CFPB’s Final Rule 1033: Open Banking's Future

A shift towards open banking and granting consumers control of their financial information

Currently, financial institutions control access to consumer financial data. Section 1033 of the Dodd-Frank Act aims to create a more transparent and competitive financial ecosystem in an open banking environment.

Rule 1033 strengthens the open banking ecosystem by enabling consumer-authorized data sharing with a focus on security and collaboration among consumers, data providers, third parties, and aggregators. It drives innovation, competition, and transparency while ensuring robust data security and regulatory compliance across all participants.

What does the 1033 Rule Do?

The CFPB’s final rule on financial data rights was issued on October 22, 2024. CFPB Rule 1033 implements Section 1033, which allows consumers to access and securely share their financial data (“covered data”) with third-party services and is intended to facilitate open banking. Key takeaways of the rule include data safety, clear consent, and giving consumers more control over their information:

  • Empowers Consumer Rights - Enhances consumer rights related to accessing and sharing financial data.
  • Facilitates Secure Data Sharing - Allows secure sharing of financial data with third-party service providers.
  • Ensures Transparency and Consent - Requires that data sharing be conducted safely, with clear consent and transparency.
  • Strengthens Consumer Control and Privacy - Provides consumers with greater control over their financial information through privacy protections.

Who are the impacted parties of the 1033 Rule?

Data Providers

Make certain types of financial data available to consumers and authorized third parties upon request. Categories:

  • Depository Institutions - Banks and savings institutions holding consumer accounts under Regulation E.
  • Non-Depository Institutions - Credit card issuers regulated under Regulation Z.

Authorized Third Parties

Establish clear guidelines on use and retention when accessing financial data. Categories:

  • Financial Service Providers and Fintech Companies - Obtain explicit consumer consent, provide clear disclosures, renew consent annually, and adhere to data security standards.

Data Aggregators

Facilitate secure and transparent consumer data access. Categories:

  • Data Aggregation Platforms - Specialized in collecting and securing data from institutions in a unified format for authorized third parties.

What is “covered data”?

Data providers must provide consumers and authorized third parties with access to: 

  • Financial Transaction Data
  • Payment Initiation Data
  • Account balances
  • Upcoming Bill information
  • Terms and conditions
  • Basic Account Verification Information

Rule 1033 facilitates open banking by enabling secure sharing of consumer financial data. Under the rule, data providers are required to maintain a consumer interface and a developer interface. Interface requirements include data formats (machine-readable files), performance conditions, and security specifications.

Compliance Dates

The rule has a phased rollout, determined by annual revenue or asset size.

Larger institutions are subject to implementation by April 1, 2026.

Challenges and Future of Rule 1033

The fate of the rule hangs on two challenges. First, the rule was challenged immediately after its release in October 2024. A Kentucky-based national bank, along with groups such as the American Bankers Association and The Bank Policy Institute, filed lawsuits asserting that the CFPB was overstepping its authority and that concerns about liability and cost remained unaddressed. The CFPB filed an answer to the amended complaint in late December 2024, and the courts directed the involved parties to confer regarding a case schedule.

The second challenge arose with the change in the presidential administration and Congress, and the expected changes at the CFPB. Now that Congress is in session, it may disapprove of any rule finalized by the CFPB within the last six months of the former presidential administration. Whether Congress will reject the open banking rule remains to be seen. Adding to the already uncertain future of the rule, the incoming CFPB director may use the lawsuit to determine the fate of the rule.

Regardless of what happens to Rule 1033 and whether the CFPB will get to enforce it, the concept of open banking is likely here to stay. As industry groups and regulators work toward a resolution, financial institutions should assess ways to comply as data providers in an open banking environment.

How We Can Support You in Implementing the 1033 Rule

By combining expertise in regulatory compliance, data privacy, and technology integration, Sia can help data providers navigate the complexities of Rule 1033. Our services would enable data providers to efficiently manage consumer data access, enhance transparency, and maintain compliance with evolving regulations.

Our team members have a practical, deep understanding of embedding regulatory requirements into our tailored data privacy and cybersecurity solutions. From a readiness assessment and gap identification to a customized target operating model recommendation and full-scale implementation, we are equipped to confidently support clients with every step of this complex rule implementation.

We have a solid understanding of the ever-evolving regulatory landscape and strive to keep abreast of industry trends.

1033 Compliance Considerations

Regulatory Watch

  • Regulatory Watch AI uses artificial intelligence to monitor and analyze real-time regulatory changes, helping businesses stay compliant with evolving laws and industry standards while proactively managing compliance risks. The tool also helps extract the requirements, compare them with policies, and assist users in creating new controls.

Reg Review AI

  • Reg Review is part of Heka.ai, the ecosystem of AI solutions developed by Sia. Optimize your regulatory watch. Automate the collection of regulatory articles and their exploitation to improve regulatory oversight.

Smart Data Quality AI

  • AI that improves your database and data quality management and transparency while minimizing risks from inaccurate or incomplete data. Ensures compliance with Open Banking Rule 1033.

Contract review & third-party assessment

  • Review contracts for compliance with Rule 1033 by utilizing innovative tools and strategies, ensuring our clients’ data-sharing processes, access protocols, and transparency measures align with applicable data protection and consumer rights regulations.

Sanction Challenger

  • Sanction Challenger helps ensure compliant data sharing, detect financial sanctions risks, and enhance security and transparency in data exchanges. It automates research on sanctions lists with a bot function.

Change Management (with Nod-A)

  • Nod-A will help improve regulatory awareness and guide smooth behavioral changes to strengthen and enhance your compliance program.

Quantum Lab & DeepTech Lab

  • Sia's Quantum Lab and DeepTech Lab use advanced technologies like quantum computing and AI to develop solutions that enhance data security, improve compliance, and optimize data management.
