CFPB’s Section 1033 Final Rule: 12 Revisions to the Proposal


The Consumer Financial Protection Bureau (CFPB) has released its final rule implementing Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act, a framework that promises to establish open banking standards in the United States.

This regulatory approach aims to enhance consumer autonomy by giving individuals greater control over their financial data, while setting the stage for unprecedented innovation in financial services. Yet, the new rule is expected to have significant and varied implications for different participants in the open banking ecosystem.

Drawing from extensive industry feedback on the initial Notice of Proposed Rulemaking (NPRM) (I’ve written about this earlier), this blog will dissect the 12 key differences between the proposed and final rules, analyzing their potential impact on critical stakeholders including data providers, data aggregators, and third-party financial service providers.

How the Final Rule Balances Expectations

Here are some elements of the final rule that somewhat balance the expectations of data providers and third parties:

1. Tokenized Account Numbers

The CFPB includes a requirement for data providers to make payment initiation data available. And like the proposed rule, the final rule allows data providers to utilize tokenized account numbers (TANs) instead of actual ACH account numbers.

However, there is evidence that tokenization may be misused to hamper competition [1], which is why the final rule authorizes the use of TANs, but with a caveat. It contains language allowing that a data provider may deploy TANs “as long as the tokenization is not used as a pretext to restrict competitive use of payment initiation information.”

2. Developer Interface Quantitative Performance Metrics

The proposed rule required an uptime of 99.5% and a maximum response time of 3,500 milliseconds for data providers’ developer interfaces. There was opposition from both banks and aggregators to the proposed performance requirements: banks said that it would be technically challenging and expensive, while data aggregators protested that it was slower than API providers in other markets.

The final rule maintains the 99.5% uptime requirement but changes how the metric is calculated. It removes the 3,500-millisecond response time requirement, instead providing that a developer interface must respond to data requests within “a commercially reasonable amount of time.”

Moreover, the final rule obligates data providers to disclose performance metrics for their developer interfaces at the end of each month and to maintain 13 months of rolling performance data. It also requires that data providers disclose scheduled downtime for their developer interfaces.
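As an added illustration (not code from the post, Zeta, or the CFPB), the sketch below turns the metric obligations named above into a monthly disclosure record: a 99.5% uptime check and a 13-month rolling history. The post does not say how the final rule computes uptime, so the method here is an assumption: minutes inside disclosed scheduled-downtime windows are removed from the denominator, and unplanned outage minutes count against availability; all dates and windows are constructed sample data.

```python
"""Added example, not code from the post or the CFPB. Uptime method is an
assumption: disclosed scheduled downtime is excluded from the denominator,
unplanned outage minutes (outside scheduled windows) count as unavailable.
Windows are (start, end) datetime tuples; a month is [month_start, month_end)."""
from collections import deque
from datetime import datetime, timedelta

UPTIME_TARGET = 0.995   # figure from the post
ROLLING_MONTHS = 13     # figure from the post


def _minutes(windows, month_start, month_end):
    """Set of minute timestamps covered by any window, clipped to the month."""
    covered = set()
    for start, end in windows:
        t, stop = max(start, month_start), min(end, month_end)
        while t < stop:
            covered.add(t)
            t += timedelta(minutes=1)
    return covered


def monthly_uptime(month_start, month_end, outages, scheduled):
    """Return (uptime_ratio, meets_target) for one month (assumed method)."""
    total = int((month_end - month_start).total_seconds() // 60)
    planned = _minutes(scheduled, month_start, month_end)
    unplanned = _minutes(outages, month_start, month_end) - planned
    available = total - len(planned)          # scheduled minutes excluded
    ratio = 1.0 - len(unplanned) / available
    return ratio, ratio >= UPTIME_TARGET


def record_month(history, label, ratio, meets):
    """Append one month's disclosure, keeping only the last 13 months."""
    if history is None:
        history = deque(maxlen=ROLLING_MONTHS)
    history.append({"month": label, "uptime": round(ratio, 5), "meets_target": meets})
    return history


def sample_month():
    """Constructed sample: April 2026, one scheduled window, two outages
    (the first overlaps the scheduled window by an hour)."""
    scheduled = [(datetime(2026, 4, 5, 2), datetime(2026, 4, 5, 4))]
    outages = [(datetime(2026, 4, 5, 3), datetime(2026, 4, 5, 5)),
               (datetime(2026, 4, 12, 10), datetime(2026, 4, 12, 13))]
    return datetime(2026, 4, 1), datetime(2026, 5, 1), outages, scheduled


if __name__ == "__main__":
    print(monthly_uptime(*sample_month()))
```

The first sample month has 240 unplanned minutes against a 43,080-minute denominator and misses the target; dropping the first outage leaves 180 minutes and passes, showing how narrowly the 99.5% line is drawn.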

3. Digital Wallets

The final rule includes digital wallets within the ambit of data providers, even when they facilitate pass-through payments. This could pull major fintech payment platforms and wallet providers into the open banking regime.

However, the rule exempts pass-through wallets from making data available through a developer interface for some first-party payments they initiate.

4. Secondary Data Usage

Like the proposed rule, the final rule maintains the strict limitation on secondary use of covered data and restricts authorized third parties from using or retaining covered data for purposes beyond what the consumer has explicitly authorized unless legally mandated to do so. However, the final rule exempts enhancements to the consumer’s requested product or service from any secondary data limitations.

Banks had firmly supported the restriction on secondary use of open banking data. Meanwhile fintechs had objected to this stipulation, stating that it would prevent them from building better products and services. The final rule attempts to balance product innovation with data security.

5. Authentication

Data providers had wanted customer authentication and authorization on their platforms to capture customer consent, while data aggregators and third parties were apprehensive that this might introduce friction in the process of consent, leading to higher drop-offs.

The final rule does not specify any particular required method of consumer authentication and largely defers to recognized standard-setting bodies (SSBs) to develop authentication standards. The preamble to the rule expressed skepticism that additional authentication methods beyond token-based authentication are needed, stating, “The CFPB expects that all or nearly all consumers who wish to share consumer-authorized covered data with third parties either have an online account or the ability to create one.”

The Rulemaking May Be Skewed

The CFPB’s final rule has the interests of the consumer in mind, which may require stakeholders to make certain concessions. Here are some aspects of the rule that may benefit third parties and data aggregators over data providers:

1. Inclusion of Payments

The final rule expressly includes payment initiation data among the types of information that data providers are required to share.

The CFPB intends for the Section 1033 rulemaking to promote the use of “pay-by-bank,” which will “help bring greater competition to payments markets, which have long been an area of anti-competitive practices.”

Banks had argued in favor of narrowing the scope of data to be shared, citing misuse and security issues that would potentially accompany sharing payment initiation data with third parties. Data aggregators and third parties, obviously, wanted this data to be included in covered data.

2. Prohibition of Data Provider Evasion

Unlike the proposal, the final rule includes an anti-evasion provision that broadly prohibits data providers from engaging in behavior that evades the requirements set out in the final rule, including behavior the CFPB may not, or could not, have fully anticipated.

3. Consumer-Facing Data Aggregator Certification

The final rule retains the core requirement that data aggregators must certify compliance with specific obligations when assisting authorized third parties in accessing consumer data. However, the final rule does not require data aggregators to provide revocation mechanisms or directly comply with consumer-facing obligations, allowing these responsibilities to remain primarily with the authorized third party. Additionally, the final rule refines language to ensure certifications are clear, conspicuous, and provided to the consumer in the same language as the authorization disclosures.

Following are some examples of changes made to the final rule favoring data providers:

1. Data Provider Coverage and Compliance Timelines

The proposal’s aggressive implementation timelines of six months had met with unanimous opposition, with banks suggesting tiered implementation over not less than 24 months.

The final rule outlines extended compliance timelines for data providers as compared to the NPRM. It also creates a fifth tier for compliance for smaller institutions as compared to the NPRM’s four tiers.

Under the final rule, the largest data providers must comply with the requirements included under the rule beginning April 1, 2026, while the smallest covered data providers have until April 1, 2030, to comply. Data providers that hold less than $850 million in total assets are exempt from the obligations to make covered data available under the rule.

2. Fair Credit Reporting Act

The final rule makes clear that data providers are not considered “furnishers” of data under the Fair Credit Reporting Act (FCRA) when facilitating access to consumer data at the consumer’s request.

The CFPB provides in the final rule that the consumer, not the financial institution, is to be treated as the furnisher of the data, meaning that responsibility for data accuracy and compliance lies with the consumer and the third party accessing the data at their request.

This comes as a response to several comments asking for exemptions for data that were covered under existing regulation and the application of the FCRA.

3. Access Denial/Third Party Risk Management Requirements

Data providers had asked for a revision giving them the power to deny a third party access based on existing guidance from prudential regulators like the OCC, FDIC, and Federal Reserve.

The final rule takes this into consideration, maintaining the ability of a data provider to deny access to an authorized third party. It articulates the limited cases in which a data provider is legally permitted to do so, including for “a specific risk,” the “safety and soundness standards of a prudential regulator,” and “other applicable laws and regulations regarding risk management.”

4. Authorized Third Party Recordkeeping Requirements

While both the proposed rule and the final rule require authorized third parties to maintain policies and procedures ensuring records related to compliance, the final rule expands on the types of records required to be retained by third parties.

The Path Ahead with Collaboration

Open banking would further encourage collaboration between issuers and fintechs, allowing them to create personalized financial experiences that resonate with tech-savvy customers. Through advanced data insights, banks could design targeted products and unlock new revenue streams from value-added services. This approach would not only improve cross-selling opportunities but position banks as adaptive, customer-centric institutions ready to meet the evolving demands of the digital finance landscape.

References

  1. PYMNTS, “Mastercard Agrees With FTC Card Data Routing Order,” 2023.
Karla Booe

Chief Compliance Officer, Zeta
