Garris Horn LLP


CFPB’s Open Banking Rule: Consumer Access to Data, Compliance Obligations for Banks and Fintechs

In July 2010, the Dodd-Frank Wall Street Reform and Consumer Protection Act[i] (Dodd-Frank Act) was signed into law. Title X of the Dodd-Frank Act, also known as the Consumer Financial Protection Act[ii] (CFPA), was best known for establishing the Consumer Financial Protection Bureau[iii] (CFPB), but it also contained another rather innocuous section, Section 1033.[iv] Section 1033’s main requirement is only a few sentences long, and it simply establishes a consumer’s right to access their financial information held by financial institutions. But that right only takes effect after a CFPB rulemaking implementing the provision.

On October 22, 2024, 14 years later, the CFPB finally issued its final rule implementing Section 1033 (“Rule 1033”). This 594-page final rule mandates that “data providers” make “covered data” related to financial products and services accessible to consumers and authorized third parties in electronic format, adhering to the rule’s specific requirements. Additionally, the rule establishes criteria that third parties must meet to qualify as authorized, including a certification that they will comply with obligations for the collection, use, and retention of “covered data.” The rule provides specific definitions for each of these terms.

Rule 1033 not only reflects a growing awareness of the importance of consumer control over personal data, but also creates a legal framework that requires a certain level of interoperability between financial institutions and Fintech companies. This framework appears to be working toward what is referred to as an open-banking system. This interoperability should lead to a greater level of data access that will ultimately encourage competition among financial institutions. It should also have the ancillary benefits of giving consumers access to educational third-party technologies, leading to greater financial literacy, and of pushing financial institutions to innovate in order to provide consumers with better service and more affordable consumer credit products and services.

Covered Entities and Covered Consumer Financial Products and Services

Rule 1033 applies to “data providers,” which include “financial institutions” as defined under Regulation E and “card issuers” as defined under Regulation Z that offer a “covered consumer financial product or service.” A “financial institution” generally means a depository institution, such as a bank, savings association, or credit union, but can include a non-depository institution that offers payment accounts using an access device. “Card issuers” can include non-depository companies that issue credit cards.

“Covered consumer financial products or services” are defined to mean an “account” as defined under Regulation E or a “credit card” as defined under Regulation Z, and the facilitation of payments from such accounts.

Consumer Data Access Rights

At the heart of Rule 1033 is the consumer’s right to access their financial data. Rule 1033 sets forth what financial data is “covered data” that data providers must make available. The rule requires that consumers be able to access “covered data” in a manner that is timely, comprehensive, and usable. The data provider must also maintain both a consumer-facing interface and a developer interface through which the data can be accessed. The rule also prohibits charging consumers fees for maintaining the required interfaces or for receiving or responding to requests for data.

Covered data includes information about the consumer’s account and transactions, such as payment amounts, payees, and account balances, account numbers, terms of the product or service, upcoming bill information, and basic account verification information. However, the rule excludes certain sensitive data, such as proprietary business information or data related to fraud investigations, from mandatory disclosure. Financial institutions will need to implement data-segmentation protocols to ensure that only covered data is made available to consumers.

Data Portability and Third-Party Data Access

In addition to providing direct access to consumers, Rule 1033 also emphasizes data portability. This refers to a consumer’s ability to transfer their financial data to third parties, such as Fintech providers, for the purpose of using alternative financial products or services. Under the rule, financial institutions must enable consumers to authorize the sharing of their data with these third parties in a secure and efficient manner. Financial institutions will need to establish secure Application Programming Interfaces (APIs) or other data-sharing mechanisms to allow for this type of access. Importantly, institutions must ensure that these mechanisms adhere to strict security and privacy standards to prevent unauthorized access or data breaches. Institutions may face liability if they fail to protect consumer data during the transfer process.

Data Security and Privacy Obligations

One of the most critical aspects of Rule 1033 for financial institutions is its emphasis on data security and privacy. Financial institutions are required to implement security measures for their developer interfaces that ensure the safe transmission and storage of consumer financial data. Such measures may include encrypting data, authenticating access requests, and monitoring for unauthorized access attempts. Note that the rule requires data providers to authenticate the identities of consumers and third parties that make data requests.

Additionally, institutions must grapple with how Rule 1033 interfaces with existing privacy laws, including the Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act (FCRA), when handling consumer data. These laws impose specific obligations regarding the safeguarding of nonpublic personal information (NPI) and the appropriate use of consumer data. Financial institutions must, therefore, take a proactive approach to reviewing their privacy obligations and data security protocols to ensure compliance with these overlapping regulatory frameworks.

Institutions should also consider the role of third-party service providers, such as Fintech companies, that may access consumer data on their behalf. Financial institutions must perform due diligence when engaging with such third parties, ensuring that they adhere to the same high standards of data security and privacy. This includes entering into robust contractual agreements that address liability and indemnification in the event of a data breach.

Disclosure and Transparency Requirements

Another critical element of Rule 1033 is its set of disclosure requirements, which apply to data providers as well as to third parties that are authorized to access data on behalf of consumers. Companies should fully understand their disclosure requirements under the rule.

Consumer Consent and Control

Rule 1033 places a strong emphasis on consumer consent and control over data sharing when third parties are used to access covered data. A third party seeking access on behalf of a consumer must obtain the consumer’s affirmative consent, provide specific disclosures to the consumer, and give the consumer the power to revoke both the third party’s ability to collect data on the consumer’s behalf and its access to previously collected data.

Liability and Regulatory Enforcement

Financial institutions face significant liability under Rule 1033 if they fail to comply with its provisions. The CFPB has broad enforcement authority under the rule and can impose civil penalties for non-compliance. In addition, financial institutions may face consumer lawsuits under various legal theories, such as state laws prohibiting unfair, deceptive, or abusive acts or practices, if they are found to have violated consumers’ data rights or failed to adequately protect consumer data. As part of their compliance strategy, financial institutions must maintain detailed records of their data access and sharing practices. These records may be subject to examination or subpoena by the CFPB or other regulatory bodies. Institutions should also regularly review and update their policies and procedures to ensure ongoing compliance with Rule 1033.

Compliance Dates by Institution Size

The rule provides for staggered mandatory compliance dates, based on institution size, as follows:

· April 1, 2026: depository institutions with assets of at least $250 billion, and non-depository data providers that generated at least $10 billion in total receipts in 2023 or 2024.
· April 1, 2027: depository institutions with assets of at least $10 billion but less than $250 billion, and non-depository data providers that did not generate at least $10 billion in total receipts in 2023 or 2024.
· April 1, 2028: depository institutions with assets between $3 billion and $10 billion.
· April 1, 2029: depository institutions with assets between $1.5 billion and $3 billion.
· April 1, 2030: depository institutions with assets between $850 million and $1.5 billion.

Conclusion

The CFPB’s rule implementing Section 1033 introduces significant new obligations for financial institutions, particularly in the areas of consumer data access, security, and privacy. While there is litigation challenging the rule, it is still important for financial institutions to prepare to comply with it. It is essential to develop robust data governance frameworks that balance the need for consumer transparency and control with the institution’s legal and operational requirements. In addition, institutions should remain vigilant in ensuring that their third-party data-sharing practices are secure and compliant with all applicable laws, regardless of how the litigation challenging this rule plays out.

For any questions about this blog, please reach out to John V. Levonick.


[i] Pub. L. No. 111-203, 124 Stat. 1376 (2010)

[ii] Pub. L. No. 111-203, Title X, §§ 1001-1100H, 124 Stat. 1955 (2010)

[iii] 12 U.S.C. § 5491 (originally enacted as Section 1011 of Title X, Pub. L. No. 111-203, § 1011, 124 Stat. 1964 (2010))

[iv] 12 U.S.C. § 5533