reliable developer interface (i.e., API). APIs need to follow a qualified industry standard and have a response rate of at least 99.5%. Additionally, data providers need to provide and maintain documentation for a third party to access their API as well as identifying and contact information that enables a consumer or third party to receive answers to questions about accessing covered data.
2. Authorization & records
When a consumer authorizes sharing covered data with a third party, the data provider must make the data available, retain authorization records, and can optionally provide consumers with a way to revoke authorization.
3. App registration
To ensure data access, third parties need to make company details available and provide evidence of adequate data security to data providers.
Plaid’s solution supports Section 1033 readiness
Plaid works with data providers at different points on their open banking journey. Many have asked us how they can best prepare for the proposed Section 1033 requirements without creating new teams or business units. Plaid can support data providers with no-cost, easy-to-use products that simplify their compliance work.
Plaid’s vantage point as a network enables us to make data access faster, safer, and more seamless—even as new compliance requirements are introduced. Plaid has been a leader in driving the industry to API technology. Today, 80% of Plaid’s traffic is on or committed to APIs, and 7,000+ organizations have access to API connectivity.
Plaid has also been advancing security, transparency, and privacy controls for years as part of our open finance platform. Our goal is to create solutions that align with the ecosystem as a whole and with the Financial Data Exchange (FDX) standards, which is expected to be the industry standard-setting body for 1033 compliance.
Data providers can begin adopting Plaid’s open finance solution today to get ahead of their compliance timelines. The products include:
Core Exchange enables data providers to build an interoperable API that’s aligned to the FDX standard in as little as six weeks. Data providers can get started from a single dashboard—with testing tools and dedicated support from Plaid’s FDX experts.
Permissions Manager gives data providers visibility into their customers' account connections to Plaid-powered apps. Data providers can access authorization records via API to support internal compliance and due diligence. Data providers can also choose to build their own permissions portal, empowering their customers to view and disconnect their Plaid-connected apps anytime. Soon, authorization records will be available through a no-code dashboard that streamlines implementation and support for connection troubleshooting.
App Directory helps data providers to manage app registration at scale. Access detailed information about all the apps and services that customers are using on the Plaid network and get insights including category and number of customers connected to each app from a single dashboard. Or data providers can use our APIs to integrate into their internal dashboards and streamline processes across risk and compliance teams.
Plaid’s 1033 Roadmap: staying ahead of the industry’s needs and collaborating with data partners
Compliance is complex, especially when it concerns planning for new regulations that have a significant impact on your operations, but Plaid can help. We are committed to closely engaging with data providers to work together to provide better and safer financial experiences for consumers.
We’d love to hear from you to understand your Section 1033 compliance plan and to answer your questions. Please fill out the form below to contact Plaid.
Talk to an expert at Plaid to help you prepare for Section 1033 rulemaking
Additional resources to learn more about Section 1033 and how industry leaders are preparing for the rule:
American Banker webinar on preparing for open banking regulation, including opportunities and challenges for banks.
Fintech Takes: Preparing For The Next Era of Open Banking
OpenFinity webinar on how to comply with open banking, how to embrace the rule to drive growth for your business, and what the future of open banking looks like.
America’s Credit Unions’ podcast on CFPB’s Section 1033 Open Banking Rulemaking featuring Meredith Fuchs and Ben Maxim, the CIO of Michigan State Federal Credit Union (Plaid Partner), discussing 1033, forthcoming compliance obligations, strategies for implementing APIs, and what this rulemaking means for smaller institutions looking to meet consumers’ demand for digital financial services.
Rob Blackwell’s Banking with Interest podcast on The “Existential” CFPB Plan Banks Should Care About, featuring a discussion with Plaid’s Global Head of Policy, John Pitts, on what 1033 will mean in terms of opportunities and challenges for banks and credit unions of all sizes.
Meredith Fuchs on the State of Fintech podcast with FTA and NY Bar Association discussing the future of fintech and benefits of open banking and 1033
Two op-eds in American Banker magazine:
Glenbrook Partners podcast: How Open Banking is Reshaping the Financial Playing Field with John Pitts, Plaid.
Mr. Open Banking Podcast: Episode two on checks and balances with John Pitts discussing 1033.
How to Reduce Your Risk When Using Personal-Finance Apps from the Wall Street Journal.