The march towards the "open banking" revolution has begun. The end of 2024 and into 2025 will mark a significant transformation in how financial entities handle consumer data.

The Consumer Financial Protection Bureau has issued its Proposed Rule implementing Section 1033 of the Dodd-Frank Act. If and when it is finalized, financial institutions will be required to enter into new data sharing agreements that meet CFPB standards and that allow third parties access to consumers' financial information through new technology and, perhaps, costly developer interfaces.

Whether a Wall Street trading house or Main Street community bank, cryptocurrency wallet or credit card, compliance with Section 1033 will be mandatory. The CFPB plans to publish the final rule by the end of 2024.

A partial final rule dealing with standard-setting organizations took effect on July 11, 2024.1

While Section 1033 aims to foster innovation and protect consumer rights, it will also require significant adjustments from financial institutions, which will have to adopt new and changing agreement terms and remain compliant with evolving technical standards.

This mandate will challenge data providers' operations with respect to their customers' data and change the landscape of their relationships with third parties that seek customer data.

Impacted financial entities will need to learn the new ways, or risk getting left behind.

CFPB's data access agreement is the 'bullseye' to open banking

Due to the commercial value of consumers' data, the CFPB contends that financial service entities have prevented sharing the data with potential competitors to keep consumers in the entities' private networks. Section 1033 and the CFPB's Proposed Rule target this problem by wrenching open these private networks and releasing consumer data to the broader market. And the bullseye is the data access agreement.

The Proposed Rule seeks to create new, "standardized agreements" that mandate what data must be provided, by whom, to whom, and most significantly, on what terms.

The CFPB intends that the Proposed Rule will require more entities to enter into more data access agreements but have less control over the terms of those agreements.2

Indeed, the CFPB explicitly acknowledges that "many features of data access agreements would be regulated by the [Proposed Rule] and not subject to negotiation," including what data is produced, how that must be made accessible, and the technical requirements for how it is produced.3 The expectation is that entities will use standardized agreements.4

Further, entities that do not currently have the ability to comply with the technical requirements will nonetheless be required to come into compliance at their own expense. It is not an overstatement to say that Section 1033 will transform how all financial entities conduct business.

From community banks to national banks, credit card issuers to payment facilitators, and neobanks to cryptocurrency wallets, the map of Section 1033's long march to the open banking revolution is just beginning to come into focus.

Section 1033 requirements and why it's happening now

In the aftermath of the 2008-2009 global financial crisis, Congress passed the Dodd-Frank Wall Street Reform and Consumer Protection Act in 2010. The Act was, in large part, intended to end the systemic risk of "too big to fail" banks.

Additional measures included in the Consumer Financial Protection Act were intended to "protect consumers from abusive financial services practices." One such provision is Section 1033 — Consumer Rights to Access Information.

Section 1033 directs the CFPB to prescribe rules requiring:

[A] covered person shall make available to a consumer, upon request, information in the control or possession of the covered person concerning the consumer financial product or service that the consumer obtained from such covered person, including information relating to any transaction, series of transactions, or to the account including costs, charges and usage data. The information shall be made available in an electronic form usable by consumers.

Additionally, Section 1033 provides for four exceptions and an explicit confirmation that there is "no duty to maintain records." Nonetheless, the 335 words of Section 1033 spawned approximately 130 pages of proposed rulemaking published by the CFPB on October 31, 2023 ("Proposed Rule").5 

The public comment period on the Proposed Rule ended December 29, 2023, so that the CFPB could use much of 2024 to develop the final rule.

The Proposed Rule signifies a notable mile marker on the long march to "open banking." The use of the term "banking" is something of a misnomer here as Section 1033 applies to a broadly inclusive set of financial institutions.

Open banking refers to "the network of entities [regardless of depository status] sharing personal financial data with consumer authorization," for the ostensible purpose of obtaining "innovative financial service experiences" as Mastercard puts it on their website.6

These new financial services are largely enabled by the seamless sharing of consumer data, which has created divergent interests between the consumer, the entity who has his data, and the entity who wants his data.

The new way: Shared data for all

Proponents of open banking, and now the CFPB, have encouraged the use of developer interfaces instead of screen scraping. Although interfaces, enabled by APIs, allow for secure and more comprehensive data exchange between the parties, the costs associated with the development, implementation, and maintenance of the interfaces can be substantial.

For small data providers who would choose to outsource the development and maintenance of a third-party interface, the CFPB estimates the annual costs could range between four figures and $600,000. For data providers who want to develop and maintain the third-party interface in-house, the CFPB estimates the total upfront staffing cost to be between $216,000 and $432,000, with ongoing annual staffing costs between $42,000 and $83,000.7

In light of the costs, it may be unsurprising to many that the CFPB observed, "Data providers may decide not to establish a developer interface in the first instance, making it difficult for third parties to access data without resorting to screen scraping."8

Indeed, community banks and other smaller financial service providers will not only incur these technical compliance costs, but also face the burden presented by the cumulative effect of regulatory requirements, a challenge presented to the CFPB in response to the Proposed Rule.9

On the other hand, CrowdStrike, a cloud-security provider, suggests that the Proposed Rule implement even stricter cybersecurity protocols, which would no doubt increase the cost of compliance for smaller entities.10

Because the CFPB disapproves of both screen scraping and costly negotiated bilateral data access agreements, the Proposed Rule is designed to mandate the use of developer interfaces while dictating the material terms regarding their use, thus making the agreements standardized industry wide.

Such material terms include those related to: (1) clarifying the scope of data rights; (2) establishing basic standards for data access; (3) clarifying the mechanics of data access; and (4) establishing limitations of consumer data use by third parties with respect to such data collection, use, and retention.11

The Proposed Rule's new agreements for new industry standards

A bilateral data access agreement, like many contracts, is intended to strike a balance between the needs of the third party and the ability of the data provider to reasonably accommodate those needs, considering cost, technical requirements, and hardware or infrastructure constraints.

The Proposed Rule contemplates industry-standard contractual language for data access agreements. It also intends to "define key terms" of data access agreements, including not only what data must be made accessible but also the technical standards and mechanics for such access through consumer and developer interfaces, as well as permissible secondary uses of data obtained pursuant to such agreements.

Further, although the technical requirements for the interfaces will be stringent, data providers will be prohibited from charging fees for establishing or maintaining them, a decision observed by some as "illogical and unsustainable."12

Perhaps the most subtly onerous term is that data providers' interfaces must "perform at a commercially reasonable level" with certain "quantitative minimum performance specifications."13 These industry standards would govern response rate, latency and uptime, and access caps, and what is more, they would be publicly disclosed.

The test for what is an "indicia of commercially reasonable performance" is proposed to "evolve over time" and be pegged to "a qualified industry standard." The CFPB may, however, provide additional indicia of commercially reasonable performance in the final rule, which may be pegged to specific standards. These industry standards will be set by independent standard-setting organizations.

On June 5, 2024, the CFPB issued a final rule outlining the minimum attributes of these future standard-setting bodies. Notably, the final rule changes the term "qualified industry standard" to "consensus standard," and concludes that the standard-setting body must possess "openness, balance, due process and appeals, consensus, and transparency."

Participation in the standard-setting process will be open to all "interested parties," which includes data providers, data recipients, third parties, and interest groups. The members of the standard-setting organization, with input from other interested parties, will set the consensus standard. The final rule observes, however, that "consensus does not necessarily require unanimity."

Customarily, bilateral data access agreements have identified the scope of the data to be exchanged based on the interests of the parties. The Proposed Rule, however, will standardize — and no doubt enlarge — the scope of data that must be accessible.

Proposed Section 1033.211 provides an illustrative but not exhaustive list of what "covered data" includes:

  1. Transaction information, including historical transaction [of at least 24 months]. This category includes amount, date, payment type, pending or authorized status, payee or merchant name, rewards credits, and fees or finance charges.
  2. Account balance.
  3. Information to initiate payment to or from a Regulation E account. This category includes a tokenized account and routing number that can be used to initiate an Automated Clearing House transaction.
  4. Terms and conditions. This category includes the applicable fee schedule, any annual percentage rate or annual percentage yield, rewards program terms, whether a consumer has opted into overdraft coverage, and whether a consumer has entered into an arbitration agreement.
  5. Upcoming bill information. This category includes information about third party bill payments scheduled through the data provider and any upcoming payments due from the consumer to the data provider.
  6. Basic account verification information, which is limited to the name, address, email address, and phone number associated with the covered consumer financial product or service.14

CFPB's final rule should be published by the end of 2024.

Adams and Reese will continue to monitor any further updates around Section 1033 that will impact your business.

Notes:

  1. https://bit.ly/3SLQAJI
  2. 88 FR 74849.
  3. 88 FR 74849.
  4. 88 FR 74855.
  5. Required Rulemaking on Personal Financial Data Rights, 88 FR 74796-01.
  6. https://mstr.cd/4diZKpb
  7. Small Business Advisory Review Panel for Required Rulemaking on Personal Financial Data Rights, Oct. 27, 2022, 55-56.
  8. 88 FR 74799.
  9. Public Comment, Community Banks Association of Illinois, December 27, 2023.
  10. Public Comment, CrowdStrike, December 29, 2023.
  11. The Proposed Rule does not address questions of liability for misuse or theft of consumer data acquired pursuant to this section. Many commenters have proposed that the final rule establish a presumptive liability scheme that follows the data.
  12. Public Comment, Community Banks Association of Illinois, December 27, 2023, at 5.
  13. 88 FR 74816.
  14. See, 88 FR 74870; § 1033.211.

About Our Authors

Amy Hanna Keeney is a partner at Adams and Reese LLP, leading the firm's financial services regulatory and compliance team. Keeney helps banks, credit unions and nonbank financial service providers launch new financial products and navigate the complex regulatory landscape for fintech. As a certified information privacy professional, she helps companies assess third-party risk associated with data collection and processing. Keeney is also a liaison with the American Bar Association Fair Access to Services Subcommittee. She is based in Atlanta and can be reached at amyhanna.keeney@arlaw.com.

John Woods is an associate with the firm, practicing in financial services and commercial litigation with a focus on insurance defense in the health care and real estate industries. He works with clients on creating and revising operational and risk management policies. Woods is an experienced trial and appellate attorney, representing health care companies and long-term care facilities in medical malpractice and other liability matters. He is based in Memphis, Tennessee, and can be reached at john.woods@arlaw.com.