T How CFPB’s Rule 1033 Could Affect DATA RIGHTS AND OPEN BANKING BY BRADLEY WALLACE, CSI The Consumer Financial Protection Bureau estimates that 100 million consumers have authorized third parties to access their data.1 That data drives endless business decisions and capabilities. But financial institutions and technology developers must also be aware of regulations regarding consumers and their rights over their data. One such proposed regulation, Rule 1033, would require financial institutions and other data providers to help consumers access and share their data securely using application programming interfaces. What is CFPB’s Rule 1033? Section 1033 of the Consumer Financial Protection Act of 2010 was sent for comment in October 20232 and is expected to be finalized in the fall of 2024. This proposed rule would require depository and non-depository entities to: ▶ make available to consumers and authorized third parties certain data relating to consumers’ transactions and accounts; ▶ establish obligations for third parties accessing a consumer’s data, including important privacy protections for that data; ▶ provide basic standards for data access; and ▶ promote fair, open and inclusive industry standards. Compliance dates for this rule will be staggered based on institutional asset size, ranging from six months to four years from the date of the final rule publication. Rule 1033’s Potential Impact on Financial Data Rights The proposed rule is designed to address challenges with open banking by defining the: ▶ scope of data that third parties can access on a consumer’s behalf; ▶ terms on which data is made available; and ▶ mechanics of accessing the data, proposed to be consumer permission based. It seeks to impose a framework in which data transfers occur via APIs instead of existing methods, such as screen scraping or credential sharing. Data providers would be required to maintain a digital interface for consumers and developers, both of which must meet certain performance specifications to receive and respond to data access requests. This approach aims to ensure third parties are acting on behalf of consumers when accessing their data and respect their privacy interests. Rule 1033 also promotes security and reliability, as it would apply a set of consistent standards across the market for sharing data. Third party access proposals would require these companies to provide an authorization disclosure to inform the consumer of key terms of access and obtain the consumers’ informed consent. According to the CFPB, the proposed rule would “forbid companies that receive data from misusing or wrongfully monetizing the sensitive personal financial data.”3 What Data Does Rule 1033 Cover? The rule includes a definition of the types of data that providers, such as card issuers and financial institutions, DIRECTORS & SENIOR MANAGEMENT 48 HOOSIERBANKER
RkJQdWJsaXNoZXIy MTg3NDExNQ==