Open banking: Understanding CFPB’s Rule 1033
The Consumer Financial Protection Bureau’s open banking Rule 1033 marks a radical alteration in American financial services by introducing standardized data-sharing requirements and consumer protection measures.
The new open banking rule requires financial institutions to share their customers’ data with authorized third parties through standardized requirements. Millions of consumers will benefit from better financial services access and increased competition.
The open banking Rule 1033 — created by the Consumer Financial Protection Bureau (CFPB) and released on October 24, 2024 — provides clear guidelines for sharing data between financial institutions and authorized third parties.
The regulation specifies requirements for data providers and establishes security protocols along with consumer protection measures. Banks, credit unions and financial technology companies must adapt to these new standards that will transform how people handle financial information.
For consumers, Rule 1033 will alter the map of American finance by making data more accessible and giving consumers more control.
A recent study shows that 84% of consumers currently express concerns about open banking safety. This statistic highlights why we need to think about both the opportunities and challenges carefully.
Consumers will be able to switch their financial providers more easily and get better rates and services without paying transfer fees. This new regulation helps consumers compare financial products and get credit on better terms, especially young people with shorter credit histories.
For financial institutions and third-party providers, Rule 1033 means they are going to have to make major operational and technology changes.
Overview of the CFPB’s open banking rule
The Consumer Financial Protection Bureau’s open banking rule marks a major step forward in financial data sharing regulations. This rule implements sections 1033(a) and (b) of the Dodd-Frank Act and establishes complete guidelines for financial institutions and third-party providers.
1. Key objectives of the rule
The regulation aims to strengthen data security and boost competition in the open-banking ecosystem that enables consumers to switch between financial service providers easily.
That means financial institutions must make consumer financial data accessible to more people in a usable format — which means financial institutions will need major upgrades to their data management systems.
The most important focus ensures consumers explicitly authorize all uses of their personal financial data. The regulation strictly prohibits data harvesting for advertising or unrelated business purposes.
2. What does it cover?
The scope of this rule spans a wide range of financial products and services:
- Bank accounts, credit cards and prepaid accounts
- Mobile wallets and payment applications (including Apple Pay, Google Pay, PayPal, Zelle and Venmo)
- Payment facilitation services from regulated accounts
The regulation exempts depository institutions with assets below $850 million. Note, however, that once an institution crosses that $850 million threshold, it remains permanently subject to Rule 1033 regardless of how its assets change later.
3. Timeline for implementation
The CFPB has set up a staggered compliance schedule that considers institution size and type. Large depository institutions with assets of $250 billion or more and nondepository institutions with receipts of at least $10 billion must comply by April 1, 2026.
Smaller covered institutions have until April 1, 2030, to achieve full compliance. This phased approach gives institutions enough time to build their infrastructure and compliance programs.
Data providers must create “commercially reasonable” interfaces that align with recognized industry formats. These interfaces should meet specific performance requirements and provide smooth integration capabilities for third-party developers.
Challenges for banks and financial institutions
Banks and financial institutions must make significant operational changes to meet the new framework requirements. They need to build secure data-sharing systems and implement APIs to achieve compliance.
These new regulations — if they withstand legal challenges — will bring the most important changes to market dynamics.
Financial institutions feel growing pressure to invent and enhance their services as they try to keep their customers. Rule 1033 will increase fintech competition since they will now have regulated access to consumer financial data that larger institutions previously controlled.
The industry faces critical security challenges as it adapts to new data-sharing requirements. The landscape reveals several major security risks.
Newly exposed APIs widen the attack surface and open new doors to cybersecurity threats. Legacy IT infrastructure creates complex integration challenges. Data transfers between institutions now face a higher risk of breaches.
Banks and financial institutions worry about who bears responsibility in the event of a data breach or unauthorized access. Banking groups argue that the rule’s framework could expose them to legal liability and financial strain. This risk increases when they share data with third parties that may themselves have weaker security.
Obligations and requirements of data providers
Data providers have a significant responsibility to implement open banking standards under the new CFPB regulation. The rule sets complete requirements that help these entities share data securely and protect consumer interests effectively.
- Definition of data providers: Data providers consist of covered persons that include financial institutions, card issuers and organizations that control or possess information about covered consumer financial products or services. These providers must ensure electronic accessibility of account data without charging any fees. The regulation strictly forbids any practices that could block consumers from accessing their financial information.
- Types of data to be shared: Financial data providers must share several categories of financial information:
  - Transaction information and account balances
  - Payment initiation data
  - Upcoming bill information
  - Simple account verification details
  - Account holder identification data
- Data sharing methods and interfaces: Data sharing remains strictly limited to the work needed to provide requested services, which prevents unauthorized data collection for unrelated purposes. The regulation requires data providers to implement developer interfaces that enable authorized third-party access to consumer financial data. These interfaces must meet “commercially reasonable” performance standards and maintain compatibility with recognized industry formats. Financial institutions employ open banking APIs to share consumer data securely with applications and aggregators.
- Security and privacy considerations: Data providers must set up resilient security measures that line up with the Gramm-Leach-Bliley Act's standards and the Federal Trade Commission’s Standards for Safeguarding Customer Information. These standards establish specific requirements to protect data:
  - Implementation of strong authentication protocols
  - Prohibition of shared credentials between consumers and third parties
  - Mandatory maintenance of compliance records
Data providers must stop data access immediately when consumers revoke it, and data must be deleted by default. Consumers’ access permissions need yearly renewal so that they keep effective control over their financial information.
Authorized third parties: Rights and responsibilities
Authorized third parties are a vital component of the open banking ecosystem, and they act as intermediaries between consumers and financial institutions. These entities follow strict protocols that the Consumer Financial Protection Bureau has established to handle data securely and responsibly.
- Definition of authorized third parties: Authorized third parties represent entities that access covered data on consumers’ behalf to deliver requested financial products or services. These organizations must get proper registration and licensing from regulatory authorities before they can participate in the open banking system.
- Consumer consent and authorization process: Third parties must provide consumers with detailed disclosure statements before authorization. These statements should include:
  - Their company name along with any linked data aggregators
  - A complete description of their requested services
  - How long they plan to collect data
  - Simple ways to cancel the authorization
Third parties also need to get fresh consent from consumers every year to continue accessing their data.
Here are two critical elements for authorized third parties to know:
1. The CFPB controls data usage with strict rules
All third parties must keep records demonstrating that they follow these rules and retain those records for three years.
Permitted uses:
- Providing requested services
- Essential service operations
- Consumer-authorized activities
Prohibited activities:
- Targeted advertising
- Cross-selling products
- Data resale to brokers
2. Security and compliance requirements
Authorized third parties must implement reliable security measures that line up with:
- GLBA Safeguards Framework standards
- FTC’s Standards for Safeguarding Customer Information
The regulation requires written policies and procedures that ensure accurate data flows between providers and third parties. These third parties must also have systems ready to handle consumer revocation requests quickly and stop data collection as soon as authorization expires.
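To make the consent lifecycle described in the data-provider and third-party sections concrete, here is an added Python sketch (not code from the CFPB, the rule text, or Wipfli) of the checks an access layer would enforce on each data request: purpose limitation, immediate cut-off on revocation, annual expiry, and a decision log for the compliance record. The 365-day window, the purpose labels and the reference date are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed assumptions: a one-year validity window and purpose labels that
# mirror the permitted / prohibited uses listed in the article.
MAX_AUTHORIZATION_DAYS = 365
PERMITTED_PURPOSES = {"requested_service", "essential_operations", "consumer_authorized"}
PROHIBITED_PURPOSES = {"targeted_advertising", "cross_selling", "data_resale"}

# Constructed reference time so the example runs deterministically offline.
GRANTED = datetime(2026, 4, 1, tzinfo=timezone.utc)


def at(days: int) -> datetime:
    """Instant `days` after the constructed grant time (helper for examples)."""
    return GRANTED + timedelta(days=days)


@dataclass
class Authorization:
    consumer_id: str
    third_party: str
    granted_at: datetime
    revoked_at: Optional[datetime] = None
    # Every decision is appended here; the article notes records must be kept three years.
    audit_log: list = field(default_factory=list)

    def expires_at(self) -> datetime:
        return self.granted_at + timedelta(days=MAX_AUTHORIZATION_DAYS)

    def revoke(self, when: datetime) -> None:
        """Consumer revocation: access must stop immediately, not at a later batch run."""
        self.revoked_at = when
        self.audit_log.append(("revoked", when))


def check_access(auth: Authorization, now: datetime, purpose: str) -> tuple[bool, str]:
    """Decide one data request; deny by default, and log the outcome either way."""
    if purpose in PROHIBITED_PURPOSES or purpose not in PERMITTED_PURPOSES:
        decision = (False, "purpose not permitted")
    elif auth.revoked_at is not None and now >= auth.revoked_at:
        decision = (False, "authorization revoked")
    elif now >= auth.expires_at():
        decision = (False, "authorization expired; annual renewal required")
    else:
        decision = (True, "ok")
    auth.audit_log.append(("access_check", now, purpose, decision))
    return decision
```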
What to do now
Financial institutions must update their systems and protocols to meet strict security standards that allow authorized third parties to access data continuously.
The rule has already been challenged in a case brought in the U.S. District Court for the Eastern District of Kentucky by the Bank Policy Institute and the Kentucky Bankers Association, but banks that intend to stay competitive have either already upgraded their systems or should be doing so now.
The value of data is only increasing, and so are consumers’ rights. So whether it is Rule 1033 or another regulation, financial institutions will have to be able to make financial data available to consumers and authorized third parties.
And that data must be made available electronically in a secure and reliable manner.
Those who accept new ideas while maintaining resilient security measures will likely become leaders as financial services continue to evolve.
How Wipfli can help
The future of finance is here, and Wipfli is ready to help banks navigate the operational complexities of CFPB’s open banking rule. From API management to data governance, our advisors can guide your institution through this transformative change.