The Consumer Financial Protection Bureau (CFPB) acted with caution this morning (October 22) as it promulgated the final version of the long-awaited Rule 1033 regarding personal financial data rights. As expected, this rule will be an important step toward open banking in the United States. But the rules also eased regulations on payment apps, leaving room for credit unions and community banks to compete with larger financial institutions.
The rule implements Section 1033 of the Dodd-Frank Act and is designed to give consumers more control over their financial data and the ability to share it securely with third-party service providers. Under the new rules, banks, credit unions, and other financial institutions will be required to provide consumers’ financial data upon request to both consumers and authorized third parties. This data includes transaction, cost, fee, and usage information related to consumers’ savings accounts, credit cards, and payment services.
The CFPB’s scope is much broader than expected, encompassing data from not only bank accounts but also payment apps and digital wallets. “Digital wallet providers hold similar valuable data that provides a complete picture of a consumer’s financial situation,” a passage in the regulation reads. “Today, digital wallets can initiate payments from multiple credit cards, prepaid accounts, and checking accounts.” This indicates that digital wallets and payment apps that facilitate payments from covered accounts are subject to this rule. The document also states that digital wallet providers are generally considered data providers under this regulation, even if they only facilitate pass-through payments from other accounts.
The regulations also set strict guidelines for third parties seeking access to consumer data. These entities must obtain explicit consumer consent, limit data collection and use to what is necessary to provide the requested service, and implement data security measures. The rule also prohibits the use of consumer data for targeted advertising or sales to other parties. Banks need to move away from less secure practices like screen scraping and develop standardized APIs and other secure methods for data sharing. The rules also prohibit institutions from charging fees for data access.
The CFPB is taking a phased approach to the rollout, initially focusing on deposit accounts, credit cards, and payment services. Large financial institutions will have to comply first, and the compliance date will be staggered from 2026 to 2030, depending on the size of their assets. Specifically, depository institutions with assets of $850 million or less are exempt from the requirements of this rule.
There was little reaction at press time as the final draft of the regulations was released early in the morning. Greg Baer, Chairman and CEO of Bank Policy Institute, issued the following statement: “Banks have been working for years to create secure ways to share customer data whenever customers ask. The CFPB’s rules disrupt this well-established process and require banks to share financial data with third parties without adequate safeguards in place to ensure the data is protected from fraud, misuse, and abuse.”